Exhausted memory in address space and crash on SVG file

Reporter: Attila Suszter; Assignee: Unassigned
Keywords: crash, testcase
Version: 11 Branch
Platform: Windows 7
Firefox Tracking Flags: (Not tracked)
Whiteboard: [sg:dos]
Attachments: 1

Comment 0

Created attachment 617241 [details]
Fuzzed file and reduced testcase

Firefox 11.0 (up to date) crashes on a specially crafted SVG file on Windows 7. Attached are a reduced testcase (6915_reduced.svg) and the fuzzed file (69159edab2a7bbaccb71459093051ed9.svg).

I observed the following with the reduced testcase.

The crash happens on an int 3 instruction in mozalloc_abort(). This could indicate that a memory allocation has failed.

(2bc8.3f20): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=741da4c8 edx=00000003 esi=7419e457 edi=741da392
eip=6b18195d esp=003e87a0 ebp=003e87ec iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
6b18195d cc              int     3

Looking at the memory usage summary it seems we exhausted the 4G address space [and that's why we cannot allocate more memory above].

0:000> !address -summary
-------------------- Usage SUMMARY --------------------------
    TotSize (      KB)   Pct(Tots) Pct(Busy)   Usage
   efe6b000 ( 3930540) : 93.71%    96.53%    : RegionUsageIsVAD
    777c000 (  122352) : 02.92%    00.00%    : RegionUsageFree
    583b000 (   90348) : 02.15%    02.22%    : RegionUsageImage
    1c00000 (   28672) : 00.68%    00.70%    : RegionUsageStack
          0 (       0) : 00.00%    00.00%    : RegionUsageTeb
     2e0000 (    2944) : 00.07%    00.07%    : RegionUsageHeap
    12ed000 (   19380) : 00.46%    00.48%    : RegionUsagePageHeap
       1000 (       4) : 00.00%    00.00%    : RegionUsagePeb
          0 (       0) : 00.00%    00.00%    : RegionUsageProcessParametrs
          0 (       0) : 00.00%    00.00%    : RegionUsageEnvironmentBlock
       Tot: ffff0000 (4194240 KB) Busy: f8874000 (4071888 KB)
Largest free region: Base 5e200000 - Size 001f0000 (1984 KB)

The stack trace might differ between crashes, but we always seem to crash in mozalloc_abort(). Stack trace example #1 is shown below.

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
003e87ec 596a39f1 003ec588 ffdfc570 ffdfdba8 mozalloc!mozalloc_abort+0x2b
003e8960 59674d45 003ec588 ffda0c40 24a58ca0 xul!gfxFontGroup::GetFontAt+0x8cd1
003e89f0 596744c5 076d3c10 003ec588 ffdfdb48 xul!gfxContext::UserToDevicePixelSnapped+0x7465
003e8a28 59674416 003ec588 003e8a50 ffdfdb48 xul!gfxContext::UserToDevicePixelSnapped+0x6be5
003e8a58 596a37a0 003ec588 003e8aec ffdfdb48 xul!gfxContext::UserToDevicePixelSnapped+0x6b36
003e8b2c 5965b5d6 00000000 ffdfdb48 5965b663 xul!gfxFontGroup::GetFontAt+0x8a80
003e8b38 5965b663 59690196 ffdfdb48 00000000 xul!gfxFontGroup::GetUnderlineOffset+0x1456
003e8b3c 59690196 ffdfdb48 00000000 003ec640 xul!gfxFontGroup::GetUnderlineOffset+0x14e3
003e8b58 59776225 ffdfdb48 ffdfba10 ffdfd8b0 xul!gfxFontGroup::UpdateFontList+0xc266
003e8b74 5966b746 24a58c48 ffdfba10 24a58c48 xul!gfxWindowsSurface::CreateSimilarSurface+0xb04
00000000 00000000 00000000 00000000 00000000 xul!gfx3DMatrix::Is2D+0x42c6

Example #2 is shown below.

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
002d8164 5ef5e920 002d81b0 00000000 1bb38c00 mozalloc!mozalloc_abort+0x2b
002d81e4 5e7321ee 1bb38c48 002da8f0 002da900 xul!XRE_InitOmnijar+0x61eb9
002d82b4 5ef5e876 002da8f0 002da900 1bb38c00 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d82d4 5e7321ee 1bb38be8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d83a4 5ef5e876 002da8f0 002da900 1bb38ba0 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d83c4 5ef5e97d 1bb386b0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d844c 5e7321ee 1bb386b0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d851c 5ef5e876 002da8f0 002da900 1bb38668 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d853c 5e7321ee 1bb38650 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d860c 5ef5e876 002da8f0 002da900 1bb38608 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d862c 5ef5e97d 1bb381d8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d86b4 5e7321ee 1bb381d8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d8784 5ef5e876 002da8f0 002da900 1bb38190 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d87a4 5e7321ee 1bb38178 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d8874 5ef5e876 002da8f0 002da900 1bb38130 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d8894 5ef5e97d 1bb33d18 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d891c 5e7321ee 1bb33d18 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d89ec 5ef5e876 002da8f0 002da900 1bb33cd0 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d8a0c 5e7321ee 1bb33cb8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d8adc 5ef5e876 002da8f0 002da900 1bb33c70 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d8afc 5ef5e97d 1bb33900 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d8b84 5e7321ee 1bb33900 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d8c54 5ef5e876 002da8f0 002da900 1bb338b8 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d8c74 5e7321ee 1bb338a0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d8d44 5ef5e876 002da8f0 002da900 1bb33858 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d8d64 5ef5e97d 1bb33548 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d8dec 5e7321ee 1bb33548 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d8ebc 5ef5e876 002da8f0 002da900 1bb33500 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d8edc 5e7321ee 1bb334e8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d8fac 5ef5e876 002da8f0 002da900 1bb334a0 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d8fcc 5ef5e97d 1b081178 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d9054 5e7321ee 1b081178 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d9124 5ef5e876 002da8f0 002da900 1b081130 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9144 5e7321ee 1b081118 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d9214 5ef5e876 002da8f0 002da900 1b0810d0 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9234 5ef5e97d 13712de0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d92bc 5e7321ee 13712de0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d938c 5ef5e876 002da8f0 002da900 13712d98 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d93ac 5e7321ee 13712d80 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d947c 5ef5e876 002da8f0 002da900 13712d38 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d949c 5ef5e97d 137129d8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d9524 5e7321ee 137129d8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d95f4 5ef5e876 002da8f0 002da900 13712990 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9614 5e7321ee 13712978 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d96e4 5ef5e876 002da8f0 002da900 13712930 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9704 5ef5e97d 13712630 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d978c 5e7321ee 13712630 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d985c 5ef5e876 002da8f0 002da900 137125e8 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d987c 5e7321ee 137125d0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d994c 5ef5e876 002da8f0 002da900 13712588 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d996c 5ef5e97d 137122e8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d99f4 5e7321ee 137122e8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d9ac4 5ef5e876 002da8f0 002da900 137122a0 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9ae4 5e7321ee 13712288 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d9bb4 5ef5e876 002da8f0 002da900 13712240 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9bd4 5ef5e97d 12a413a0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d9c5c 5e7321ee 12a413a0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d9d2c 5ef5e876 002da8f0 002da900 12a41358 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9d4c 5e7321ee 12a41340 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d9e1c 5ef5e876 002da8f0 002da900 12a412f8 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9e3c 5ef5e97d 12a41118 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002d9ec4 5e7321ee 12a41118 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002d9f94 5ef5e876 002da8f0 002da900 12a410d0 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002d9fb4 5e7321ee 12a410b8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002da084 5ef5e876 002da8f0 002da900 12a41070 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002da0a4 5ef5e97d 12aa0eb0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002da12c 5e7321ee 12aa0eb0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002da1fc 5ef5e876 002da8f0 002da900 12aa0e68 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002da21c 5e7321ee 12aa0e50 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002da2ec 5ef5e876 002da8f0 002da900 12aa0e08 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002da30c 5ef5e97d 12aa0ce8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002da394 5e7321ee 12aa0ce8 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002da464 5ef5e876 002da8f0 002da900 12aa0ca0 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002da484 5e7321ee 12aa0c88 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002da554 5ef5e876 002da8f0 002da900 12aa0c40 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002da574 5ef5e97d 12aa0b80 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002da5fc 5e7321ee 12aa0b80 002da8f0 002da900 xul!XRE_InitOmnijar+0x61f16
002da6cc 5ef5e876 002da8f0 002da900 12aa0b38 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002da6ec 5e7321ee 12aa09c0 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002da7bc 5ef5e876 002da8f0 002da900 12aa0978 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002da7dc 5e7321ee 12aa0698 002da8f0 002da900 xul!XRE_InitOmnijar+0x61e0f
002da8ac 5ef5e800 002da8f0 002da900 12aa0650 xul!gfxSkipChars::BuildShortcuts+0x3e2e
002da914 5ef5e841 12aa0650 002dbb98 12aa13e0 xul!XRE_InitOmnijar+0x61d99
002dadec 5efd7c6c 0ffc4400 145b2700 002daf40 xul!XRE_InitOmnijar+0x61dda
002dae7c 5efe4d5b 0f4f34c0 002daf40 00000000 xul!mozilla::layers::CairoImageD3D10::GetAsSurface+0x1b17
002dafa0 5efe501b 0ffc4400 002dafb4 0ff4a3a0 xul!mozilla::layers::LayerManagerOGL::CreateShadowContainerLayer+0x828
002db008 5efe5025 091d58d0 5f588b2c 00000000 xul!mozilla::layers::LayerManagerOGL::CreateShadowContainerLayer+0xae8
002db068 5f01adcc 081c0970 091d58d0 081c0970 xul!mozilla::layers::LayerManagerOGL::CreateShadowContainerLayer+0xaf2
002db928 5f01b24c 00000000 002dbb98 3f800000 xul!mozilla::layers::LayerManagerD3D10::Render+0x1c
002db97c 5e754d64 5e7a5610 002dbb98 00000000 xul!mozilla::layers::LayerManagerD3D10::EndTransaction+0x40
002dba60 5e785df5 002dbb98 00000000 095d27f8 xul!mozilla::layers::ContainerLayer::SortChildrenBy3DZOrder+0x6cb4
002dbecc 5e8250a7 00000000 095d27f8 002dbfc0 xul!gfxFontGroup::UpdateFontList+0x1ec5
002dbf90 5e848688 00c4a040 081b7ad0 002dbfc0 xul!gfxASurface::Wrap+0x2dd7
002dbfec 5e766f84 00c4a040 081b7ad0 002dc168 xul!gfxASurface::SurfaceDestroyFunc+0x1cc5
002dc038 76cd0c91 013523f0 00000000 76cd0c9f xul!gfxSkipCharsIterator::IsOriginalCharSkipped+0x5aa4
002dc074 00c4a040 002dc088 002dc130 081b7ad0 USER32!GetClientRect+0x44
002dc210 7297eb8f 0000200a 00000000 002dc2a4 0xc4a040
002dc406 c448002d a3e9002d 7ad05e7c 07f4081b uxtheme!ThemeSystemParametersInfoA+0x43
002dc41a 000f5e74 c4500000 c454002d c440002d 0xc448002d
002dc41e c4500000 c454002d c440002d 0001002d 0xf5e74
002dc422 c454002d c440002d 0001002d 4deb0000 0xc4500000
002dc426 c440002d 0001002d 4deb0000 c4845e73 0xc454002d
002dc42a 0001002d 4deb0000 c4845e73 0000002d 0xc440002d
002dc42e 4deb0000 c4845e73 0000002d 00000000 0x1002d
002dc432 c4845e73 0000002d 00000000 4e3b0000 0x4deb0000
002dc436 00000000 00000000 4e3b0000 7ad05e73 0xc4845e73

I didn't encounter any memory corruption with full page heap enabled by gflags.

According to the information above it seems the bug is not exploitable for code execution. Added the security flag until approval, though.
Component: General → SVG
Product: Firefox → Core
QA Contact: general → general

Comment 1

Out of memory crashes that end up in mozalloc_abort are not exploitable, so unless this sometimes fails with a different stack this is not a security bug.
Group: core-security
Ever confirmed: true
Keywords: crash, testcase
Whiteboard: [sg:dos]
Attachment #617241 - Attachment mime type: text/plain → application/octet-stream
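As an added example (not part of this bug report or of Mozilla's tooling), the following Python triage helper turns the two pieces of evidence used above into a repeatable check: it parses the WinDbg `!address -summary` and `k` output, and applies the rule stated in the triage comment above, namely that a deliberate abort in mozalloc_abort on an exhausted address space is an OOM denial-of-service, while any other innermost frame needs a closer look for memory corruption. The sample debugger text, the busy/free thresholds and the `needs-review` label are constructed assumptions, not Mozilla's classification code.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not from a live debugger session): the shape of WinDbg's
# "!address -summary" output on a 32-bit process, with the figures from the report.
SAMPLE_ADDRESS_SUMMARY = """\
0:000> !address -summary
-------------------- Usage SUMMARY --------------------------
    TotSize (      KB)   Pct(Tots) Pct(Busy)   Usage
   efe6b000 ( 3930540) : 93.71%    96.53%    : RegionUsageIsVAD
    777c000 (  122352) : 02.92%    00.00%    : RegionUsageFree
    583b000 (   90348) : 02.15%    02.22%    : RegionUsageImage
       Tot: ffff0000 (4194240 KB) Busy: f8874000 (4071888 KB)
Largest free region: Base 5e200000 - Size 001f0000 (1984 KB)
"""

# Constructed sample: the first frames of a WinDbg "k" stack, modeled on example #1.
SAMPLE_STACK = """\
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
003e87ec 596a39f1 003ec588 ffdfc570 ffdfdba8 mozalloc!mozalloc_abort+0x2b
003e8960 59674d45 003ec588 ffda0c40 24a58ca0 xul!gfxFontGroup::GetFontAt+0x8cd1
"""

# One usage row: "<hex size> ( <KB>) : <pct>% <pct>% : RegionUsageXxx"
USAGE_RE = re.compile(
    r"^\s*[0-9a-f]+\s+\(\s*(\d+)\)\s+:\s+[\d.]+%\s+[\d.]+%\s+:\s+(\w+)\s*$", re.I)
TOTAL_RE = re.compile(
    r"Tot:\s+[0-9a-f]+\s+\((\d+) KB\)\s+Busy:\s+[0-9a-f]+\s+\((\d+) KB\)", re.I)
LARGEST_RE = re.compile(r"Largest free region:.*Size\s+[0-9a-f]+\s+\((\d+) KB\)", re.I)
# One "k" frame: ChildEBP RetAddr Arg Arg Arg module!symbol+offset
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)$", re.I)


@dataclass
class AddressSummary:
    total_kb: int
    busy_kb: int
    largest_free_kb: int
    usage_kb: dict = field(default_factory=dict)

    @property
    def busy_fraction(self) -> float:
        return self.busy_kb / self.total_kb


def parse_address_summary(text: str) -> AddressSummary:
    """Parse "!address -summary" output into totals plus per-usage sizes (KB)."""
    usage, total, busy, largest = {}, None, None, None
    for line in text.splitlines():
        if m := USAGE_RE.match(line):
            usage[m.group(2)] = int(m.group(1))
        elif m := TOTAL_RE.search(line):
            total, busy = int(m.group(1)), int(m.group(2))
        elif m := LARGEST_RE.search(line):
            largest = int(m.group(1))
    if None in (total, busy, largest):
        raise ValueError("incomplete !address -summary output")
    return AddressSummary(total, busy, largest, usage)


def top_frame_function(stack_text: str):
    """Return the bare function name of the innermost frame, or None if no frame parses."""
    for line in stack_text.splitlines():
        if m := FRAME_RE.match(line):
            symbol = m.group(1)                      # e.g. mozalloc!mozalloc_abort+0x2b
            return symbol.split("!")[-1].split("+")[0]
    return None


def triage(summary: AddressSummary, stack_text: str,
           busy_threshold: float = 0.95, largest_free_kb: int = 64 * 1024):
    """Classify a crash as 'oom-dos' when the address space is exhausted AND the
    process aborted deliberately in mozalloc_abort; anything else is 'needs-review'.
    The thresholds are assumptions chosen for a 32-bit process, not Mozilla's rule."""
    reasons = []
    top = top_frame_function(stack_text)
    exhausted = (summary.busy_fraction >= busy_threshold
                 and summary.largest_free_kb <= largest_free_kb)
    if exhausted:
        reasons.append(f"address space {summary.busy_fraction:.1%} busy, "
                       f"largest free region {summary.largest_free_kb} KB")
    if top == "mozalloc_abort":
        reasons.append("innermost frame is mozalloc_abort (abort on failed allocation)")
    if exhausted and top == "mozalloc_abort":
        return "oom-dos", reasons
    reasons.append(f"innermost frame {top!r}; review for memory corruption before closing")
    return "needs-review", reasons


if __name__ == "__main__":
    verdict, why = triage(parse_address_summary(SAMPLE_ADDRESS_SUMMARY), SAMPLE_STACK)
    print(verdict)          # prints "oom-dos"
    for r in why:
        print(" -", r)
```

The check deliberately requires both signals: a near-full address space alone can accompany a heap overflow that is merely starved of memory, and an abort in mozalloc_abort alone can come from a failed allocation that was itself triggered by an earlier corruption, which is why the triage comment above hedges with "unless this sometimes fails with a different stack". Running the same helper across every crash from the fuzzer is one way to surface exactly those different-stack cases.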
Comment 2 (Robert Longson)

Does this happen on trunk? It's just possible bug 723441 fixes this.
Comment 3

(In reply to Robert Longson from comment #2)
> Does this happen on trunk? It's just possible bug 723441 fixes this.

Attila, you can test and answer Robert's question using:

Comment 4

> https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/firefox-15.0a1.en-US.win32.zip

It does happen with the above build, too. Fills up the memory and crashes in mozalloc_abort().