Bug 752902 - (CVE-2012-1951) Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased
Status: RESOLVED FIXED
Whiteboard: [asan][sg:high][advisory-tracking+][qa?]
Keywords: crash, sec-high, testcase
Product: Core
Classification: Components
Component: SVG
Version: unspecified
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla14
Assigned To: Brian Birtles (:birtles)
Depends on: 774028
Reported: 2012-05-08 07:31 PDT by Abhishek Arya
Modified: 2014-06-30 12:14 PDT
Flags: rforbes: sec-bounty+
Tracking: + fixed; + fixed; 14+ fixed

Attachments:
Testcase (393 bytes, image/svg+xml) - 2012-05-08 07:31 PDT, Abhishek Arya
Proposed fix v1a (929 bytes, patch) - 2012-05-20 19:11 PDT, Brian Birtles (:birtles) - dholbert: review+
Documentation for fix [to be landed after fix has shipped] (2.05 KB, patch) - 2012-05-20 19:12 PDT, Brian Birtles (:birtles)
Test case as a crashtest (1.07 KB, patch) - 2012-05-20 19:14 PDT, Brian Birtles (:birtles) - dholbert: review+
Documentation for fix v1b [to be landed after fix has shipped] (2.12 KB, patch) - 2012-05-20 19:23 PDT, Brian Birtles (:birtles) - dholbert: review+
Fix v1b; r=dholbert (927 bytes, patch) - 2012-05-22 00:57 PDT, Brian Birtles (:birtles) - akeybl: approval-mozilla-beta+, approval-mozilla-esr10+; bbirtles: checkin+
Crashtest patch; r=dholbert [to be landed after the fix has shipped] (1.31 KB, patch) - 2012-05-22 01:03 PDT, Brian Birtles (:birtles)
Documentation for fix v1c; r=dholbert [to be landed after fix has shipped] (2.12 KB, patch) - 2012-05-22 01:08 PDT, Brian Birtles (:birtles)

Description Abhishek Arya 2012-05-08 07:31:43 PDT
Created attachment 621970 [details]
Testcase

Affects latest Aurora, Trunk

=================================================================
==26824== ERROR: AddressSanitizer heap-use-after-free on address 0x7f6d5ecb0b90 at pc 0x7f6d8e48de39 bp 0x7ffff4b4ca70 sp 0x7ffff4b4ca68
READ of size 4 at 0x7f6d5ecb0b90 thread T0
    #0 0x7f6d8e48de39 in nsSMILTimeValueSpec::IsEventBased() const firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:171
    #1 0x7f6d8e473023 in nsSMILTimedElement::EndHasEventConditions() const firefox/aurora/content/smil/nsSMILTimedElement.cpp:2291
    #2 0x7f6d8e45b1f7 in nsSMILTimedElement::GetNextInterval(nsSMILInterval const*, nsSMILInterval const*, nsSMILInstanceTime const*, nsSMILInterval&) const firefox/aurora/content/smil/nsSMILTimedElement.cpp:1696
    #3 0x7f6d8e454302 in nsSMILTimedElement::UpdateCurrentInterval(bool) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1998
    #4 0x7f6d8e4569f9 in nsSMILTimedElement::RemoveInstanceTimesForCreator(nsSMILTimeValueSpec const*, bool) firefox/aurora/content/smil/nsSMILTimedElement.cpp:484
    #5 0x7f6d8e48c069 in nsSMILTimeValueSpec::UnregisterFromReferencedElement(mozilla::dom::Element*) firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:307
    #6 0x7f6d8e48bcb2 in ~nsSMILTimeValueSpec firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:93
    #7 0x7f6d8e481942 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:105
    #8 0x7f6d8e46cf13 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
    #9 0x7f6d8e480913 in nsTArrayElementTraits<nsAutoPtr<nsSMILTimeValueSpec> >::Destruct(nsAutoPtr<nsSMILTimeValueSpec>*) firefox/aurora/../../dist/include/nsTArray.h:381
    #10 0x7f6d8e480578 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:1242
    #11 0x7f6d8e480007 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:964
    #12 0x7f6d8e46d03f in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::Clear() firefox/aurora/../../dist/include/nsTArray.h:975
    #13 0x7f6d8e46825c in nsSMILTimedElement::ClearSpecs(nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>&, nsTArray<nsRefPtr<nsSMILInstanceTime>, nsTArrayDefaultAllocator>&, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1331
    #14 0x7f6d8e4611a0 in nsSMILTimedElement::UnsetEndSpec(bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:904
    #15 0x7f6d8e465f36 in nsSMILTimedElement::UnsetAttr(nsIAtom*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:854
    #16 0x7f6d8e337423 in nsSVGAnimationElement::UnsetAttr(int, nsIAtom*, bool) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:411
    #17 0x7f6d8a157d03 in nsGenericElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/base/src/nsGenericElement.cpp:2746
    #18 0x7f6d8e2fd108 in nsSVGAnimateElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/svg/content/src/nsSVGAnimateElement.cpp:60
    #19 0x7f6d8e9b9aca in nsIDOMElement_RemoveAttribute(JSContext*, unsigned int, JS::Value*) firefox/aurora/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:3961
    #20 0x7f6d97537821 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/aurora/js/src/jscntxtinlines.h:314
    #21 0x7f6d9749e1cd in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora/js/src/jsinterp.cpp:2757
    #22 0x7f6d9741e085 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora/js/src/jsinterp.cpp:475
    #23 0x7f6d97537f46 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.cpp:535
    #24 0x7f6d96e6d1d0 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.h:172
    #25 0x7f6d9753e0ab in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) firefox/aurora/js/src/jsinterp.cpp:567
    #26 0x7f6d96d15aff in JS_CallFunctionValue firefox/aurora/js/src/jsapi.cpp:5416
    #27 0x7f6d8e7f6d29 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJSClass.cpp:1509
    #28 0x7f6d8e79f328 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJS.cpp:617
    #29 0x7f6d92af2800 in PrepareAndDispatch firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
    #30 0x7f6d92aeff97 in SharedStub firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #31 0x7f6d8aad1759 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:818
    #32 0x7f6d8aad2b78 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:875
    #33 0x7f6d8ac5bdc7 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.h:170
    #34 0x7f6d8ac4a1b6 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:218
    #35 0x7f6d8ac47d0c in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:346
    #36 0x7f6d8ac4dbb4 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:679
    #37 0x7f6d8854f2bf in DocumentViewerImpl::LoadComplete(unsigned int) firefox/aurora/layout/base/nsDocumentViewer.cpp:1071
    #38 0x7f6d8f6477f3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) firefox/aurora/docshell/base/nsDocShell.cpp:6200
    #39 0x7f6d8f63f601 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) firefox/aurora/docshell/base/nsDocShell.cpp:6031
    #40 0x7f6d8f6407e5 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
    #41 0x7f6d8f73ff04 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:1384
    #42 0x7f6d8f73d915 in nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:962
    #43 0x7f6d8f736aa8 in nsDocLoader::DocLoaderIsEmpty(bool) firefox/aurora/uriloader/base/nsDocLoader.cpp:854
    #44 0x7f6d8f73b0cc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:736
    #45 0x7f6d8f73cc3d in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
    #46 0x7f6d86e83279 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/netwerk/base/src/nsLoadGroup.cpp:731
    #47 0x7f6d89f98714 in nsDocument::DoUnblockOnload() firefox/aurora/content/base/src/nsDocument.cpp:7278
    #48 0x7f6d89f98191 in nsDocument::UnblockOnload(bool) firefox/aurora/content/base/src/nsDocument.cpp:7221
    #49 0x7f6d89f48e94 in nsDocument::DispatchContentLoadedEvents() firefox/aurora/content/base/src/nsDocument.cpp:4271
    #50 0x7f6d8a002c69 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() firefox/aurora/../../../dist/include/nsThreadUtils.h:345
    #51 0x7f6d929e530e in nsThread::ProcessNextEvent(bool, bool*) firefox/aurora/xpcom/threads/nsThread.cpp:657
    #52 0x7f6d926733fd in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/aurora/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:245
    #53 0x7f6d91a65146 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/aurora/ipc/glue/MessagePump.cpp:110
    #54 0x7f6d92c9ca8a in MessageLoop::RunInternal() firefox/aurora/ipc/chromium/src/base/message_loop.cc:209
    #55 0x7f6d92c9c8d3 in MessageLoop::RunHandler() firefox/aurora/ipc/chromium/src/base/message_loop.cc:202
    #56 0x7f6d92c9c7b8 in MessageLoop::Run() firefox/aurora/ipc/chromium/src/base/message_loop.cc:176
    #57 0x7f6d90fabbde in nsBaseAppShell::Run() firefox/aurora/widget/xpwidgets/nsBaseAppShell.cpp:191
    #58 0x7f6d8fbd5c88 in nsAppStartup::Run() firefox/aurora/toolkit/components/startup/nsAppStartup.cpp:295
    #59 0x7f6d86c63fb2 in XREMain::XRE_mainRun() firefox/aurora/toolkit/xre/nsAppRunner.cpp:3780
    #60 0x7f6d86c6a112 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/aurora/toolkit/xre/nsAppRunner.cpp:3857
    #61 0x7f6d86c6d5c8 in XRE_main firefox/aurora/toolkit/xre/nsAppRunner.cpp:3933
    #62 0x40a7a3 in do_main(int, char**) firefox/aurora/browser/app/nsBrowserApp.cpp:190
    #63 0x40832e in main firefox/aurora/browser/app/nsBrowserApp.cpp:277
0x7f6d5ecb0b90 is located 16 bytes inside of 128-byte region [0x7f6d5ecb0b80,0x7f6d5ecb0c00)
freed by thread T0 here:
    #0 0x4a4272 in free ??:0
    #1 0x7f6d9e6ad673 in moz_free firefox/aurora/memory/mozalloc/mozalloc.cpp:82
    #2 0x7f6d8e48199f in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
    #3 0x7f6d8e46cf13 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
    #4 0x7f6d8e480913 in nsTArrayElementTraits<nsAutoPtr<nsSMILTimeValueSpec> >::Destruct(nsAutoPtr<nsSMILTimeValueSpec>*) firefox/aurora/../../dist/include/nsTArray.h:381
    #5 0x7f6d8e480578 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:1242
    #6 0x7f6d8e480007 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:964
    #7 0x7f6d8e46d03f in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::Clear() firefox/aurora/../../dist/include/nsTArray.h:975
    #8 0x7f6d8e46825c in nsSMILTimedElement::ClearSpecs(nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>&, nsTArray<nsRefPtr<nsSMILInstanceTime>, nsTArrayDefaultAllocator>&, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1331
    #9 0x7f6d8e4611a0 in nsSMILTimedElement::UnsetEndSpec(bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:904
    #10 0x7f6d8e465f36 in nsSMILTimedElement::UnsetAttr(nsIAtom*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:854
    #11 0x7f6d8e337423 in nsSVGAnimationElement::UnsetAttr(int, nsIAtom*, bool) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:411
    #12 0x7f6d8a157d03 in nsGenericElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/base/src/nsGenericElement.cpp:2746
    #13 0x7f6d8e2fd108 in nsSVGAnimateElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/svg/content/src/nsSVGAnimateElement.cpp:60
    #14 0x7f6d8e9b9aca in nsIDOMElement_RemoveAttribute(JSContext*, unsigned int, JS::Value*) firefox/aurora/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:3961
    #15 0x7f6d97537821 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/aurora/js/src/jscntxtinlines.h:314
    #16 0x7f6d9749e1cd in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora/js/src/jsinterp.cpp:2757
    #17 0x7f6d9741e085 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora/js/src/jsinterp.cpp:475
    #18 0x7f6d97537f46 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.cpp:535
    #19 0x7f6d96e6d1d0 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.h:172
    #20 0x7f6d9753e0ab in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) firefox/aurora/js/src/jsinterp.cpp:567
    #21 0x7f6d96d15aff in JS_CallFunctionValue firefox/aurora/js/src/jsapi.cpp:5416
    #22 0x7f6d8e7f6d29 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJSClass.cpp:1509
    #23 0x7f6d8e79f328 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJS.cpp:617
    #24 0x7f6d92af2800 in PrepareAndDispatch firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
    #25 0x7f6d92aeff97 in SharedStub firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #26 0x7f6d8aad1759 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:818
    #27 0x7f6d8aad2b78 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:875
    #28 0x7f6d8ac5bdc7 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.h:170
    #29 0x7f6d8ac4a1b6 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:218
previously allocated by thread T0 here:
    #0 0x4a4332 in malloc ??:0
    #1 0x7f6d9e6ad7c7 in moz_xmalloc firefox/aurora/memory/mozalloc/mozalloc.cpp:87
    #2 0x7f6d8e4676ed in nsSMILTimedElement::SetBeginOrEndSpec(nsAString_internal const&, mozilla::dom::Element*, bool, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1290
    #3 0x7f6d8e461779 in nsSMILTimedElement::SetEndSpec(nsAString_internal const&, mozilla::dom::Element*, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:897
    #4 0x7f6d8e461e32 in nsSMILTimedElement::SetAttr(nsIAtom*, nsAString_internal const&, nsAttrValue&, mozilla::dom::Element*, unsigned int*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:816
    #5 0x7f6d8e335a4d in nsSVGAnimationElement::ParseAttribute(int, nsIAtom*, nsAString_internal const&, nsAttrValue&) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:360
    #6 0x7f6d8a193883 in nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) firefox/aurora/content/base/src/nsGenericElement.cpp:5261
    #7 0x7f6d8b68a3fb in nsXMLContentSink::AddAttributes(unsigned short const**, nsIContent*) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:1502
    #8 0x7f6d8b67c81f in nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int, bool) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:1056
    #9 0x7f6d8b67b02b in nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:980
    #10 0x7f6d8b67dd8d in non-virtual thunk to nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
    #11 0x7f6d87c3f3d1 in nsExpatDriver::HandleStartElement(unsigned short const*, unsigned short const**) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:411
    #12 0x7f6d87c582a7 in Driver_HandleStartElement(void*, unsigned short const*, unsigned short const**) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:95
    #13 0x7f6d87d9c17a in doContent firefox/aurora/parser/expat/lib/xmlparse.c:2387
    #14 0x7f6d87d81499 in contentProcessor firefox/aurora/parser/expat/lib/xmlparse.c:2043
    #15 0x7f6d87d66c09 in doProlog firefox/aurora/parser/expat/lib/xmlparse.c:4024
    #16 0x7f6d87d61b82 in prologProcessor firefox/aurora/parser/expat/lib/xmlparse.c:3758
    #17 0x7f6d87dcf1f1 in prologInitProcessor firefox/aurora/parser/expat/lib/xmlparse.c:3575
    #18 0x7f6d87d46a01 in MOZ_XML_Parse firefox/aurora/parser/expat/lib/xmlparse.c:1520
    #19 0x7f6d87c51694 in nsExpatDriver::ParseBuffer(unsigned short const*, unsigned int, bool, unsigned int*) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:1020
    #20 0x7f6d87c52a93 in nsExpatDriver::ConsumeToken(nsScanner&, bool&) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:1121
    #21 0x7f6d87c54a62 in non-virtual thunk to nsExpatDriver::ConsumeToken(nsScanner&, bool&) firefox/aurora/modules/zlib/src/gzlib.c:0
    #22 0x7f6d87ce9a2b in nsParser::Tokenize(bool) firefox/aurora/parser/htmlparser/src/nsParser.cpp:2275
==26824== ABORTING
Stats: 132M malloced (146M for red zones) by 322256 calls
Stats: 40M realloced by 18232 calls
Stats: 103M freed by 211052 calls
Stats: 0M really freed by 0 calls
Stats: 312M (79916 full pages) mmaped in 78 calls
  mmaps   by size class: 8:262128; 9:49146; 10:16380; 11:16376; 12:2048; 13:2048; 14:1536; 15:384; 16:512; 17:128; 18:96; 19:56; 20:16;
  mallocs by size class: 8:245743; 9:42218; 10:13971; 11:14225; 12:2028; 13:1650; 14:1384; 15:271; 16:505; 17:105; 18:94; 19:49; 20:13;
  frees   by size class: 8:150073; 9:33717; 10:11296; 11:11665; 12:1405; 13:825; 14:1204; 15:230; 16:438; 17:92; 18:52; 19:45; 20:10;
  rfrees  by size class:
Stats: malloc large: 261 small slow: 1663
Shadow byte and word:
  0x1fedabd96172: fd
  0x1fedabd96170: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fedabd96150: fd fd fd fd fd fd fd fd
  0x1fedabd96158: fd fd fd fd fd fd fd fd
  0x1fedabd96160: fa fa fa fa fa fa fa fa
  0x1fedabd96168: fa fa fa fa fa fa fa fa
=>0x1fedabd96170: fd fd fd fd fd fd fd fd
  0x1fedabd96178: fd fd fd fd fd fd fd fd
  0x1fedabd96180: fa fa fa fa fa fa fa fa
  0x1fedabd96188: fa fa fa fa fa fa fa fa
  0x1fedabd96190: fd fd fd fd fd fd fd fd
Comment 1 Daniel Veditz [:dveditz] 2012-05-09 10:40:10 PDT
use-after-free in a destructor is probably hard to exploit (would there be time to cause something to be reallocated in the middle of killing things off?) but can't say it would be impossible.
Comment 2 Daniel Veditz [:dveditz] 2012-05-09 10:41:10 PDT
Created attachment 622413 [details]
inferno@chromium.org,3000,2012-05-08,2012-05-21,2012-05-23,true
Comment 3 Daniel Holbert [:dholbert] 2012-05-09 10:44:49 PDT
Brian, do you have cycles available to take this?
Comment 4 Brian Birtles (:birtles) 2012-05-10 23:10:50 PDT
(In reply to Daniel Holbert [:dholbert] from comment #3)
> Brian, do you have cycles available to take this?

I've been travelling so I haven't had a chance to fix it yet but I did have a chance to look at it. My guess is an extra auto update batcher at the end of UnsetEndSpec (and UnsetBeginSpec) would fix it.

I'll do it next Monday if that's ok?
Comment 5 Brian Birtles (:birtles) 2012-05-15 01:06:52 PDT
This bug is reported on Win 7 64-bit. Can we cross-compile asan builds or is there some way to produce asan builds on windows?
Comment 6 Abhishek Arya 2012-05-15 06:15:54 PDT
Sorry. Wrong platform in there.
Comment 7 Brian Birtles (:birtles) 2012-05-18 01:27:32 PDT
Update before the weekend: I have a two-line patch that fixes this but I suspect it's treating the symptoms and not the root cause. I want to look into this a bit more.
Comment 8 Brian Birtles (:birtles) 2012-05-20 19:11:19 PDT
Created attachment 625539 [details] [diff] [review]
Proposed fix v1a

Here's the fix.

The issue is that in nsSMILTimedElement::ClearSpecs we destroy the array of nsSMILTimeValueSpec objects but their dtors may (in some cases of cyclic dependencies such as the attached test case) trigger callbacks to the same nsSMILTimedElement that is deleting them causing us to read the array where some of the objects have been deleted.

This patch unlinks the specs as a separate step so that if there are any callbacks, they happen before the objects get destroyed.

As an extra measure I've also batched updates so that the callbacks won't trigger an update (which is where we read the array) until after the array has been cleared. It also saves some busy work.

I've verified that the unlink step alone fixes the problem without the extra update-batching measure.

I've documented this in a follow-up patch.
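The ordering problem comment 8 describes, as an added C++ model written for this page (it is not Firefox's code; the class and method names TimeValueSpec, TimedElement, AutoUpdateBatcher, Unlink and OnSpecUnlinked are invented stand-ins for the nsSMIL classes in the ASan stack). Each spec notifies its owner when it is unlinked, and, unless it was unlinked beforehand, does so from its destructor. ClearSpecsUnsafe() destroys the array directly, so every callback re-enters the element while the array is half torn down; in Firefox the re-entrant update then walked the array and read freed entries. The model counts that re-entrancy instead of dereferencing anything, so it runs clean under a sanitizer. ClearSpecsSafe() applies the two measures from the patch: unlink first so all callbacks run against an intact array, and hold an update batcher so no update runs until the array is empty. The unlink loop also re-checks the array length each iteration rather than caching it, since a callback could in principle change the array mid-loop.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

class TimedElement;

// Hypothetical stand-in for nsSMILTimeValueSpec: keeps a back-pointer to its
// owning element and tells the owner to drop the instance times it created when
// it is unlinked or destroyed (the UnregisterFromReferencedElement path).
class TimeValueSpec {
public:
  explicit TimeValueSpec(TimedElement* aOwner) : mOwner(aOwner) {}
  ~TimeValueSpec() { Unlink(); }  // destructor-time callback: the path that bit
  void Unlink();                  // notifies the owner at most once, then severs the link
private:
  TimedElement* mOwner;
};

// Hypothetical stand-in for nsSMILTimedElement.
class TimedElement {
public:
  // RAII batcher modelled on the "auto update batcher" the thread mentions:
  // while one is alive, update requests are coalesced and run when it goes away.
  class AutoUpdateBatcher {
  public:
    explicit AutoUpdateBatcher(TimedElement& aEl) : mEl(aEl) { ++mEl.mBatchDepth; }
    ~AutoUpdateBatcher() {
      if (--mEl.mBatchDepth == 0 && mEl.mUpdatePending) mEl.UpdateCurrentInterval();
    }
  private:
    TimedElement& mEl;
  };

  void AddSpec() { mSpecs.push_back(std::unique_ptr<TimeValueSpec>(new TimeValueSpec(this))); }

  // Before the fix: destroy the array directly. Each destructor re-enters this
  // element while mSpecs is mid-teardown. mClearing is instrumentation only.
  void ClearSpecsUnsafe() {
    mClearing = true;
    mSpecs.clear();
    mClearing = false;
  }

  // After the fix: unlink every spec first, then clear, with updates batched.
  void ClearSpecsSafe() {
    AutoUpdateBatcher batcher(*this);
    for (size_t i = 0; i < mSpecs.size(); ++i) {  // length re-read each pass
      mSpecs[i]->Unlink();
    }
    mClearing = true;
    mSpecs.clear();  // destructors now find mOwner == nullptr and stay silent
    mClearing = false;
  }

  // Callback a spec makes when it unregisters (RemoveInstanceTimesForCreator).
  void OnSpecUnlinked() {
    if (mClearing) ++mCallbacksDuringClear;
    RequestUpdate();
  }

  int CallbacksDuringClear() const { return mCallbacksDuringClear; }
  int UpdatesDuringClear() const { return mUpdatesDuringClear; }
  int Updates() const { return mUpdates; }

private:
  void RequestUpdate() {
    if (mBatchDepth > 0) { mUpdatePending = true; return; }
    UpdateCurrentInterval();
  }
  // Stand-in for UpdateCurrentInterval: the real one reads every spec in mSpecs
  // (EndHasEventConditions -> IsEventBased), which is the read ASan flagged.
  // Running while mClearing is set is exactly the use-after-free; we only count it.
  void UpdateCurrentInterval() {
    mUpdatePending = false;
    ++mUpdates;
    if (mClearing) ++mUpdatesDuringClear;
  }

  std::vector<std::unique_ptr<TimeValueSpec>> mSpecs;
  int mBatchDepth = 0;
  bool mUpdatePending = false;
  bool mClearing = false;
  int mCallbacksDuringClear = 0;
  int mUpdatesDuringClear = 0;
  int mUpdates = 0;
};

void TimeValueSpec::Unlink() {
  if (!mOwner) return;
  TimedElement* owner = mOwner;
  mOwner = nullptr;  // sever first so the destructor cannot notify a second time
  owner->OnSpecUnlinked();
}

// Builds an element with three specs, clears it one way or the other, and
// returns how many updates ran while the array was being destroyed.
int RunScenario(bool aSafe, int* aCallbacksDuringClear, int* aUpdates) {
  TimedElement el;
  for (int i = 0; i < 3; ++i) el.AddSpec();
  if (aSafe) el.ClearSpecsSafe(); else el.ClearSpecsUnsafe();
  *aCallbacksDuringClear = el.CallbacksDuringClear();
  *aUpdates = el.Updates();
  return el.UpdatesDuringClear();
}

int main() {
  int cb = 0, up = 0;
  int bad = RunScenario(false, &cb, &up);
  std::printf("unsafe: %d callbacks, %d updates during clear\n", cb, bad);
  int ok = RunScenario(true, &cb, &up);
  std::printf("safe:   %d callbacks, %d updates during clear, %d update after\n", cb, ok, up);
  return 0;
}
```

The unsafe path reports three callbacks and three updates landing while the array is being destroyed; the safe path reports none, with the single batched update running only after the array is empty, which matches the observation in comment 8 that the unlink step alone removes the hazard and the batching is an extra measure.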
Comment 9 Brian Birtles (:birtles) 2012-05-20 19:12:57 PDT
Created attachment 625540 [details] [diff] [review]
Documentation for fix [to be landed after fix has shipped]

I've split the documentation into a separate patch:
* so as not to give any hints about how to exploit this in the interim before this ships
* to minimise the size of the original fix patch in case we want to land it on other branches
Comment 10 Brian Birtles (:birtles) 2012-05-20 19:14:08 PDT
Created attachment 625542 [details] [diff] [review]
Test case as a crashtest

The original test case, slightly simplified and turned into a crashtest.

Is there any point in landing this? Do we produce asan builds regularly and run crashtests with them?
Comment 11 Brian Birtles (:birtles) 2012-05-20 19:15:06 PDT
(In reply to Brian Birtles (:birtles) from comment #10)
> Is there any point in landing this? Do we produce asan builds regularly and
> run crashtests with them?

(That is to say, this "crash test" doesn't actually crash a regular build or have any noticeable side effects)
Comment 12 Brian Birtles (:birtles) 2012-05-20 19:17:10 PDT
Sorry for the delay on this--my VM died and it took a long time to build a new image capable of producing asan builds.
Comment 13 Brian Birtles (:birtles) 2012-05-20 19:23:48 PDT
Created attachment 625543 [details] [diff] [review]
Documentation for fix v1b [to be landed after fix has shipped]

Revise documentation
Comment 14 Daniel Holbert [:dholbert] 2012-05-21 11:15:31 PDT
Comment on attachment 625539 [details] [diff] [review]
Proposed fix v1a

>+  PRUint32 count = aSpecs.Length();
>+  for (PRUint32 i = 0; i < count; ++i) {
>+    aSpecs[i]->Unlink();
>+  }
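Review bot: caching `count` before the loop is fragile here, not just redundant: `Unlink()` on one spec can re-enter this element (that re-entrancy is the whole reason for the patch, per comment 8), and if it ever removed entries from `aSpecs` the stale `count` would walk past the end. Checking `aSpecs.Length()` in the loop condition covers that as well as the style point.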

I'd drop 'count' there & just directly check 'aSpecs.Length()' in the loop condition. (It just returns the value of a member var, and I suspect it'll be inlined anyway, so there's no benefit to caching its return value.)

r=me with that
Comment 15 Daniel Holbert [:dholbert] 2012-05-21 11:26:49 PDT
Comment on attachment 625542 [details] [diff] [review]
Test case as a crashtest

(In reply to Brian Birtles (:birtles) from comment #11)
> (In reply to Brian Birtles (:birtles) from comment #10)
> > Is there any point in landing this? Do we produce asan builds regularly and
> > run crashtests with them?
> 
> (That is to say, this "crash test" doesn't actually crash a regular build or
> have any noticeable side effects)

I think it is worth landing, though it might be good to add a header comment mentioning ASAN & the fact that this never actually crashed.

That way, if we start running ASAN over our crashtests at some point in the future (which might be a good idea), we've got this in there as a regression test.

Plus, this is also useful as an "interesting" testcase for fuzzers to start with & tweak to spin off variants from.  (I think some of our fuzzers use our test suites for that purpose.)
Comment 16 Daniel Holbert [:dholbert] 2012-05-21 11:32:15 PDT
(In reply to Brian Birtles (:birtles) from comment #12)
> Sorry for the delay on this--my VM died and it took a long time to build a
> new image capable of producing asan builds.

No worries -- thanks for fixing it!
Comment 17 Brian Birtles (:birtles) 2012-05-22 00:57:02 PDT
Created attachment 625917 [details] [diff] [review]
Fix v1b; r=dholbert

Address review feedback. Thanks Daniel!
Comment 18 Brian Birtles (:birtles) 2012-05-22 01:03:28 PDT
Created attachment 625918 [details] [diff] [review]
Crashtest patch; r=dholbert [to be landed after the fix has shipped]

Address review feedback
Comment 19 Brian Birtles (:birtles) 2012-05-22 01:08:08 PDT
Created attachment 625920 [details] [diff] [review]
Documentation for fix v1c; r=dholbert [to be landed after fix has shipped]

Rebase documentation patch off changes to fix patch.
Comment 20 Brian Birtles (:birtles) 2012-05-22 16:22:34 PDT
Pushed fix to m-i:
https://hg.mozilla.org/integration/mozilla-inbound/rev/003306c4fe88
Comment 21 Ed Morley [:emorley] 2012-05-23 04:59:26 PDT
https://hg.mozilla.org/mozilla-central/rev/003306c4fe88
Comment 22 Daniel Veditz [:dveditz] 2012-05-24 16:42:47 PDT
I assume we need this patch on Aurora (Fx14), what about ESR-10?
Comment 23 Brian Birtles (:birtles) 2012-05-27 15:50:09 PDT
(In reply to Daniel Veditz [:dveditz] from comment #22)
> I assume we need this patch on Aurora (Fx14), what about ESR-10?

Although it seems difficult to exploit it would be nice to land this in ESR-10 so we can land the follow-up patches sooner (crashtest plus extra documentation).
Comment 24 Daniel Veditz [:dveditz] 2012-06-14 16:23:29 PDT
Please request beta approval to land this in Firefox 14.
Comment 25 Brian Birtles (:birtles) 2012-06-22 18:05:34 PDT
Comment on attachment 625917 [details] [diff] [review]
Fix v1b; r=dholbert

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: n/a
User impact if declined: Potential security exploit (reading free'd memory)
Fix Landed on Version: 15
Risk to taking this patch (and alternatives if risky): As yet undiscovered side-effects. Patch is only four lines so it should be minimal.
String or UUID changes made by this patch: None

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 474743?
User impact if declined: Potential security exploit (reading free'd memory)
Testing completed (on m-c, etc.): m-c, Aurora (landed 1 month ago)
Risk to taking this patch (and alternatives if risky): As yet undiscovered side-effects. Patch is only four lines so it should be minimal.
String or UUID changes made by this patch: none
Comment 26 Alex Keybl [:akeybl] 2012-06-24 12:16:11 PDT
Comment on attachment 625917 [details] [diff] [review]
Fix v1b; r=dholbert

[Triage Comment]
Approved for Beta 14 and the ESR. Please land as soon as possible.
Comment 27 Brian Birtles (:birtles) 2012-06-24 16:27:51 PDT
(In reply to Alex Keybl [:akeybl] from comment #26)
> Comment on attachment 625917 [details] [diff] [review]
> Fix v1b; r=dholbert
> 
> [Triage Comment]
> Approved for Beta 14 and the ESR. Please land as soon as possible.

Pushed:
https://hg.mozilla.org/releases/mozilla-esr10/rev/b9b7ef8c3830
https://hg.mozilla.org/releases/mozilla-beta/rev/500bb214b542
Comment 28 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-07-11 11:52:57 PDT
Does not reproduce with an ASAN debug build based off mozilla-aurora 2012-07-11. However, I'm not able to get an ASAN build working within the affected range so I'm not sure that this verification is trustworthy.

Note that the ASAN dependency means we won't be able to verify against Beta or ESR.
