Closed Bug 752902 (CVE-2012-1951) Opened 13 years ago Closed 13 years ago

Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased

Categories

(Core :: SVG, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla14
Tracking Status
firefox14 + fixed
firefox15 + fixed
firefox-esr10 14+ fixed

People

(Reporter: inferno, Assigned: birtles)

References

Details

(5 keywords, Whiteboard: [asan][sg:high][advisory-tracking+][qa?])

Attachments

(4 files, 4 obsolete files)

Attached image Testcase
Affects latest Aurora, Trunk

=================================================================
==26824== ERROR: AddressSanitizer heap-use-after-free on address 0x7f6d5ecb0b90 at pc 0x7f6d8e48de39 bp 0x7ffff4b4ca70 sp 0x7ffff4b4ca68
READ of size 4 at 0x7f6d5ecb0b90 thread T0
    #0 0x7f6d8e48de39 in nsSMILTimeValueSpec::IsEventBased() const firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:171
    #1 0x7f6d8e473023 in nsSMILTimedElement::EndHasEventConditions() const firefox/aurora/content/smil/nsSMILTimedElement.cpp:2291
    #2 0x7f6d8e45b1f7 in nsSMILTimedElement::GetNextInterval(nsSMILInterval const*, nsSMILInterval const*, nsSMILInstanceTime const*, nsSMILInterval&) const firefox/aurora/content/smil/nsSMILTimedElement.cpp:1696
    #3 0x7f6d8e454302 in nsSMILTimedElement::UpdateCurrentInterval(bool) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1998
    #4 0x7f6d8e4569f9 in nsSMILTimedElement::RemoveInstanceTimesForCreator(nsSMILTimeValueSpec const*, bool) firefox/aurora/content/smil/nsSMILTimedElement.cpp:484
    #5 0x7f6d8e48c069 in nsSMILTimeValueSpec::UnregisterFromReferencedElement(mozilla::dom::Element*) firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:307
    #6 0x7f6d8e48bcb2 in ~nsSMILTimeValueSpec firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:93
    #7 0x7f6d8e481942 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:105
    #8 0x7f6d8e46cf13 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
    #9 0x7f6d8e480913 in nsTArrayElementTraits<nsAutoPtr<nsSMILTimeValueSpec> >::Destruct(nsAutoPtr<nsSMILTimeValueSpec>*) firefox/aurora/../../dist/include/nsTArray.h:381
    #10 0x7f6d8e480578 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:1242
    #11 0x7f6d8e480007 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:964
    #12 0x7f6d8e46d03f in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::Clear() firefox/aurora/../../dist/include/nsTArray.h:975
    #13 0x7f6d8e46825c in nsSMILTimedElement::ClearSpecs(nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>&, nsTArray<nsRefPtr<nsSMILInstanceTime>, nsTArrayDefaultAllocator>&, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1331
    #14 0x7f6d8e4611a0 in nsSMILTimedElement::UnsetEndSpec(bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:904
    #15 0x7f6d8e465f36 in nsSMILTimedElement::UnsetAttr(nsIAtom*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:854
    #16 0x7f6d8e337423 in nsSVGAnimationElement::UnsetAttr(int, nsIAtom*, bool) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:411
    #17 0x7f6d8a157d03 in nsGenericElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/base/src/nsGenericElement.cpp:2746
    #18 0x7f6d8e2fd108 in nsSVGAnimateElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/svg/content/src/nsSVGAnimateElement.cpp:60
    #19 0x7f6d8e9b9aca in nsIDOMElement_RemoveAttribute(JSContext*, unsigned int, JS::Value*) firefox/aurora/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:3961
    #20 0x7f6d97537821 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/aurora/js/src/jscntxtinlines.h:314
    #21 0x7f6d9749e1cd in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora/js/src/jsinterp.cpp:2757
    #22 0x7f6d9741e085 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora/js/src/jsinterp.cpp:475
    #23 0x7f6d97537f46 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.cpp:535
    #24 0x7f6d96e6d1d0 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.h:172
    #25 0x7f6d9753e0ab in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) firefox/aurora/js/src/jsinterp.cpp:567
    #26 0x7f6d96d15aff in JS_CallFunctionValue firefox/aurora/js/src/jsapi.cpp:5416
    #27 0x7f6d8e7f6d29 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJSClass.cpp:1509
    #28 0x7f6d8e79f328 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJS.cpp:617
    #29 0x7f6d92af2800 in PrepareAndDispatch firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
    #30 0x7f6d92aeff97 in SharedStub firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #31 0x7f6d8aad1759 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:818
    #32 0x7f6d8aad2b78 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:875
    #33 0x7f6d8ac5bdc7 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.h:170
    #34 0x7f6d8ac4a1b6 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:218
    #35 0x7f6d8ac47d0c in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:346
    #36 0x7f6d8ac4dbb4 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:679
    #37 0x7f6d8854f2bf in DocumentViewerImpl::LoadComplete(unsigned int) firefox/aurora/layout/base/nsDocumentViewer.cpp:1071
    #38 0x7f6d8f6477f3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) firefox/aurora/docshell/base/nsDocShell.cpp:6200
    #39 0x7f6d8f63f601 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) firefox/aurora/docshell/base/nsDocShell.cpp:6031
    #40 0x7f6d8f6407e5 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
    #41 0x7f6d8f73ff04 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:1384
    #42 0x7f6d8f73d915 in nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:962
    #43 0x7f6d8f736aa8 in nsDocLoader::DocLoaderIsEmpty(bool) firefox/aurora/uriloader/base/nsDocLoader.cpp:854
    #44 0x7f6d8f73b0cc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:736
    #45 0x7f6d8f73cc3d in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
    #46 0x7f6d86e83279 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/netwerk/base/src/nsLoadGroup.cpp:731
    #47 0x7f6d89f98714 in nsDocument::DoUnblockOnload() firefox/aurora/content/base/src/nsDocument.cpp:7278
    #48 0x7f6d89f98191 in nsDocument::UnblockOnload(bool) firefox/aurora/content/base/src/nsDocument.cpp:7221
    #49 0x7f6d89f48e94 in nsDocument::DispatchContentLoadedEvents() firefox/aurora/content/base/src/nsDocument.cpp:4271
    #50 0x7f6d8a002c69 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() firefox/aurora/../../../dist/include/nsThreadUtils.h:345
    #51 0x7f6d929e530e in nsThread::ProcessNextEvent(bool, bool*) firefox/aurora/xpcom/threads/nsThread.cpp:657
    #52 0x7f6d926733fd in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/aurora/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:245
    #53 0x7f6d91a65146 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/aurora/ipc/glue/MessagePump.cpp:110
    #54 0x7f6d92c9ca8a in MessageLoop::RunInternal() firefox/aurora/ipc/chromium/src/base/message_loop.cc:209
    #55 0x7f6d92c9c8d3 in MessageLoop::RunHandler() firefox/aurora/ipc/chromium/src/base/message_loop.cc:202
    #56 0x7f6d92c9c7b8 in MessageLoop::Run() firefox/aurora/ipc/chromium/src/base/message_loop.cc:176
    #57 0x7f6d90fabbde in nsBaseAppShell::Run() firefox/aurora/widget/xpwidgets/nsBaseAppShell.cpp:191
    #58 0x7f6d8fbd5c88 in nsAppStartup::Run() firefox/aurora/toolkit/components/startup/nsAppStartup.cpp:295
    #59 0x7f6d86c63fb2 in XREMain::XRE_mainRun() firefox/aurora/toolkit/xre/nsAppRunner.cpp:3780
    #60 0x7f6d86c6a112 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/aurora/toolkit/xre/nsAppRunner.cpp:3857
    #61 0x7f6d86c6d5c8 in XRE_main firefox/aurora/toolkit/xre/nsAppRunner.cpp:3933
    #62 0x40a7a3 in do_main(int, char**) firefox/aurora/browser/app/nsBrowserApp.cpp:190
    #63 0x40832e in main firefox/aurora/browser/app/nsBrowserApp.cpp:277
0x7f6d5ecb0b90 is located 16 bytes inside of 128-byte region [0x7f6d5ecb0b80,0x7f6d5ecb0c00)
freed by thread T0 here:
    #0 0x4a4272 in free ??:0
    #1 0x7f6d9e6ad673 in moz_free firefox/aurora/memory/mozalloc/mozalloc.cpp:82
    #2 0x7f6d8e48199f in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
    #3 0x7f6d8e46cf13 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
    #4 0x7f6d8e480913 in nsTArrayElementTraits<nsAutoPtr<nsSMILTimeValueSpec> >::Destruct(nsAutoPtr<nsSMILTimeValueSpec>*) firefox/aurora/../../dist/include/nsTArray.h:381
    #5 0x7f6d8e480578 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:1242
    #6 0x7f6d8e480007 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:964
    #7 0x7f6d8e46d03f in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::Clear() firefox/aurora/../../dist/include/nsTArray.h:975
    #8 0x7f6d8e46825c in nsSMILTimedElement::ClearSpecs(nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>&, nsTArray<nsRefPtr<nsSMILInstanceTime>, nsTArrayDefaultAllocator>&, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1331
    #9 0x7f6d8e4611a0 in nsSMILTimedElement::UnsetEndSpec(bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:904
    #10 0x7f6d8e465f36 in nsSMILTimedElement::UnsetAttr(nsIAtom*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:854
    #11 0x7f6d8e337423 in nsSVGAnimationElement::UnsetAttr(int, nsIAtom*, bool) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:411
    #12 0x7f6d8a157d03 in nsGenericElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/base/src/nsGenericElement.cpp:2746
    #13 0x7f6d8e2fd108 in nsSVGAnimateElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/svg/content/src/nsSVGAnimateElement.cpp:60
    #14 0x7f6d8e9b9aca in nsIDOMElement_RemoveAttribute(JSContext*, unsigned int, JS::Value*) firefox/aurora/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:3961
    #15 0x7f6d97537821 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/aurora/js/src/jscntxtinlines.h:314
    #16 0x7f6d9749e1cd in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora/js/src/jsinterp.cpp:2757
    #17 0x7f6d9741e085 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora/js/src/jsinterp.cpp:475
    #18 0x7f6d97537f46 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.cpp:535
    #19 0x7f6d96e6d1d0 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.h:172
    #20 0x7f6d9753e0ab in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) firefox/aurora/js/src/jsinterp.cpp:567
    #21 0x7f6d96d15aff in JS_CallFunctionValue firefox/aurora/js/src/jsapi.cpp:5416
    #22 0x7f6d8e7f6d29 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJSClass.cpp:1509
    #23 0x7f6d8e79f328 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJS.cpp:617
    #24 0x7f6d92af2800 in PrepareAndDispatch firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
    #25 0x7f6d92aeff97 in SharedStub firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #26 0x7f6d8aad1759 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:818
    #27 0x7f6d8aad2b78 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:875
    #28 0x7f6d8ac5bdc7 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.h:170
    #29 0x7f6d8ac4a1b6 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:218
previously allocated by thread T0 here:
    #0 0x4a4332 in malloc ??:0
    #1 0x7f6d9e6ad7c7 in moz_xmalloc firefox/aurora/memory/mozalloc/mozalloc.cpp:87
    #2 0x7f6d8e4676ed in nsSMILTimedElement::SetBeginOrEndSpec(nsAString_internal const&, mozilla::dom::Element*, bool, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1290
    #3 0x7f6d8e461779 in nsSMILTimedElement::SetEndSpec(nsAString_internal const&, mozilla::dom::Element*, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:897
    #4 0x7f6d8e461e32 in nsSMILTimedElement::SetAttr(nsIAtom*, nsAString_internal const&, nsAttrValue&, mozilla::dom::Element*, unsigned int*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:816
    #5 0x7f6d8e335a4d in nsSVGAnimationElement::ParseAttribute(int, nsIAtom*, nsAString_internal const&, nsAttrValue&) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:360
    #6 0x7f6d8a193883 in nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) firefox/aurora/content/base/src/nsGenericElement.cpp:5261
    #7 0x7f6d8b68a3fb in nsXMLContentSink::AddAttributes(unsigned short const**, nsIContent*) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:1502
    #8 0x7f6d8b67c81f in nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int, bool) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:1056
    #9 0x7f6d8b67b02b in nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:980
    #10 0x7f6d8b67dd8d in non-virtual thunk to nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
    #11 0x7f6d87c3f3d1 in nsExpatDriver::HandleStartElement(unsigned short const*, unsigned short const**) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:411
    #12 0x7f6d87c582a7 in Driver_HandleStartElement(void*, unsigned short const*, unsigned short const**) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:95
    #13 0x7f6d87d9c17a in doContent firefox/aurora/parser/expat/lib/xmlparse.c:2387
    #14 0x7f6d87d81499 in contentProcessor firefox/aurora/parser/expat/lib/xmlparse.c:2043
    #15 0x7f6d87d66c09 in doProlog firefox/aurora/parser/expat/lib/xmlparse.c:4024
    #16 0x7f6d87d61b82 in prologProcessor firefox/aurora/parser/expat/lib/xmlparse.c:3758
    #17 0x7f6d87dcf1f1 in prologInitProcessor firefox/aurora/parser/expat/lib/xmlparse.c:3575
    #18 0x7f6d87d46a01 in MOZ_XML_Parse firefox/aurora/parser/expat/lib/xmlparse.c:1520
    #19 0x7f6d87c51694 in nsExpatDriver::ParseBuffer(unsigned short const*, unsigned int, bool, unsigned int*) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:1020
    #20 0x7f6d87c52a93 in nsExpatDriver::ConsumeToken(nsScanner&, bool&) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:1121
    #21 0x7f6d87c54a62 in non-virtual thunk to nsExpatDriver::ConsumeToken(nsScanner&, bool&) firefox/aurora/modules/zlib/src/gzlib.c:0
    #22 0x7f6d87ce9a2b in nsParser::Tokenize(bool) firefox/aurora/parser/htmlparser/src/nsParser.cpp:2275
==26824== ABORTING
Severity: normal → critical
Component: General → SVG
Keywords: crash, testcase
Product: Firefox → Core
QA Contact: general → general
Whiteboard: [asan]
use-after-free in a destructor is probably hard to exploit (would there be time to cause something to be reallocated in the middle of killing things off?) but can't say it would be impossible.
Keywords: sec-high
Whiteboard: [asan] → [asan][sg:high]
Brian, do you have cycles available to take this?
(In reply to Daniel Holbert [:dholbert] from comment #3)
> Brian, do you have cycles available to take this?

I've been travelling so I haven't had a chance to fix it yet, but I did have a chance to look at it. My guess is an extra auto update batcher at the end of UnsetEndSpec (and UnsetBeginSpec) would fix it. I'll do it next Monday if that's ok?
This bug is reported on Win 7 64-bit. Can we cross-compile asan builds or is there some way to produce asan builds on windows?
Assignee: nobody → birtles
Status: NEW → ASSIGNED
Sorry. Wrong platform in there.
OS: Windows 7 → Linux
Update before the weekend: I have a two-line patch that fixes this but I suspect it's treating the symptoms and not the root cause. I want to look into this a bit more.
Attached patch Proposed fix v1a (obsolete) — Splinter Review
Here's the fix. The issue is that in nsSMILTimedElement::ClearSpecs we destroy the array of nsSMILTimeValueSpec objects, but their dtors may (in some cases of cyclic dependencies such as the attached test case) trigger callbacks to the same nsSMILTimedElement that is deleting them, causing us to read the array where some of the objects have already been deleted. This patch unlinks the specs as a separate step so that if there are any callbacks, they happen before the objects get destroyed. As an extra measure I've also batched updates so that the callbacks won't trigger an update (which is where we read the array) until after the array has been cleared. It also saves some busy work. I've verified that the unlink step alone fixes the problem without the extra update-batching measure. I've documented this in a follow-up patch.
Attachment #625539 - Flags: review?(dholbert)
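A constructed model of the re-entrant teardown described in the comment above (added here for illustration; not Gecko code, and the names TimedElement, TimeValueSpec, ClearSpecsUnpatched and ClearSpecsPatched are assumptions). Each spec registers with its own owner, so a spec's destructor calls back into the element while it is still walking the array being cleared; the `live` flag stands in for the allocator so the dangling read is counted rather than executed.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of the re-entrancy in this bug; not Gecko code.
// A TimedElement owns TimeValueSpec objects. A spec's destructor unregisters
// from the element it references; with a cyclic reference that element is its
// own owner, which is midway through clearing the very array the spec sits in.
struct TimedElement;

struct TimeValueSpec {
    TimedElement* owner;       // element whose end-spec array holds this spec
    TimedElement* referenced;  // element this spec registered with (owner => cycle)
    bool eventBased;
    bool live = true;          // stands in for "not yet freed" (what ASan tracks)

    TimeValueSpec(TimedElement* o, TimedElement* r, bool ev)
        : owner(o), referenced(r), eventBased(ev) {}
    void Unlink();             // forget the registration without calling back
    void Destroy();            // models ~nsSMILTimeValueSpec followed by free()
};

struct TimedElement {
    std::vector<TimeValueSpec*> endSpecs;
    int useAfterFree = 0;      // reads of a spec whose storage is already freed
    bool inBatch = false;      // models the auto-update batcher

    // Models EndHasEventConditions -> IsEventBased: walks the whole array,
    // including entries whose objects are already gone.
    bool EndHasEventConditions() {
        for (const TimeValueSpec* s : endSpecs) {
            if (!s->live) ++useAfterFree;   // the read ASan reported at frame #0
            if (s->eventBased) return true;
        }
        return false;
    }
    void UpdateCurrentInterval() {
        if (!inBatch) (void)EndHasEventConditions();
    }
    // Reached from a spec's destructor via UnregisterFromReferencedElement.
    void RemoveInstanceTimesForCreator(const TimeValueSpec*) {
        UpdateCurrentInterval();
    }

    // Unpatched ClearSpecs: specs are destroyed in place, and each destructor
    // can re-enter this element while earlier entries are already freed.
    void ClearSpecsUnpatched() {
        for (TimeValueSpec* s : endSpecs) s->Destroy();
        endSpecs.clear();
    }
    // Patched ClearSpecs: unlink every spec first so no destructor calls back,
    // and batch updates so nothing reads the array until it has been cleared.
    void ClearSpecsPatched() {
        inBatch = true;
        for (std::size_t i = 0; i < endSpecs.size(); ++i) endSpecs[i]->Unlink();
        for (TimeValueSpec* s : endSpecs) s->Destroy();
        endSpecs.clear();
        inBatch = false;
        UpdateCurrentInterval();   // the deferred update runs on the empty array
    }
};

void TimeValueSpec::Unlink() { referenced = nullptr; }
void TimeValueSpec::Destroy() {
    // Destructor body first (unregister, which may call back), then the free.
    if (referenced) referenced->RemoveInstanceTimesForCreator(this);
    live = false;
}

// The cyclic case from the attached test case: two end-specs whose referenced
// element is their own owner. Specs are stack-owned here; live models free().
static int RunClear(bool patched) {
    TimedElement el;
    TimeValueSpec a(&el, &el, false), b(&el, &el, false);
    el.endSpecs = {&a, &b};
    if (patched) el.ClearSpecsPatched(); else el.ClearSpecsUnpatched();
    return el.useAfterFree;
}
int UseAfterFreeReadsUnpatched() { return RunClear(false); }  // 1
int UseAfterFreeReadsPatched()   { return RunClear(true); }   // 0
```

The unpatched path counts one stale read: when the second spec's destructor re-enters the element, the first spec has already been freed but its pointer is still in the array.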
I've split the documentation into a separate patch:

* so as not to give any hints about how to exploit this in the interim before this ships
* to minimise the size of the original fix patch in case we want to land it on other branches
Attachment #625540 - Flags: review?(dholbert)
Attached patch Test case as a crashtest (obsolete) — Splinter Review
The original test case, slightly simplified and turned into a crashtest. Is there any point in landing this? Do we produce asan builds regularly and run crashtests with them?
Attachment #625542 - Flags: review?(dholbert)
(In reply to Brian Birtles (:birtles) from comment #10)
> Is there any point in landing this? Do we produce asan builds regularly and
> run crashtests with them?

(That is to say, this "crash test" doesn't actually crash a regular build or have any noticeable side effects)
Sorry for the delay on this--my VM died and it took a long time to build a new image capable of producing asan builds.
Revise documentation
Attachment #625540 - Attachment is obsolete: true
Attachment #625540 - Flags: review?(dholbert)
Attachment #625543 - Flags: review?(dholbert)
Comment on attachment 625539 [details] [diff] [review]
Proposed fix v1a

>+  PRUint32 count = aSpecs.Length();
>+  for (PRUint32 i = 0; i < count; ++i) {
>+    aSpecs[i]->Unlink();
>+  }

I'd drop 'count' there & just directly check 'aSpecs.Length()' in the loop condition. (It just returns the value of a member var, and I suspect it'll be inlined anyway, so there's no benefit to caching its return value.)

r=me with that
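Review bot: the Unlink() loop is the whole fix, yet nothing in the quoted hunk says why it must run as a separate pass before the array is cleared. A one-line comment above the loop, noting that a spec's destructor can re-enter this nsSMILTimedElement (UnregisterFromReferencedElement -> RemoveInstanceTimesForCreator -> UpdateCurrentInterval in the ASan trace) and therefore has to find every spec already unlinked, would keep a later cleanup from folding the loop back into the destruction step; if that text is being held for the follow-up documentation patch, a bare "must run before Clear()" would do in the interim.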
Attachment #625539 - Flags: review?(dholbert) → review+
Comment on attachment 625542 [details] [diff] [review]
Test case as a crashtest

(In reply to Brian Birtles (:birtles) from comment #11)
> (In reply to Brian Birtles (:birtles) from comment #10)
> > Is there any point in landing this? Do we produce asan builds regularly and
> > run crashtests with them?
>
> (That is to say, this "crash test" doesn't actually crash a regular build or
> have any noticeable side effects)

I think it is worth landing, though it might be good to add a header comment mentioning ASAN & the fact that this never actually crashed. That way, if we start running ASAN over our crashtests at some point in the future (which might be a good idea), we've got this in there as a regression test.

Plus, this is also useful as an "interesting" testcase for fuzzers to start with & tweak to spin off variants from. (I think some of our fuzzers use our test suites for that purpose.)
Attachment #625542 - Flags: review?(dholbert) → review+
Attachment #625543 - Flags: review?(dholbert) → review+
(In reply to Brian Birtles (:birtles) from comment #12)
> Sorry for the delay on this--my VM died and it took a long time to build a
> new image capable of producing asan builds.

No worries -- thanks for fixing it!
Address review feedback. Thanks Daniel!
Attachment #625539 - Attachment is obsolete: true
Address review feedback
Attachment #625542 - Attachment is obsolete: true
Rebase documentation patch off changes to fix patch.
Attachment #625543 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
Attachment #625917 - Flags: checkin+
I assume we need this patch on Aurora (Fx14), what about ESR-10?
(In reply to Daniel Veditz [:dveditz] from comment #22)
> I assume we need this patch on Aurora (Fx14), what about ESR-10?

Although it seems difficult to exploit, it would be nice to land this in ESR-10 so we can land the follow-up patches sooner (crashtest plus extra documentation).
Please request beta approval to land this in Firefox 14.
Comment on attachment 625917 [details] [diff] [review]
Fix v1b; r=dholbert

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: n/a
User impact if declined: Potential security exploit (reading free'd memory)
Fix Landed on Version: 15
Risk to taking this patch (and alternatives if risky): As yet undiscovered side-effects. Patch is only four lines so it should be minimal.
String or UUID changes made by this patch: None

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 474743?
User impact if declined: Potential security exploit (reading free'd memory)
Testing completed (on m-c, etc.): m-c, Aurora (landed 1 month ago)
Risk to taking this patch (and alternatives if risky): As yet undiscovered side-effects. Patch is only four lines so it should be minimal.
String or UUID changes made by this patch: none
Attachment #625917 - Flags: approval-mozilla-esr10?
Attachment #625917 - Flags: approval-mozilla-beta?
Comment on attachment 625917 [details] [diff] [review]
Fix v1b; r=dholbert

[Triage Comment]
Approved for Beta 14 and the ESR. Please land as soon as possible.
Attachment #625917 - Flags: approval-mozilla-esr10?
Attachment #625917 - Flags: approval-mozilla-esr10+
Attachment #625917 - Flags: approval-mozilla-beta?
Attachment #625917 - Flags: approval-mozilla-beta+
(In reply to Alex Keybl [:akeybl] from comment #26)
> Comment on attachment 625917 [details] [diff] [review]
> Fix v1b; r=dholbert
>
> [Triage Comment]
> Approved for Beta 14 and the ESR. Please land as soon as possible.

Pushed:
https://hg.mozilla.org/releases/mozilla-esr10/rev/b9b7ef8c3830
https://hg.mozilla.org/releases/mozilla-beta/rev/500bb214b542
Target Milestone: mozilla15 → mozilla14
Whiteboard: [asan][sg:high] → [asan][sg:high][advisory-tracking+]
Does not reproduce with an ASAN debug build based off mozilla-aurora 2012-07-11. However, I'm not able to get an ASAN build working within the affected range so I'm not sure that this verification is trustworthy. Note that the ASAN dependency means we won't be able to verify against Beta or ESR.
Whiteboard: [asan][sg:high][advisory-tracking+] → [asan][sg:high][advisory-tracking+][qa?]
Alias: CVE-2012-1951
Depends on: 774028
Group: core-security
Flags: sec-bounty+