Closed Bug 752902 (CVE-2012-1951)
Opened 13 years ago, Closed 13 years ago
Heap-use-after-free in nsSMILTimeValueSpec::IsEventBased
Categories: Core :: SVG, defect
Tracking: RESOLVED FIXED, mozilla14
People: Reporter: inferno, Assigned: birtles
Details: 5 keywords, Whiteboard: [asan][sg:high][advisory-tracking+][qa?]
Attachments (4 files, 4 obsolete files):
393 bytes, image/svg+xml
927 bytes, patch (akeybl: approval-mozilla-beta+; akeybl: approval-mozilla-esr10+; birtles: checkin+)
1.31 KB, patch
2.12 KB, patch
Affects latest Aurora, Trunk
=================================================================
==26824== ERROR: AddressSanitizer heap-use-after-free on address 0x7f6d5ecb0b90 at pc 0x7f6d8e48de39 bp 0x7ffff4b4ca70 sp 0x7ffff4b4ca68
READ of size 4 at 0x7f6d5ecb0b90 thread T0
#0 0x7f6d8e48de39 in nsSMILTimeValueSpec::IsEventBased() const firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:171
#1 0x7f6d8e473023 in nsSMILTimedElement::EndHasEventConditions() const firefox/aurora/content/smil/nsSMILTimedElement.cpp:2291
#2 0x7f6d8e45b1f7 in nsSMILTimedElement::GetNextInterval(nsSMILInterval const*, nsSMILInterval const*, nsSMILInstanceTime const*, nsSMILInterval&) const firefox/aurora/content/smil/nsSMILTimedElement.cpp:1696
#3 0x7f6d8e454302 in nsSMILTimedElement::UpdateCurrentInterval(bool) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1998
#4 0x7f6d8e4569f9 in nsSMILTimedElement::RemoveInstanceTimesForCreator(nsSMILTimeValueSpec const*, bool) firefox/aurora/content/smil/nsSMILTimedElement.cpp:484
#5 0x7f6d8e48c069 in nsSMILTimeValueSpec::UnregisterFromReferencedElement(mozilla::dom::Element*) firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:307
#6 0x7f6d8e48bcb2 in ~nsSMILTimeValueSpec firefox/aurora/content/smil/nsSMILTimeValueSpec.cpp:93
#7 0x7f6d8e481942 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:105
#8 0x7f6d8e46cf13 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
#9 0x7f6d8e480913 in nsTArrayElementTraits<nsAutoPtr<nsSMILTimeValueSpec> >::Destruct(nsAutoPtr<nsSMILTimeValueSpec>*) firefox/aurora/../../dist/include/nsTArray.h:381
#10 0x7f6d8e480578 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:1242
#11 0x7f6d8e480007 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:964
#12 0x7f6d8e46d03f in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::Clear() firefox/aurora/../../dist/include/nsTArray.h:975
#13 0x7f6d8e46825c in nsSMILTimedElement::ClearSpecs(nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>&, nsTArray<nsRefPtr<nsSMILInstanceTime>, nsTArrayDefaultAllocator>&, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1331
#14 0x7f6d8e4611a0 in nsSMILTimedElement::UnsetEndSpec(bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:904
#15 0x7f6d8e465f36 in nsSMILTimedElement::UnsetAttr(nsIAtom*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:854
#16 0x7f6d8e337423 in nsSVGAnimationElement::UnsetAttr(int, nsIAtom*, bool) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:411
#17 0x7f6d8a157d03 in nsGenericElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/base/src/nsGenericElement.cpp:2746
#18 0x7f6d8e2fd108 in nsSVGAnimateElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/svg/content/src/nsSVGAnimateElement.cpp:60
#19 0x7f6d8e9b9aca in nsIDOMElement_RemoveAttribute(JSContext*, unsigned int, JS::Value*) firefox/aurora/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:3961
#20 0x7f6d97537821 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/aurora/js/src/jscntxtinlines.h:314
#21 0x7f6d9749e1cd in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora/js/src/jsinterp.cpp:2757
#22 0x7f6d9741e085 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora/js/src/jsinterp.cpp:475
#23 0x7f6d97537f46 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.cpp:535
#24 0x7f6d96e6d1d0 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.h:172
#25 0x7f6d9753e0ab in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) firefox/aurora/js/src/jsinterp.cpp:567
#26 0x7f6d96d15aff in JS_CallFunctionValue firefox/aurora/js/src/jsapi.cpp:5416
#27 0x7f6d8e7f6d29 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJSClass.cpp:1509
#28 0x7f6d8e79f328 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJS.cpp:617
#29 0x7f6d92af2800 in PrepareAndDispatch firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#30 0x7f6d92aeff97 in SharedStub firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
#31 0x7f6d8aad1759 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:818
#32 0x7f6d8aad2b78 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:875
#33 0x7f6d8ac5bdc7 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.h:170
#34 0x7f6d8ac4a1b6 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:218
#35 0x7f6d8ac47d0c in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:346
#36 0x7f6d8ac4dbb4 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:679
#37 0x7f6d8854f2bf in DocumentViewerImpl::LoadComplete(unsigned int) firefox/aurora/layout/base/nsDocumentViewer.cpp:1071
#38 0x7f6d8f6477f3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) firefox/aurora/docshell/base/nsDocShell.cpp:6200
#39 0x7f6d8f63f601 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) firefox/aurora/docshell/base/nsDocShell.cpp:6031
#40 0x7f6d8f6407e5 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
#41 0x7f6d8f73ff04 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:1384
#42 0x7f6d8f73d915 in nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:962
#43 0x7f6d8f736aa8 in nsDocLoader::DocLoaderIsEmpty(bool) firefox/aurora/uriloader/base/nsDocLoader.cpp:854
#44 0x7f6d8f73b0cc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/uriloader/base/nsDocLoader.cpp:736
#45 0x7f6d8f73cc3d in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
#46 0x7f6d86e83279 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) firefox/aurora/netwerk/base/src/nsLoadGroup.cpp:731
#47 0x7f6d89f98714 in nsDocument::DoUnblockOnload() firefox/aurora/content/base/src/nsDocument.cpp:7278
#48 0x7f6d89f98191 in nsDocument::UnblockOnload(bool) firefox/aurora/content/base/src/nsDocument.cpp:7221
#49 0x7f6d89f48e94 in nsDocument::DispatchContentLoadedEvents() firefox/aurora/content/base/src/nsDocument.cpp:4271
#50 0x7f6d8a002c69 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() firefox/aurora/../../../dist/include/nsThreadUtils.h:345
#51 0x7f6d929e530e in nsThread::ProcessNextEvent(bool, bool*) firefox/aurora/xpcom/threads/nsThread.cpp:657
#52 0x7f6d926733fd in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/aurora/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:245
#53 0x7f6d91a65146 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/aurora/ipc/glue/MessagePump.cpp:110
#54 0x7f6d92c9ca8a in MessageLoop::RunInternal() firefox/aurora/ipc/chromium/src/base/message_loop.cc:209
#55 0x7f6d92c9c8d3 in MessageLoop::RunHandler() firefox/aurora/ipc/chromium/src/base/message_loop.cc:202
#56 0x7f6d92c9c7b8 in MessageLoop::Run() firefox/aurora/ipc/chromium/src/base/message_loop.cc:176
#57 0x7f6d90fabbde in nsBaseAppShell::Run() firefox/aurora/widget/xpwidgets/nsBaseAppShell.cpp:191
#58 0x7f6d8fbd5c88 in nsAppStartup::Run() firefox/aurora/toolkit/components/startup/nsAppStartup.cpp:295
#59 0x7f6d86c63fb2 in XREMain::XRE_mainRun() firefox/aurora/toolkit/xre/nsAppRunner.cpp:3780
#60 0x7f6d86c6a112 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/aurora/toolkit/xre/nsAppRunner.cpp:3857
#61 0x7f6d86c6d5c8 in XRE_main firefox/aurora/toolkit/xre/nsAppRunner.cpp:3933
#62 0x40a7a3 in do_main(int, char**) firefox/aurora/browser/app/nsBrowserApp.cpp:190
#63 0x40832e in main firefox/aurora/browser/app/nsBrowserApp.cpp:277
0x7f6d5ecb0b90 is located 16 bytes inside of 128-byte region [0x7f6d5ecb0b80,0x7f6d5ecb0c00)
freed by thread T0 here:
#0 0x4a4272 in free ??:0
#1 0x7f6d9e6ad673 in moz_free firefox/aurora/memory/mozalloc/mozalloc.cpp:82
#2 0x7f6d8e48199f in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
#3 0x7f6d8e46cf13 in ~nsAutoPtr firefox/aurora/../../dist/include/nsAutoPtr.h:106
#4 0x7f6d8e480913 in nsTArrayElementTraits<nsAutoPtr<nsSMILTimeValueSpec> >::Destruct(nsAutoPtr<nsSMILTimeValueSpec>*) firefox/aurora/../../dist/include/nsTArray.h:381
#5 0x7f6d8e480578 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:1242
#6 0x7f6d8e480007 in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:964
#7 0x7f6d8e46d03f in nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>::Clear() firefox/aurora/../../dist/include/nsTArray.h:975
#8 0x7f6d8e46825c in nsSMILTimedElement::ClearSpecs(nsTArray<nsAutoPtr<nsSMILTimeValueSpec>, nsTArrayDefaultAllocator>&, nsTArray<nsRefPtr<nsSMILInstanceTime>, nsTArrayDefaultAllocator>&, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1331
#9 0x7f6d8e4611a0 in nsSMILTimedElement::UnsetEndSpec(bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:904
#10 0x7f6d8e465f36 in nsSMILTimedElement::UnsetAttr(nsIAtom*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:854
#11 0x7f6d8e337423 in nsSVGAnimationElement::UnsetAttr(int, nsIAtom*, bool) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:411
#12 0x7f6d8a157d03 in nsGenericElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/base/src/nsGenericElement.cpp:2746
#13 0x7f6d8e2fd108 in nsSVGAnimateElement::RemoveAttribute(nsAString_internal const&) firefox/aurora/content/svg/content/src/nsSVGAnimateElement.cpp:60
#14 0x7f6d8e9b9aca in nsIDOMElement_RemoveAttribute(JSContext*, unsigned int, JS::Value*) firefox/aurora/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:3961
#15 0x7f6d97537821 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/aurora/js/src/jscntxtinlines.h:314
#16 0x7f6d9749e1cd in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora/js/src/jsinterp.cpp:2757
#17 0x7f6d9741e085 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora/js/src/jsinterp.cpp:475
#18 0x7f6d97537f46 in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.cpp:535
#19 0x7f6d96e6d1d0 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) firefox/aurora/js/src/jsinterp.h:172
#20 0x7f6d9753e0ab in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) firefox/aurora/js/src/jsinterp.cpp:567
#21 0x7f6d96d15aff in JS_CallFunctionValue firefox/aurora/js/src/jsapi.cpp:5416
#22 0x7f6d8e7f6d29 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJSClass.cpp:1509
#23 0x7f6d8e79f328 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) firefox/aurora/js/xpconnect/src/XPCWrappedJS.cpp:617
#24 0x7f6d92af2800 in PrepareAndDispatch firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#25 0x7f6d92aeff97 in SharedStub firefox/aurora/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
#26 0x7f6d8aad1759 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:818
#27 0x7f6d8aad2b78 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.cpp:875
#28 0x7f6d8ac5bdc7 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) firefox/aurora/content/events/src/nsEventListenerManager.h:170
#29 0x7f6d8ac4a1b6 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) firefox/aurora/content/events/src/nsEventDispatcher.cpp:218
previously allocated by thread T0 here:
#0 0x4a4332 in malloc ??:0
#1 0x7f6d9e6ad7c7 in moz_xmalloc firefox/aurora/memory/mozalloc/mozalloc.cpp:87
#2 0x7f6d8e4676ed in nsSMILTimedElement::SetBeginOrEndSpec(nsAString_internal const&, mozilla::dom::Element*, bool, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:1290
#3 0x7f6d8e461779 in nsSMILTimedElement::SetEndSpec(nsAString_internal const&, mozilla::dom::Element*, bool (*)(nsSMILInstanceTime*)) firefox/aurora/content/smil/nsSMILTimedElement.cpp:897
#4 0x7f6d8e461e32 in nsSMILTimedElement::SetAttr(nsIAtom*, nsAString_internal const&, nsAttrValue&, mozilla::dom::Element*, unsigned int*) firefox/aurora/content/smil/nsSMILTimedElement.cpp:816
#5 0x7f6d8e335a4d in nsSVGAnimationElement::ParseAttribute(int, nsIAtom*, nsAString_internal const&, nsAttrValue&) firefox/aurora/content/svg/content/src/nsSVGAnimationElement.cpp:360
#6 0x7f6d8a193883 in nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) firefox/aurora/content/base/src/nsGenericElement.cpp:5261
#7 0x7f6d8b68a3fb in nsXMLContentSink::AddAttributes(unsigned short const**, nsIContent*) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:1502
#8 0x7f6d8b67c81f in nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int, bool) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:1056
#9 0x7f6d8b67b02b in nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int) firefox/aurora/content/xml/document/src/nsXMLContentSink.cpp:980
#10 0x7f6d8b67dd8d in non-virtual thunk to nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int) firefox/aurora/modules/zlib/src/gzlib.c:0
#11 0x7f6d87c3f3d1 in nsExpatDriver::HandleStartElement(unsigned short const*, unsigned short const**) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:411
#12 0x7f6d87c582a7 in Driver_HandleStartElement(void*, unsigned short const*, unsigned short const**) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:95
#13 0x7f6d87d9c17a in doContent firefox/aurora/parser/expat/lib/xmlparse.c:2387
#14 0x7f6d87d81499 in contentProcessor firefox/aurora/parser/expat/lib/xmlparse.c:2043
#15 0x7f6d87d66c09 in doProlog firefox/aurora/parser/expat/lib/xmlparse.c:4024
#16 0x7f6d87d61b82 in prologProcessor firefox/aurora/parser/expat/lib/xmlparse.c:3758
#17 0x7f6d87dcf1f1 in prologInitProcessor firefox/aurora/parser/expat/lib/xmlparse.c:3575
#18 0x7f6d87d46a01 in MOZ_XML_Parse firefox/aurora/parser/expat/lib/xmlparse.c:1520
#19 0x7f6d87c51694 in nsExpatDriver::ParseBuffer(unsigned short const*, unsigned int, bool, unsigned int*) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:1020
#20 0x7f6d87c52a93 in nsExpatDriver::ConsumeToken(nsScanner&, bool&) firefox/aurora/parser/htmlparser/src/nsExpatDriver.cpp:1121
#21 0x7f6d87c54a62 in non-virtual thunk to nsExpatDriver::ConsumeToken(nsScanner&, bool&) firefox/aurora/modules/zlib/src/gzlib.c:0
#22 0x7f6d87ce9a2b in nsParser::Tokenize(bool) firefox/aurora/parser/htmlparser/src/nsParser.cpp:2275
==26824== ABORTING
Updated•13 years ago
Comment 1•13 years ago
use-after-free in a destructor is probably hard to exploit (would there be time to cause something to be reallocated in the middle of killing things off?) but can't say it would be impossible.
Keywords: sec-high
Whiteboard: [asan] → [asan][sg:high]
Comment 2•13 years ago
Comment 3•13 years ago
Brian, do you have cycles available to take this?
Comment 4•13 years ago (Assignee)
(In reply to Daniel Holbert [:dholbert] from comment #3)
> Brian, do you have cycles available to take this?
I've been travelling so I haven't had a chance to fix it yet, but I did have a chance to look at it. My guess is an extra auto update batcher at the end of UnsetEndSpec (and UnsetBeginSpec) would fix it.
I'll do it next Monday if that's ok?
Comment 5•13 years ago (Assignee)
This bug is reported on Win 7 64-bit. Can we cross-compile asan builds or is there some way to produce asan builds on windows?
Assignee: nobody → birtles
Status: NEW → ASSIGNED
Comment 7•13 years ago (Assignee)
Update before the weekend: I have a two-line patch that fixes this but I suspect it's treating the symptoms and not the root cause. I want to look into this a bit more.
Comment 8•13 years ago (Assignee)
Here's the fix.
The issue is that in nsSMILTimedElement::ClearSpecs we destroy the array of nsSMILTimeValueSpec objects, but their dtors may (in some cases of cyclic dependencies, such as the attached test case) trigger callbacks to the same nsSMILTimedElement that is deleting them, causing us to read the array where some of the objects have been deleted.
This patch unlinks the specs as a separate step so that if there are any callbacks, they happen before the objects get destroyed.
As an extra measure I've also batched updates so that the callbacks won't trigger an update (which is where we read the array) until after the array has been cleared. It also saves some busy work.
I've verified that the unlink step alone fixes the problem without the extra update-batching measure.
I've documented this in a follow-up patch.
Attachment #625539 -
Flags: review?(dholbert)
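A reduced model of the ownership cycle described in comment 8, added here as an illustration and not Gecko code: the class and member names are hypothetical stand-ins for nsSMILTimedElement and nsSMILTimeValueSpec, and a liveness registry counts the read of an already-destroyed end spec instead of performing it. It shows that the unlink step alone removes the dangling reads, and that update batching additionally coalesces the callbacks into one update after the array is empty.

```cpp
#include <cstddef>
#include <set>
#include <vector>

class TimedElement;

// Stand-in for nsSMILTimeValueSpec (hypothetical name, not Gecko's). In the
// cyclic case from comment 8 the element it references is also its owner.
class TimeValueSpec {
public:
  TimeValueSpec(TimedElement* aOwner, bool aEventBased);
  ~TimeValueSpec();
  void Unlink();   // the separate unregister step the fix introduces
  bool IsEventBased() const { return mEventBased; }
private:
  TimedElement* mReferenced;   // non-null while still registered
  bool mEventBased;
};

// Registry of live spec objects: the model consults it instead of dereferencing
// a possibly freed pointer, so the hazard is counted rather than triggered.
static std::set<const void*> gLiveSpecs;

// Stand-in for nsSMILTimedElement, which owns the specs and is called back by them.
class TimedElement {
public:
  enum class ClearMode { Unsafe, UnlinkOnly, UnlinkAndBatch };
  int mDanglingReads = 0;   // entries read after their object was destroyed
  int mUpdatesRun = 0;
  int mBatchDepth = 0;      // models AutoUpdateBatcher nesting
  bool mUpdatePending = false;

  ~TimedElement() { for (TimeValueSpec* s : mEndSpecs) delete s; }
  void AddEndSpec(bool aEventBased) { mEndSpecs.push_back(new TimeValueSpec(this, aEventBased)); }
  // Models UnregisterFromReferencedElement -> RemoveInstanceTimesForCreator ->
  // UpdateCurrentInterval (frames #3-#5 of the ASan stack above).
  void RemoveInstanceTimesForCreator(const TimeValueSpec*) { UpdateCurrentInterval(); }

  // Models UpdateCurrentInterval -> EndHasEventConditions -> IsEventBased(),
  // which walks the end-spec array and touches every entry.
  void UpdateCurrentInterval() {
    if (mBatchDepth > 0) { mUpdatePending = true; return; }
    ++mUpdatesRun;
    for (const TimeValueSpec* spec : mEndSpecs) {
      if (!gLiveSpecs.count(spec)) { ++mDanglingReads; continue; }  // the UAF read
      (void)spec->IsEventBased();
    }
  }

  void ClearSpecs(ClearMode aMode) {
    if (aMode == ClearMode::UnlinkAndBatch) ++mBatchDepth;
    if (aMode != ClearMode::Unsafe) {
      // Fix: unregister every spec first, so the callbacks run while the array
      // still holds only live objects (relies on Unlink() not resizing mEndSpecs).
      for (size_t i = 0; i < mEndSpecs.size(); ++i) mEndSpecs[i]->Unlink();
    }
    // Models nsTArray::Clear(): elements are destructed one at a time while the
    // array still presents its old contents, so a dtor that calls back in sees
    // entries that are already gone.
    for (TimeValueSpec* spec : mEndSpecs) delete spec;
    mEndSpecs.clear();
    if (aMode == ClearMode::UnlinkAndBatch && --mBatchDepth == 0 && mUpdatePending) {
      mUpdatePending = false;
      UpdateCurrentInterval();   // one coalesced update, after the array is empty
    }
  }
private:
  std::vector<TimeValueSpec*> mEndSpecs;
};

TimeValueSpec::TimeValueSpec(TimedElement* aOwner, bool aEventBased)
  : mReferenced(aOwner), mEventBased(aEventBased) { gLiveSpecs.insert(this); }
void TimeValueSpec::Unlink() {
  if (!mReferenced) return;
  TimedElement* ref = mReferenced;
  mReferenced = nullptr;   // cleared first so the dtor's Unlink() becomes a no-op
  ref->RemoveInstanceTimesForCreator(this);
}
// Like the original dtor: unregister (no-op once unlinked), then stop being live.
TimeValueSpec::~TimeValueSpec() { Unlink(); gLiveSpecs.erase(this); }

struct Outcome { int danglingReads; int updatesRun; };
// Builds an element whose aSpecCount end specs all reference it, clears them with
// the chosen strategy and reports what the callbacks observed.
Outcome RunScenario(TimedElement::ClearMode aMode, int aSpecCount) {
  TimedElement el;
  for (int i = 0; i < aSpecCount; ++i) el.AddEndSpec(i % 2 == 0);
  el.ClearSpecs(aMode);
  return {el.mDanglingReads, el.mUpdatesRun};
}
```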
Comment 9•13 years ago (Assignee)
I've split the documentation into a separate patch:
* so as not to give any hints about how to exploit this in the interim before this ships
* to minimise the size of the original fix patch in case we want to land it on other branches
Attachment #625540 -
Flags: review?(dholbert)
Comment 10•13 years ago (Assignee)
The original test case, slightly simplified and turned into a crashtest.
Is there any point in landing this? Do we produce asan builds regularly and run crashtests with them?
Attachment #625542 -
Flags: review?(dholbert)
Comment 11•13 years ago (Assignee)
(In reply to Brian Birtles (:birtles) from comment #10)
> Is there any point in landing this? Do we produce asan builds regularly and
> run crashtests with them?
(That is to say, this "crash test" doesn't actually crash a regular build or have any noticeable side effects)
Comment 12•13 years ago (Assignee)
Sorry for the delay on this--my VM died and it took a long time to build a new image capable of producing asan builds.
Comment 13•13 years ago (Assignee)
Revise documentation
Attachment #625540 -
Attachment is obsolete: true
Attachment #625540 -
Flags: review?(dholbert)
Attachment #625543 -
Flags: review?(dholbert)
Comment 14•13 years ago
Comment on attachment 625539 [details] [diff] [review]
Proposed fix v1a
>+ PRUint32 count = aSpecs.Length();
>+ for (PRUint32 i = 0; i < count; ++i) {
>+ aSpecs[i]->Unlink();
>+ }
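Review bot: the loop indexes aSpecs by position while each Unlink() may call back into the owning nsSMILTimedElement (comment 8 describes those callbacks reaching UpdateCurrentInterval), so it silently relies on Unlink() never adding to or removing from aSpecs. A one-line comment stating that invariant, or an assertion that aSpecs.Length() is unchanged after the loop, would make the assumption visible to whoever next touches ClearSpecs.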
I'd drop 'count' there & just directly check 'aSpecs.Length()' in the loop condition. (It just returns the value of a member var, and I suspect it'll be inlined anyway, so there's no benefit to caching its return value.)
r=me with that
Attachment #625539 -
Flags: review?(dholbert) → review+
Comment 15•13 years ago
Comment on attachment 625542 [details] [diff] [review]
Test case as a crashtest
(In reply to Brian Birtles (:birtles) from comment #11)
> (In reply to Brian Birtles (:birtles) from comment #10)
> > Is there any point in landing this? Do we produce asan builds regularly and
> > run crashtests with them?
>
> (That is to say, this "crash test" doesn't actually crash a regular build or
> have any noticeable side effects)
I think it is worth landing, though it might be good to add a header comment mentioning ASAN & the fact that this never actually crashed.
That way, if we start running ASAN over our crashtests at some point in the future (which might be a good idea), we've got this in there as a regression test.
Plus, this is also useful as an "interesting" testcase for fuzzers to start with & tweak to spin off variants from. (I think some of our fuzzers use our test suites for that purpose.)
Attachment #625542 -
Flags: review?(dholbert) → review+
Updated•13 years ago
Attachment #625543 -
Flags: review?(dholbert) → review+
Comment 16•13 years ago
(In reply to Brian Birtles (:birtles) from comment #12)
> Sorry for the delay on this--my VM died and it took a long time to build a
> new image capable of producing asan builds.
No worries -- thanks for fixing it!
Comment 17•13 years ago (Assignee)
Address review feedback. Thanks Daniel!
Attachment #625539 -
Attachment is obsolete: true
Comment 18•13 years ago (Assignee)
Address review feedback
Attachment #625542 -
Attachment is obsolete: true
Comment 19•13 years ago (Assignee)
Rebase documentation patch off changes to fix patch.
Attachment #625543 -
Attachment is obsolete: true
Comment 20•13 years ago (Assignee)
Pushed fix to m-i:
https://hg.mozilla.org/integration/mozilla-inbound/rev/003306c4fe88
Comment 21•13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
status-firefox15:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
Updated•13 years ago (Assignee)
Attachment #625917 -
Flags: checkin+
Comment 22•13 years ago
I assume we need this patch on Aurora (Fx14), what about ESR-10?
status-firefox-esr10:
--- → ?
status-firefox14:
--- → affected
tracking-firefox-esr10:
--- → ?
tracking-firefox14:
--- → +
Comment 23•13 years ago (Assignee)
(In reply to Daniel Veditz [:dveditz] from comment #22)
> I assume we need this patch on Aurora (Fx14), what about ESR-10?
Although it seems difficult to exploit it would be nice to land this in ESR-10 so we can land the follow-up patches sooner (crashtest plus extra documentation).
Comment 24•13 years ago
Please request beta approval to land this in Firefox 14.
Comment 25•13 years ago (Assignee)
Comment on attachment 625917 [details] [diff] [review]
Fix v1b; r=dholbert
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: n/a
User impact if declined: Potential security exploit (reading free'd memory)
Fix Landed on Version: 15
Risk to taking this patch (and alternatives if risky): As yet undiscovered side-effects. Patch is only four lines so it should be minimal.
String or UUID changes made by this patch: None
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 474743?
User impact if declined: Potential security exploit (reading free'd memory)
Testing completed (on m-c, etc.): m-c, Aurora (landed 1 month ago)
Risk to taking this patch (and alternatives if risky): As yet undiscovered side-effects. Patch is only four lines so it should be minimal.
String or UUID changes made by this patch: none
Attachment #625917 -
Flags: approval-mozilla-esr10?
Attachment #625917 -
Flags: approval-mozilla-beta?
Comment 26•13 years ago
Comment on attachment 625917 [details] [diff] [review]
Fix v1b; r=dholbert
[Triage Comment]
Approved for Beta 14 and the ESR. Please land as soon as possible.
Attachment #625917 -
Flags: approval-mozilla-esr10?
Attachment #625917 -
Flags: approval-mozilla-esr10+
Attachment #625917 -
Flags: approval-mozilla-beta?
Attachment #625917 -
Flags: approval-mozilla-beta+
Comment 27•13 years ago (Assignee)
(In reply to Alex Keybl [:akeybl] from comment #26)
> Comment on attachment 625917 [details] [diff] [review]
> Fix v1b; r=dholbert
>
> [Triage Comment]
> Approved for Beta 14 and the ESR. Please land as soon as possible.
Pushed:
https://hg.mozilla.org/releases/mozilla-esr10/rev/b9b7ef8c3830
https://hg.mozilla.org/releases/mozilla-beta/rev/500bb214b542
Updated•13 years ago (Assignee)
Target Milestone: mozilla15 → mozilla14
Updated•13 years ago
Whiteboard: [asan][sg:high] → [asan][sg:high][advisory-tracking+]
Comment 28•13 years ago
Does not reproduce with an ASAN debug build based off mozilla-aurora 2012-07-11. However, I'm not able to get an ASAN build working within the affected range so I'm not sure that this verification is trustworthy.
Note that the ASAN dependency means we won't be able to verify against Beta or ESR.
Whiteboard: [asan][sg:high][advisory-tracking+] → [asan][sg:high][advisory-tracking+][qa?]
Updated•13 years ago
Alias: CVE-2012-1951
Updated•13 years ago
Group: core-security
Updated•12 years ago
Flags: sec-bounty+
Updated•8 years ago
Keywords: csectype-uaf
Updated•8 months ago
Keywords: reporter-external