Closed
Bug 769303
(CVE-2012-1974)
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in gfxTextRun::CanBreakLineBefore
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking
()
People
(Reporter: inferno, Assigned: jfkthame)
References
Details
(5 keywords, Whiteboard: [asan][advisory-tracking+][qa-])
Attachments
(7 files)
|
667 bytes,
text/html
|
Details | |
|
18.07 KB,
text/html
|
Details | |
|
5.91 KB,
patch
|
Details | Diff | Splinter Review | |
|
527 bytes,
text/html
|
Details | |
|
6.10 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
|
6.20 KB,
patch
|
jfkthame
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
6.27 KB,
patch
|
jfkthame
:
review+
lsblakk
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
Reproduces on 20120627175514
http://hg.mozilla.org/mozilla-central/rev/d254c07f3301
Crash and free stacks look different from https://bugzilla.mozilla.org/show_bug.cgi?id=767765
=================================================================
==22134== ERROR: AddressSanitizer heap-use-after-free on address 0x7f3bb2655488 at pc 0x7f3bd8f94d3d bp 0x7fffa294c730 sp 0x7fffa294c728
READ of size 8 at 0x7f3bb2655488 thread T0
#0 0x7f3bd8f94d3d in gfxTextRun::CanBreakLineBefore(unsigned int) firefox/src/modules/zlib/src/inffast.c:0
#1 0x7f3bd8f90835 in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:6644
#2 0x7f3bd8f965c8 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsTextFrameThebes.cpp:6746
#3 0x7f3bd8a1f7b4 in nsBlockFrame::GetMinWidth(nsRenderingContext*) firefox/src/layout/generic/nsBlockFrame.cpp:754
#4 0x7f3bd8b99595 in nsFrame::ShrinkWidthToFit(nsRenderingContext*, int) firefox/src/layout/generic/nsFrame.cpp:3935
#5 0x7f3bd8b1270a in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) firefox/src/layout/generic/nsContainerFrame.cpp:860
#6 0x7f3bd8b94d8e in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) firefox/src/layout/generic/nsFrame.cpp:3780
#7 0x7f3bd8ac780d in FloatMarginWidth(nsHTMLReflowState const&, int, nsIFrame*, nsCSSOffsetState const&) firefox/src/layout/generic/nsBlockReflowState.cpp:562
#8 0x7f3bd8ac0ff2 in nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) firefox/src/layout/generic/nsBlockReflowState.cpp:608
#9 0x7f3bd8abf61b in nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) firefox/src/layout/generic/nsBlockReflowState.cpp:503
#10 0x7f3bd8dbc403 in nsLineLayout::AddFloat(nsIFrame*, int) firefox/src/layout/generic/nsLineLayout.h:195
#11 0x7f3bd8db530b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) firefox/src/layout/generic/nsLineLayout.cpp:868
#12 0x7f3bd8a6fe3f in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) firefox/src/layout/generic/nsBlockFrame.cpp:3834
#13 0x7f3bd8a6989a in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) firefox/src/layout/generic/nsBlockFrame.cpp:3630
#14 0x7f3bd8a5c317 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) firefox/src/layout/generic/nsBlockFrame.cpp:3482
#15 0x7f3bd8a4accc in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) firefox/src/layout/generic/nsBlockFrame.cpp:2570
#16 0x7f3bd8a30131 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) firefox/src/layout/generic/nsBlockFrame.cpp:2020
#17 0x7f3bd8a23bcf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) firefox/src/layout/generic/nsBlockFrame.cpp:1069
#18 0x7f3bd8b136a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) firefox/src/layout/generic/nsContainerFrame.cpp:906
#19 0x7f3bd8ce39a7 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) firefox/src/layout/generic/nsCanvasFrame.cpp:429
#20 0x7f3bd8b136a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) firefox/src/layout/generic/nsContainerFrame.cpp:906
#21 0x7f3bd8c5d74e in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) firefox/src/layout/generic/nsGfxScrollFrame.cpp:517
#22 0x7f3bd8c62ffa in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) firefox/src/layout/generic/nsGfxScrollFrame.cpp:617
#23 0x7f3bd8c6731f in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) firefox/src/layout/generic/nsGfxScrollFrame.cpp:858
#24 0x7f3bd8b136a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) firefox/src/layout/generic/nsContainerFrame.cpp:906
#25 0x7f3bd903bea1 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) firefox/src/layout/generic/nsViewportFrame.cpp:200
#26 0x7f3bd8794ca6 in PresShell::DoReflow(nsIFrame*, bool) firefox/src/layout/base/nsPresShell.cpp:7383
#27 0x7f3bd87c26ad in PresShell::ProcessReflowCommands(bool) firefox/src/layout/base/nsPresShell.cpp:7524
#28 0x7f3bd87c0dbd in PresShell::FlushPendingNotifications(mozFlushType) firefox/src/layout/base/nsPresShell.cpp:3852
#29 0x7f3bda01773e in nsDocument::FlushPendingNotifications(mozFlushType) firefox/src/content/base/src/nsDocument.cpp:6296
#30 0x7f3bdc20db5a in nsGlobalWindow::FlushPendingNotifications(mozFlushType) firefox/src/dom/base/nsGlobalWindow.cpp:9763
#31 0x7f3bdc24133a in nsGlobalWindow::ScrollBy(int, int) firefox/src/dom/base/nsGlobalWindow.cpp:5452
#32 0x7f3be353289a in NS_InvokeByIndex_P firefox/src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:161
#33 0x7f3bdee9e9db in CallMethodHelper::Call() firefox/src/js/xpconnect/src/XPCWrappedNative.cpp:2405
#34 0x7f3bdef05db4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) firefox/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
#35 0x7f3be88569dd in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/src/js/src/jscntxtinlines.h:400
#36 0x7f3be87cabbd in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2437
#37 0x7f3be8750397 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:267
#38 0x7f3be88637ed in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:455
#39 0x7f3be88654f0 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:492
#40 0x7f3be8094c46 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5371
#41 0x7f3be8096b6c in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5408
#42 0x7f3bdc0fbd1a in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1463
#43 0x7f3bdc29e18e in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9057
#44 0x7f3bdc25e272 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9321
#45 0x7f3bdc29c39b in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:9593
#46 0x7f3be346f0e2 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:474
#47 0x7f3be3470d1c in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:558
#48 0x7f3be34333d3 in nsThread::ProcessNextEvent(bool, bool*) firefox/src/xpcom/threads/nsThread.cpp:625
#49 0x7f3be30c242d in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
#50 0x7f3be221fec6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/src/ipc/glue/MessagePump.cpp:82
#51 0x7f3be36e5bca in MessageLoop::RunInternal() firefox/src/ipc/chromium/src/base/message_loop.cc:209
#52 0x7f3be36e5a13 in MessageLoop::RunHandler() firefox/src/ipc/chromium/src/base/message_loop.cc:202
#53 0x7f3be36e58f8 in MessageLoop::Run() firefox/src/ipc/chromium/src/base/message_loop.cc:176
#54 0x7f3be175d9ae in nsBaseAppShell::Run() firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:165
#55 0x7f3be03a7dc8 in nsAppStartup::Run() firefox/src/toolkit/components/startup/nsAppStartup.cpp:256
#56 0x7f3bd6d8d6a7 in XREMain::XRE_mainRun() firefox/src/toolkit/xre/nsAppRunner.cpp:3786
#57 0x7f3bd6d94062 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/src/toolkit/xre/nsAppRunner.cpp:3863
#58 0x7f3bd6d9751b in XRE_main firefox/src/toolkit/xre/nsAppRunner.cpp:3939
#59 0x40a91f in do_main(int, char**) firefox/src/browser/app/nsBrowserApp.cpp:160
#60 0x40834d in main firefox/src/browser/app/nsBrowserApp.cpp:330
#61 0x7f3bf15eac4d in ?? ??:0
0x7f3bb2655488 is located 8 bytes inside of 580-byte region [0x7f3bb2655480,0x7f3bb26556c4)
freed by thread T0 here:
#0 0x4a2ed2 in free ??:0
#1 0x7f3bee4785c3 in moz_free firefox/src/memory/mozalloc/mozalloc.cpp:49
#2 0x7f3bd902be63 in gfxTextRun::operator delete(void*) firefox/src/gfx/thebes/gfxFont.h:2335
#3 0x7f3be3a5bdd8 in ~gfxTextRun firefox/src/gfx/thebes/gfxFont.cpp:4344
#4 0x7f3bd8f1c1de in nsTextFrame::ClearTextRun(nsTextFrame*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:4263
#5 0x7f3bd8f18068 in BuildTextRunsScanner::AssignTextRun(gfxTextRun*, float) firefox/src/layout/generic/nsTextFrameThebes.cpp:2359
#6 0x7f3bd8f07dd8 in BuildTextRunsScanner::BuildTextRunForFrames(void*) firefox/src/layout/generic/nsTextFrameThebes.cpp:2021
#7 0x7f3bd8efe01d in BuildTextRunsScanner::FlushFrames(bool, bool) firefox/src/layout/generic/nsTextFrameThebes.cpp:1372
#8 0x7f3bd8f21528 in BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:1301
#9 0x7f3bd8f1d1a4 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) firefox/src/layout/generic/nsTextFrameThebes.cpp:2391
#10 0x7f3bd8f8f6c8 in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:6594
#11 0x7f3bd8f965c8 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsTextFrameThebes.cpp:6746
#12 0x7f3bd8b10bf5 in nsContainerFrame::DoInlineIntrinsicWidth(nsRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) firefox/src/layout/generic/nsContainerFrame.cpp:813
#13 0x7f3bd8b23b06 in nsFirstLetterFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsFirstLetterFrame.cpp:122
#14 0x7f3bd86b8a1b in nsLayoutUtils::MinWidthFromInline(nsIFrame*, nsRenderingContext*) firefox/src/layout/base/nsLayoutUtils.cpp:3009
#15 0x7f3bd8b23f38 in nsFirstLetterFrame::GetMinWidth(nsRenderingContext*) firefox/src/layout/generic/nsFirstLetterFrame.cpp:137
#16 0x7f3bd86a5453 in nsLayoutUtils::IntrinsicForContainer(nsRenderingContext*, nsIFrame*, nsLayoutUtils::IntrinsicWidthType) firefox/src/layout/base/nsLayoutUtils.cpp:2441
#17 0x7f3bd8b8f953 in nsIFrame::InlineMinWidthData::ForceBreak(nsRenderingContext*) firefox/src/layout/generic/nsFrame.cpp:3597
#18 0x7f3bd8b8ec67 in nsIFrame::InlineMinWidthData::OptionallyBreak(nsRenderingContext*, int) firefox/src/layout/generic/nsFrame.cpp:3622
#19 0x7f3bd8f919bc in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:6698
#20 0x7f3bd8f965c8 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsTextFrameThebes.cpp:6746
#21 0x7f3bd8a1f7b4 in nsBlockFrame::GetMinWidth(nsRenderingContext*) firefox/src/layout/generic/nsBlockFrame.cpp:754
#22 0x7f3bd8b99595 in nsFrame::ShrinkWidthToFit(nsRenderingContext*, int) firefox/src/layout/generic/nsFrame.cpp:3935
#23 0x7f3bd8b1270a in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) firefox/src/layout/generic/nsContainerFrame.cpp:860
#24 0x7f3bd8b94d8e in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) firefox/src/layout/generic/nsFrame.cpp:3780
#25 0x7f3bd8ac780d in FloatMarginWidth(nsHTMLReflowState const&, int, nsIFrame*, nsCSSOffsetState const&) firefox/src/layout/generic/nsBlockReflowState.cpp:562
#26 0x7f3bd8ac0ff2 in nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) firefox/src/layout/generic/nsBlockReflowState.cpp:608
#27 0x7f3bd8abf61b in nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) firefox/src/layout/generic/nsBlockReflowState.cpp:503
#28 0x7f3bd8dbc403 in nsLineLayout::AddFloat(nsIFrame*, int) firefox/src/layout/generic/nsLineLayout.h:195
#29 0x7f3bd8db530b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) firefox/src/layout/generic/nsLineLayout.cpp:868
previously allocated by thread T0 here:
#0 0x4a2f92 in malloc ??:0
#1 0x7f3bee478a23 in moz_malloc firefox/src/memory/mozalloc/mozalloc.cpp:64
#2 0x7f3be3a5a6f6 in gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) firefox/src/gfx/thebes/gfxFont.cpp:4283
#3 0x7f3be3a3da3f in gfxTextRun::Create(gfxTextRunFactory::Parameters const*, unsigned int, gfxFontGroup*, unsigned int) firefox/src/gfx/thebes/gfxFont.cpp:4300
#4 0x7f3be3a41205 in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) firefox/src/gfx/thebes/gfxFont.cpp:3367
#5 0x7f3bd8f14551 in gfxTextRun* MakeTextRun<unsigned char>(unsigned char const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) firefox/src/layout/generic/nsTextFrameThebes.cpp:533
#6 0x7f3bd8f077c5 in BuildTextRunsScanner::BuildTextRunForFrames(void*) firefox/src/layout/generic/nsTextFrameThebes.cpp:1981
#7 0x7f3bd8efe01d in BuildTextRunsScanner::FlushFrames(bool, bool) firefox/src/layout/generic/nsTextFrameThebes.cpp:1372
#8 0x7f3bd8f21528 in BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:1301
#9 0x7f3bd8f1d1a4 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) firefox/src/layout/generic/nsTextFrameThebes.cpp:2391
#10 0x7f3bd8f8f6c8 in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:6594
#11 0x7f3bd8f965c8 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsTextFrameThebes.cpp:6746
#12 0x7f3bd8a1f7b4 in nsBlockFrame::GetMinWidth(nsRenderingContext*) firefox/src/layout/generic/nsBlockFrame.cpp:754
#13 0x7f3bd8b99595 in nsFrame::ShrinkWidthToFit(nsRenderingContext*, int) firefox/src/layout/generic/nsFrame.cpp:3935
#14 0x7f3bd8b1270a in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) firefox/src/layout/generic/nsContainerFrame.cpp:860
#15 0x7f3bd8b94d8e in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) firefox/src/layout/generic/nsFrame.cpp:3780
#16 0x7f3bd8ac780d in FloatMarginWidth(nsHTMLReflowState const&, int, nsIFrame*, nsCSSOffsetState const&) firefox/src/layout/generic/nsBlockReflowState.cpp:562
#17 0x7f3bd8ac0ff2 in nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) firefox/src/layout/generic/nsBlockReflowState.cpp:608
#18 0x7f3bd8abf61b in nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) firefox/src/layout/generic/nsBlockReflowState.cpp:503
#19 0x7f3bd8dbc403 in nsLineLayout::AddFloat(nsIFrame*, int) firefox/src/layout/generic/nsLineLayout.h:195
#20 0x7f3bd8db530b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) firefox/src/layout/generic/nsLineLayout.cpp:868
#21 0x7f3bd8a6fe3f in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) firefox/src/layout/generic/nsBlockFrame.cpp:3834
#22 0x7f3bd8a6989a in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) firefox/src/layout/generic/nsBlockFrame.cpp:3630
==22134== ABORTING
Stats: 150M malloced (164M for red zones) by 352192 calls
Stats: 41M realloced by 18995 calls
Stats: 110M freed by 224892 calls
Stats: 0M really freed by 0 calls
Stats: 344M (88113 full pages) mmaped in 86 calls
mmaps by size class: 8:278511; 9:49146; 10:20475; 11:18423; 12:3072; 13:2048; 14:1536; 15:384; 16:576; 17:128; 18:176; 19:40; 20:16;
mallocs by size class: 8:265920; 9:46521; 10:16109; 11:16839; 12:2376; 13:1812; 14:1414; 15:336; 16:532; 17:113; 18:167; 19:40; 20:13;
frees by size class: 8:158005; 9:35984; 10:12721; 11:13639; 12:1450; 13:917; 14:1225; 15:282; 16:464; 17:99; 18:58; 19:38; 20:10;
rfrees by size class:
Stats: malloc large: 333 small slow: 1835
Shadow byte and word:
0x1fe7764caa91: fd
0x1fe7764caa90: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1fe7764caa70: fa fa fa fa fa fa fa fa
0x1fe7764caa78: fa fa fa fa fa fa fa fa
0x1fe7764caa80: fa fa fa fa fa fa fa fa
0x1fe7764caa88: fa fa fa fa fa fa fa fa
=>0x1fe7764caa90: fd fd fd fd fd fd fd fd
0x1fe7764caa98: fd fd fd fd fd fd fd fd
0x1fe7764caaa0: fd fd fd fd fd fd fd fd
0x1fe7764caaa8: fd fd fd fd fd fd fd fd
0x1fe7764caab0: fd fd fd fd fd fd fd fd
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [asan]
Component: General → Layout: Text
Product: Firefox → Core
QA Contact: general → layout.fonts-and-text
|
Assignee | |
Comment 1•12 years ago
|
||
Although the stacks are different from bug 767765, it looks like another case of trying to access a text-run after it has been deleted; the underlying cause may well turn out to be related.
|
||
Updated•12 years ago
|
Keywords: sec-critical,
testcase
See Also: → CVE-2012-4218
Whiteboard: [asan] → [asan] possibly related or dupe of 767765
|
|
||
Updated•12 years ago
|
Keywords: sec-critical → sec-high
|
||
Comment 2•12 years ago
|
||
We crash because the text run in nsTextFrame::AddInlineMinWidthForFlow
stack frame #20 is destroyed by the nested call in #11, which tries to
create a text run for the text frame (blue) inside the first-letter.
|
|
||
Comment 3•12 years ago
|
||
Here's a wallpaper to avoid that situation in the first place
by making nsPlaceholderFrame::AddInline*Width propagate the
call to the OOF but discarding the result -- this is just to
ensure text runs are created to avoid BuildTextRuns later.
https://tbpl.mozilla.org/?tree=Try&rev=9380843956cc
It fixes the crash for the testcase in this bug.
It doesn't fix bug 767765 which appears to be a different
problem (bidi related?).
|
|
||
Comment 4•12 years ago
|
||
Using a destroyed gfxTextRun may be exploitable - it has some virtual
methods for example.
Keywords: sec-high → sec-critical
|
|
Reporter | |
Comment 5•12 years ago
|
||
Another testcase with slightly different stack. Feel free to split if it turns out to be a different bug.
=================================================================
==10681== ERROR: AddressSanitizer heap-use-after-free on address 0x7f96aeb91988 at pc 0x7f96e69d433c bp 0x7fff9edd0330 sp 0x7fff9edd0328
READ of size 8 at 0x7f96aeb91988 thread T0
#0 0x7f96e69d433c in gfxTextRun::ShrinkToLigatureBoundaries(unsigned int*, unsigned int*) firefox/src/gfx/thebes/gfxFont.cpp:4535
#1 0x7f96e69e4a84 in gfxTextRun::GetAdvanceWidth(unsigned int, unsigned int, gfxTextRun::PropertyProvider*) firefox/src/gfx/thebes/gfxFont.cpp:5038
#2 0x7f96dbc7031e in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:6658
#3 0x7f96dbc75d88 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsTextFrameThebes.cpp:6748
#4 0x7f96db6fd884 in nsBlockFrame::GetMinWidth(nsRenderingContext*) firefox/src/layout/generic/nsBlockFrame.cpp:754
#5 0x7f96db8779c5 in nsFrame::ShrinkWidthToFit(nsRenderingContext*, int) firefox/src/layout/generic/nsFrame.cpp:3943
#6 0x7f96db7f07da in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) firefox/src/layout/generic/nsContainerFrame.cpp:860
#7 0x7f96db8731be in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) firefox/src/layout/generic/nsFrame.cpp:3788
#8 0x7f96db7a58dd in FloatMarginWidth(nsHTMLReflowState const&, int, nsIFrame*, nsCSSOffsetState const&) firefox/src/layout/generic/nsBlockReflowState.cpp:562
#9 0x7f96db79f0c2 in nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) firefox/src/layout/generic/nsBlockReflowState.cpp:608
#10 0x7f96db79d6eb in nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) firefox/src/layout/generic/nsBlockReflowState.cpp:503
#11 0x7f96dba9bd23 in nsLineLayout::AddFloat(nsIFrame*, int) firefox/src/layout/generic/nsLineLayout.h:195
#12 0x7f96dba94c2b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) firefox/src/layout/generic/nsLineLayout.cpp:866
#13 0x7f96db74df0f in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) firefox/src/layout/generic/nsBlockFrame.cpp:3834
#14 0x7f96db74796a in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) firefox/src/layout/generic/nsBlockFrame.cpp:3630
#15 0x7f96db73a3e7 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) firefox/src/layout/generic/nsBlockFrame.cpp:3482
#16 0x7f96db728d9c in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) firefox/src/layout/generic/nsBlockFrame.cpp:2570
#17 0x7f96db70e201 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) firefox/src/layout/generic/nsBlockFrame.cpp:2020
#18 0x7f96db701c9f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) firefox/src/layout/generic/nsBlockFrame.cpp:1069
#19 0x7f96db7f1777 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) firefox/src/layout/generic/nsContainerFrame.cpp:906
#20 0x7f96db9c22f7 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) firefox/src/layout/generic/nsCanvasFrame.cpp:429
#21 0x7f96db7f1777 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) firefox/src/layout/generic/nsContainerFrame.cpp:906
#22 0x7f96db93bb7e in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) firefox/src/layout/generic/nsGfxScrollFrame.cpp:518
#23 0x7f96db94142a in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) firefox/src/layout/generic/nsGfxScrollFrame.cpp:618
#24 0x7f96db94574f in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) firefox/src/layout/generic/nsGfxScrollFrame.cpp:859
#25 0x7f96db7f1777 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) firefox/src/layout/generic/nsContainerFrame.cpp:906
#26 0x7f96dbd1b6d0 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) firefox/src/layout/generic/nsViewportFrame.cpp:200
#27 0x7f96db472a76 in PresShell::DoReflow(nsIFrame*, bool) firefox/src/layout/base/nsPresShell.cpp:7383
#28 0x7f96db4a047d in PresShell::ProcessReflowCommands(bool) firefox/src/layout/base/nsPresShell.cpp:7524
#29 0x7f96db49eb8d in PresShell::FlushPendingNotifications(mozFlushType) firefox/src/layout/base/nsPresShell.cpp:3852
#30 0x7f96db5422bb in nsRefreshDriver::Notify(nsITimer*) firefox/src/layout/base/nsRefreshDriver.cpp:396
#31 0x7f96e63e2336 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:477
#32 0x7f96e63e3eac in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:558
#33 0x7f96e63a64fd in nsThread::ProcessNextEvent(bool, bool*) firefox/src/xpcom/threads/nsThread.cpp:625
#34 0x7f96e603530d in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
#35 0x7f96e50d6366 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/src/ipc/glue/MessagePump.cpp:82
#36 0x7f96e665a46a in MessageLoop::RunInternal() firefox/src/ipc/chromium/src/base/message_loop.cc:209
#37 0x7f96e665a2b3 in MessageLoop::RunHandler() firefox/src/ipc/chromium/src/base/message_loop.cc:202
#38 0x7f96e665a198 in MessageLoop::Run() firefox/src/ipc/chromium/src/base/message_loop.cc:176
#39 0x7f96e460d1ee in nsBaseAppShell::Run() firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:165
#40 0x7f96e3260a28 in nsAppStartup::Run() firefox/src/toolkit/components/startup/nsAppStartup.cpp:257
#41 0x7f96d9a3e830 in XREMain::XRE_mainRun() firefox/src/toolkit/xre/nsAppRunner.cpp:3787
#42 0x7f96d9a451d2 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/src/toolkit/xre/nsAppRunner.cpp:3864
#43 0x7f96d9a486a2 in XRE_main firefox/src/toolkit/xre/nsAppRunner.cpp:3940
#44 0x40c29f in do_main(int, char**) firefox/src/browser/app/nsBrowserApp.cpp:160
#45 0x409ccd in main firefox/src/browser/app/nsBrowserApp.cpp:298
#46 0x7f96f61c3c4d in ?? ??:0
0x7f96aeb91988 is located 8 bytes inside of 124-byte region [0x7f96aeb91980,0x7f96aeb919fc)
freed by thread T0 here:
#0 0x4a43a2 in free ??:0
#1 0x7f96f304f5d3 in moz_free firefox/src/memory/mozalloc/mozalloc.cpp:49
#2 0x7f96dbd0b623 in gfxTextRun::operator delete(void*) firefox/src/gfx/thebes/gfxFont.h:2346
#3 0x7f96e69ccbc8 in ~gfxTextRun firefox/src/gfx/thebes/gfxFont.cpp:4345
#4 0x7f96dbbfb51e in nsTextFrame::ClearTextRun(nsTextFrame*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:4263
#5 0x7f96dbbf73a8 in BuildTextRunsScanner::AssignTextRun(gfxTextRun*, float) firefox/src/layout/generic/nsTextFrameThebes.cpp:2359
#6 0x7f96dbbe7118 in BuildTextRunsScanner::BuildTextRunForFrames(void*) firefox/src/layout/generic/nsTextFrameThebes.cpp:2021
#7 0x7f96dbbdd35d in BuildTextRunsScanner::FlushFrames(bool, bool) firefox/src/layout/generic/nsTextFrameThebes.cpp:1372
#8 0x7f96dbbed21a in BuildTextRunsScanner::ScanFrame(nsIFrame*) firefox/src/layout/generic/nsTextFrameThebes.cpp:1537
#9 0x7f96dbc00626 in BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:1276
#10 0x7f96dbbfc4e4 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) firefox/src/layout/generic/nsTextFrameThebes.cpp:2391
#11 0x7f96dbc6ee88 in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:6596
#12 0x7f96dbc75d88 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsTextFrameThebes.cpp:6748
#13 0x7f96db7eecc5 in nsContainerFrame::DoInlineIntrinsicWidth(nsRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) firefox/src/layout/generic/nsContainerFrame.cpp:813
#14 0x7f96db801bd6 in nsFirstLetterFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsFirstLetterFrame.cpp:122
#15 0x7f96db39672b in nsLayoutUtils::MinWidthFromInline(nsIFrame*, nsRenderingContext*) firefox/src/layout/base/nsLayoutUtils.cpp:3008
#16 0x7f96db802008 in nsFirstLetterFrame::GetMinWidth(nsRenderingContext*) firefox/src/layout/generic/nsFirstLetterFrame.cpp:137
#17 0x7f96db383163 in nsLayoutUtils::IntrinsicForContainer(nsRenderingContext*, nsIFrame*, nsLayoutUtils::IntrinsicWidthType) firefox/src/layout/base/nsLayoutUtils.cpp:2440
#18 0x7f96db86dd83 in nsIFrame::InlineMinWidthData::ForceBreak(nsRenderingContext*) firefox/src/layout/generic/nsFrame.cpp:3605
#19 0x7f96dbc70ec6 in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:6692
#20 0x7f96dbc75d88 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsTextFrameThebes.cpp:6748
#21 0x7f96db6fd884 in nsBlockFrame::GetMinWidth(nsRenderingContext*) firefox/src/layout/generic/nsBlockFrame.cpp:754
#22 0x7f96db8779c5 in nsFrame::ShrinkWidthToFit(nsRenderingContext*, int) firefox/src/layout/generic/nsFrame.cpp:3943
#23 0x7f96db7f07da in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) firefox/src/layout/generic/nsContainerFrame.cpp:860
#24 0x7f96db8731be in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) firefox/src/layout/generic/nsFrame.cpp:3788
#25 0x7f96db7a58dd in FloatMarginWidth(nsHTMLReflowState const&, int, nsIFrame*, nsCSSOffsetState const&) firefox/src/layout/generic/nsBlockReflowState.cpp:562
#26 0x7f96db79f0c2 in nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) firefox/src/layout/generic/nsBlockReflowState.cpp:608
#27 0x7f96db79d6eb in nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) firefox/src/layout/generic/nsBlockReflowState.cpp:503
#28 0x7f96dba9bd23 in nsLineLayout::AddFloat(nsIFrame*, int) firefox/src/layout/generic/nsLineLayout.h:195
#29 0x7f96dba94c2b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) firefox/src/layout/generic/nsLineLayout.cpp:866
previously allocated by thread T0 here:
#0 0x4a4462 in __interceptor_malloc ??:0
#1 0x7f96f304fa33 in moz_malloc firefox/src/memory/mozalloc/mozalloc.cpp:64
#2 0x7f96e69cb4e6 in gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) firefox/src/gfx/thebes/gfxFont.cpp:4284
#3 0x7f96e69ae64f in gfxTextRun::Create(gfxTextRunFactory::Parameters const*, unsigned int, gfxFontGroup*, unsigned int) firefox/src/gfx/thebes/gfxFont.cpp:4301
#4 0x7f96e69b1e15 in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) firefox/src/gfx/thebes/gfxFont.cpp:3367
#5 0x7f96dbbf3891 in gfxTextRun* MakeTextRun<unsigned char>(unsigned char const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) firefox/src/layout/generic/nsTextFrameThebes.cpp:533
#6 0x7f96dbbe6b05 in BuildTextRunsScanner::BuildTextRunForFrames(void*) firefox/src/layout/generic/nsTextFrameThebes.cpp:1981
#7 0x7f96dbbdd35d in BuildTextRunsScanner::FlushFrames(bool, bool) firefox/src/layout/generic/nsTextFrameThebes.cpp:1372
#8 0x7f96dbbed21a in BuildTextRunsScanner::ScanFrame(nsIFrame*) firefox/src/layout/generic/nsTextFrameThebes.cpp:1537
#9 0x7f96dbc00626 in BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:1276
#10 0x7f96dbbfc4e4 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) firefox/src/layout/generic/nsTextFrameThebes.cpp:2391
#11 0x7f96dbc6ee88 in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) firefox/src/layout/generic/nsTextFrameThebes.cpp:6596
#12 0x7f96dbc75d88 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) firefox/src/layout/generic/nsTextFrameThebes.cpp:6748
#13 0x7f96db6fd884 in nsBlockFrame::GetMinWidth(nsRenderingContext*) firefox/src/layout/generic/nsBlockFrame.cpp:754
#14 0x7f96db8779c5 in nsFrame::ShrinkWidthToFit(nsRenderingContext*, int) firefox/src/layout/generic/nsFrame.cpp:3943
#15 0x7f96db7f07da in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) firefox/src/layout/generic/nsContainerFrame.cpp:860
#16 0x7f96db8731be in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) firefox/src/layout/generic/nsFrame.cpp:3788
#17 0x7f96db7a58dd in FloatMarginWidth(nsHTMLReflowState const&, int, nsIFrame*, nsCSSOffsetState const&) firefox/src/layout/generic/nsBlockReflowState.cpp:562
#18 0x7f96db79f0c2 in nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) firefox/src/layout/generic/nsBlockReflowState.cpp:608
#19 0x7f96db79d6eb in nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) firefox/src/layout/generic/nsBlockReflowState.cpp:503
#20 0x7f96dba9bd23 in nsLineLayout::AddFloat(nsIFrame*, int) firefox/src/layout/generic/nsLineLayout.h:195
#21 0x7f96dba94c2b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) firefox/src/layout/generic/nsLineLayout.cpp:866
#22 0x7f96db74df0f in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) firefox/src/layout/generic/nsBlockFrame.cpp:3834
#23 0x7f96db74796a in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) firefox/src/layout/generic/nsBlockFrame.cpp:3630
#24 0x7f96db73a3e7 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) firefox/src/layout/generic/nsBlockFrame.cpp:3482
==10681== ABORTING
Stats: 145M malloced (159M for red zones) by 343591 calls
Stats: 41M realloced by 18376 calls
Stats: 108M freed by 220740 calls
Stats: 0M really freed by 0 calls
Stats: 336M (86064 full pages) mmaped in 84 calls
mmaps by size class: 8:278511; 9:49146; 10:16380; 11:18423; 12:3072; 13:2048; 14:1536; 15:384; 16:576; 17:128; 18:160; 19:40; 20:16;
mallocs by size class: 8:259841; 9:45285; 10:15564; 11:16391; 12:2208; 13:1764; 14:1383; 15:312; 16:524; 17:111; 18:155; 19:40; 20:13;
frees by size class: 8:155285; 9:35443; 10:12340; 11:13279; 12:1387; 13:880; 14:1207; 15:259; 16:457; 17:97; 18:58; 19:38; 20:10;
rfrees by size class:
Stats: malloc large: 319 small slow: 1783
Shadow byte and word:
0x1ff2d5d72331: fd
0x1ff2d5d72330: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1ff2d5d72310: fd fd fd fd fd fd fd fd
0x1ff2d5d72318: fd fd fd fd fd fd fd fd
0x1ff2d5d72320: fa fa fa fa fa fa fa fa
0x1ff2d5d72328: fa fa fa fa fa fa fa fa
=>0x1ff2d5d72330: fd fd fd fd fd fd fd fd
0x1ff2d5d72338: fd fd fd fd fd fd fd fd
0x1ff2d5d72340: fa fa fa fa fa fa fa fa
0x1ff2d5d72348: fa fa fa fa fa fa fa fa
0x1ff2d5d72350: fd fd fd fd fd fd fd fd
|
|
||
Comment 6•12 years ago
|
||
The second testcase triggers the same problem, it's also fixed by the wallpaper.
|
|
Reporter | |
Comment 7•12 years ago
|
||
(In reply to Mats Palmgren [:mats] from comment #6)
> The second testcase triggers the same problem, it's also fixed by the
> wallpaper.
Cool! Does it fix https://bugzilla.mozilla.org/show_bug.cgi?id=769120 too :) ?
|
|
||
Comment 8•12 years ago
|
||
No, bug 769120 seems like an unrelated problem.
|
|
||
Comment 9•12 years ago
|
||
Is this a recent regression or a long-standing problem? Given the code I tend to assume "affects ESR-10"
|
|
||
Comment 10•12 years ago
|
||
I guess it's a long-standing problem, but I have only tested trunk.
|
|
||
Comment 11•12 years ago
|
||
Sorry, I don't know what a real fix would look like for this one.
I guess we could take the wallpaper to make it less likely to occur.
roc, do you have an idea for how to fix the underlying problem?
(see the stack in the 2nd attachment)
It seems to me that even if we introduce some mechanism to keep
gfxTextRuns from being destroyed in a nested scope, it would still
be stale with regards to the frame, content offsets, length etc...
I guess we could just "bail out" in most cases, like the wallpaper
does, but the GetMinWidth result will likely be wrong.
Assignee: matspal → nobody
|
||
Comment 12•12 years ago
|
||
Sorry to be the bad guy, over to you Jonathan. Maybe you can nag Roc on the comment 11 question :)
Assignee: nobody → jfkthame
I think the way to go here is to change InlineIntrinsicWidthData::floats to be an array of pairs: the frame and its min or pref width. We'll compute the intrinsic width of the float when we add it to the array, not later, to avoid having to compute intrinsic widths during ForceBreak/OptionallyBreak.
Hope that's OK with you, David. I think this should be no more complicated than the current code.
|
|
||
Comment 14•12 years ago
|
||
It might also be worthwhile to implement a (stack allocated)
AutoEnsureTextRun that would do EnsureTextRun and then mark that text run
as "in use" and make the text run dtor safely abort if it's marked
"in use".
|
|
||
Updated•12 years ago
|
status-firefox17:
--- → affected
tracking-firefox17:
--- → +
|
|
||
Updated•12 years ago
|
status-firefox15:
--- → affected
See Also: CVE-2012-4218 →
Whiteboard: [asan] possibly related or dupe of 767765 → [asan]
|
|
Assignee | |
Comment 16•12 years ago
|
||
Here's a patch that implements roc's suggestion from comment #13.
I have not yet verified that this resolves the problem, as I ran into problems last time I tried to do an ASAN build. If anyone's in a position to test this and confirm whether it fixes the issue, it'd be much appreciated.
|
|
Assignee | |
Comment 17•12 years ago
|
||
FWIW, this looks OK on tryserver, see https://tbpl.mozilla.org/?tree=Try&rev=34b794183093. The debug crashtest assertions there are bug 780985 (see also bug 460389 comment 25), and now marked in the test manifest, but my tryserver push didn't include that changeset.
|
|
||
Comment 18•12 years ago
|
||
qawanted: does this affect ESR-10 (requires an ASan build to test).
status-firefox-esr10:
--- → ?
Keywords: qawanted
|
||
Comment 19•12 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #18)
> qawanted: does this affect ESR-10 (requires an ASan build to test).
Do ESR10 ASAN builds exist?
|
|
Assignee | |
Comment 20•12 years ago
|
||
I have not actually tested, but from the nature of the bug, I'm fairly sure it'll affect ESR-10 in the same way; this code has been around a pretty long time.
Fortunately, it looks like the patch would be easy to backport (assuming it does in fact fix the problem).
|
|
||
Comment 21•12 years ago
|
||
Thanks Jonathan, I'm going to assume that answers your qawanted request Dan. Please re-add if there is something more we can do here.
Keywords: qawanted
|
|
Reporter | |
Comment 22•12 years ago
|
||
(In reply to Jonathan Kew (:jfkthame) from comment #16)
> Created attachment 650524 [details] [diff] [review]
> patch, precompute intrinsic width of floats (untested)
>
> Here's a patch that implements roc's suggestion from comment #13.
>
> I have not yet verified that this resolves the problem, as I ran into
> problems last time I tried to do an ASAN build. If anyone's in a position to
> test this and confirm whether it fixes the issue, it'd be much appreciated.
verified on ASANified trunk that the patch indeed fixes the bug.
|
|
Assignee | |
Updated•12 years ago
|
Attachment #650524 -
Attachment description: patch, precompute intrinsic width of floats (untested) → patch, precompute intrinsic width of floats
Attachment #650524 -
Flags: review?(roc)
Attachment #650524 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 23•12 years ago
|
||
Target Milestone: --- → mozilla17
|
||
Comment 24•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/357de24b8abc
Should this have a test?
Flags: in-testsuite?
|
|
||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #13)
> I think the way to go here is to change InlineIntrinsicWidthData::floats to
> be an array of pairs: the frame and its min or pref width. We'll compute the
> intrinsic width of the float when we add it to the array, not later, to
> avoid having to compute intrinsic widths during ForceBreak/OptionallyBreak.
>
> Hope that's OK with you, David. I think this should be no more complicated
> than the current code.
That's fine with me.
|
|
||
Comment 26•12 years ago
|
||
(In reply to Ryan VanderMeulen from comment #24)
> https://hg.mozilla.org/mozilla-central/rev/357de24b8abc
>
> Should this have a test?
We shouldn't land tests for security-sensitive bugs before the bug report
is public - usually some time after all affected branches have been fixed,
including other products, UA vendors, upstream projects etc, as needed.
|
|
Assignee | |
Comment 27•12 years ago
|
||
Minor rebasing to apply to Aurora.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): n/a (long-standing bug)
User impact if declined: potential for crash/vulnerability due to accessing a deleted textrun
Testing completed (on m-c, etc.): in Nightly for several days without issues; ASAN testing confirmed the problem is fixed
Risk to taking this patch (and alternatives if risky): low risk, just does computation earlier while the frame's textrun is still valid
String or UUID changes made by this patch: none
Attachment #652370 -
Flags: review+
Attachment #652370 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 28•12 years ago
|
||
Rebased for mozilla-beta and ESR.
[Approval Request Comment]
See comment on Aurora patch above.
Attachment #652371 -
Flags: review+
Attachment #652371 -
Flags: approval-mozilla-esr10?
Attachment #652371 -
Flags: approval-mozilla-beta?
|
|
||
Comment 29•12 years ago
|
||
(In reply to Ryan VanderMeulen from comment #24)
> https://hg.mozilla.org/mozilla-central/rev/357de24b8abc
Should this be marked status-firefox17:fixed?
|
|
Assignee | |
Comment 30•12 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #29)
> Should this be marked status-firefox17:fixed?
Yes.
Also marking status-firefox-esr10:affected, as the problematic code is present there too.
|
||
Updated•12 years ago
|
tracking-firefox15:
--- → +
|
|
||
Updated•12 years ago
|
Attachment #652370 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 31•12 years ago
|
||
Comment on attachment 652371 [details] [diff] [review]
patch rebased to mozilla-beta
Please land this to ESR branch as soon as possible to ensure it goes out with Firefox 15. We go to build on the next ESR early next week.
Attachment #652371 -
Flags: approval-mozilla-esr10?
Attachment #652371 -
Flags: approval-mozilla-esr10+
Attachment #652371 -
Flags: approval-mozilla-beta?
Attachment #652371 -
Flags: approval-mozilla-beta+
|
|
Assignee | |
Comment 32•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
|
||
Updated•12 years ago
|
Whiteboard: [asan] → [asan][advisory-tracking+]
|
|
||
Updated•12 years ago
|
Alias: CVE-2012-1974
|
|
||
Comment 33•12 years ago
|
||
Confirmed both testcases reproducible with try-server ASan build from decoder with changeset 9f3cc040e41a.
Verified testcases not reproducible with:
* 17.0a1: 198ca6edd0ae (debug) built on 20120823 by decoder
* 16.0a2: 805e936380ab (debug) built on 20120823 by decoder
qa- for Firefox 15 and ESR15 as builds are not available.
Status: RESOLVED → VERIFIED
Keywords: verifyme
Whiteboard: [asan][advisory-tracking+] → [asan][advisory-tracking+][qa-]
|
|
||
Updated•12 years ago
|
Group: core-security
|
|
||
Comment 35•12 years ago
|
||
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 36•12 years ago
|
||
|
||
Updated•11 years ago
|
Flags: sec-bounty+
|
|
||
Updated•8 years ago
|
Keywords: csectype-uaf
|
||
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•