Closed Bug 776327 Opened 12 years ago Closed 12 years ago

out-of-bound read in gfxTextRun::GetAdvanceForGlyphs (SVG tspan)

Categories

(Core :: SVG, defect)

defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla17
Tracking Status
firefox14 --- wontfix
firefox15 --- wontfix
firefox16 - wontfix
firefox17 --- verified
firefox-esr10 --- wontfix

People

(Reporter: inferno, Assigned: MatsPalmgren_bugz)

Details

(5 keywords, Whiteboard: [adv-track-main17-])

Attachments

(2 files)

Attached image Testcase
Reproduces on trunk.
446b788ab99d (opt), built on 20120721

=================================================================
==22554== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f5152eb6600 at pc 0x7f5181111b01 bp 0x7fffac9df210 sp 0x7fffac9df208
READ of size 4 at 0x7f5152eb6600 thread T0
    #0 0x7f5181111b01 in gfxShapedWord::CompressedGlyph::IsSimpleGlyph() const asn1cmn.c:0
    #1 0x7f518bfa1514 in gfxTextRun::GetAdvanceForGlyphs(unsigned int, unsigned int) src/gfx/thebes/gfxFont.cpp:4466
    #2 0x7f518bfb59dd in gfxTextRun::GetAdvanceWidth(unsigned int, unsigned int, gfxTextRun::PropertyProvider*) src/gfx/thebes/gfxFont.cpp:5056
    #3 0x7f518626ab95 in nsSVGGlyphFrame::GetSubStringAdvance(unsigned int, unsigned int, float) src/layout/svg/base/src/nsSVGGlyphFrame.cpp:817
    #4 0x7f5186278266 in nsSVGGlyphFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGGlyphFrame.cpp:1373
    #5 0x7f51862784f8 in non-virtual thunk to nsSVGGlyphFrame::GetSubStringLength(unsigned int, unsigned int) asn1cmn.c:0
    #6 0x7f51862feb12 in nsSVGTextContainerFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTextContainerFrame.cpp:222
    #7 0x7f5186312e3b in nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTSpanFrame.cpp:124
    #8 0x7f5186312f88 in non-virtual thunk to nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) asn1cmn.c:0
    #9 0x7f51862feb12 in nsSVGTextContainerFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTextContainerFrame.cpp:222
    #10 0x7f5186312e3b in nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTSpanFrame.cpp:124
    #11 0x7f5186a50adb in nsSVGTextContentElement::GetSubStringLength(unsigned int, unsigned int, float*) src/content/svg/content/src/nsSVGTextContentElement.cpp:74
    #12 0x7f5186a47d42 in nsSVGTSpanElement::GetSubStringLength(unsigned int, unsigned int, float*) src/content/svg/content/src/nsSVGTSpanElement.cpp:37
    #13 0x7f5186a4e2ab in non-virtual thunk to nsSVGTSpanElement::GetSubStringLength(unsigned int, unsigned int, float*) asn1cmn.c:0
    #14 0x7f518ba76bca in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:161
    #15 0x7f51870c774b in CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:2416
    #16 0x7f518712ead4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
    #17 0x7f51925f2587 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:382
    #18 0x7f5192569593 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2426
    #19 0x7f51924f0725 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:302
    #20 0x7f51925f29a9 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:356
    #21 0x7f5191f28430 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #22 0x7f51925f7b0d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #23 0x7f5191dd30d9 in JS_CallFunctionValue src/js/src/jsapi.cpp:5572
    #24 0x7f5187076b1e in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1436
    #25 0x7f518701ca18 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:580
    #26 0x7f518ba7c780 in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
    #27 0x7f518ba79f17 in SharedStub src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #28 0x7f5182eb0bb3 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:794
    #29 0x7f5182eb207a in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:867
    #30 0x7f5183060c97 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:144
    #31 0x7f518304f936 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:185
    #32 0x7f518304d49c in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:313
    #33 0x7f5183052fb0 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:634
    #34 0x7f5183057544 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/content/events/src/nsEventDispatcher.cpp:697
    #35 0x7f51823fdde3 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/content/base/src/nsINode.cpp:1079
    #36 0x7f5181f41612 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3428
    #37 0x7f5181f40aa6 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3398
    #38 0x7f51821496c6 in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4131
    #39 0x7f51822098e9 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:349
    #40 0x7f518b9778fd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:625
    #41 0x7f518b6066ad in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
    #42 0x7f518a5a5ce6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #43 0x7f518bc29b9a in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:209
    #44 0x7f518bc299e3 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:202
    #45 0x7f518bc298c8 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:176
    #46 0x7f5189aafc8e in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #47 0x7f5188702eb8 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:257
    #48 0x7f517ee90d20 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3787
    #49 0x7f517ee976c2 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3864
    #50 0x7f517ee9ab92 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3940
    #51 0x40c28f in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:160
    #52 0x409cbd in main src/browser/app/nsBrowserApp.cpp:298
    #53 0x7f519ba4fc4d in ?? ??:0
0x7f5152eb6600 is located 0 bytes to the right of 128-byte region [0x7f5152eb6580,0x7f5152eb6600)
allocated by thread T0 here:
    #0 0x4a4452 in __interceptor_malloc ??:0
    #1 0x7f51988dba23 in moz_malloc src/memory/mozalloc/mozalloc.cpp:64
    #2 0x7f518bf9bd16 in gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) src/gfx/thebes/gfxFont.cpp:4284
    #3 0x7f518bf7ee7f in gfxTextRun::Create(gfxTextRunFactory::Parameters const*, unsigned int, gfxFontGroup*, unsigned int) src/gfx/thebes/gfxFont.cpp:4301
    #4 0x7f518bf88206 in gfxFontGroup::MakeTextRun(unsigned short const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) src/gfx/thebes/gfxFont.cpp:3394
    #5 0x7f5186270eff in nsSVGGlyphFrame::EnsureTextRun(float*, float*, bool) src/layout/svg/base/src/nsSVGGlyphFrame.cpp:1630
    #6 0x7f5186278182 in nsSVGGlyphFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGGlyphFrame.cpp:1370
    #7 0x7f51862784f8 in non-virtual thunk to nsSVGGlyphFrame::GetSubStringLength(unsigned int, unsigned int) asn1cmn.c:0
    #8 0x7f51862feb12 in nsSVGTextContainerFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTextContainerFrame.cpp:222
    #9 0x7f5186312e3b in nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTSpanFrame.cpp:124
    #10 0x7f5186312f88 in non-virtual thunk to nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) asn1cmn.c:0
    #11 0x7f51862feb12 in nsSVGTextContainerFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTextContainerFrame.cpp:222
    #12 0x7f5186312e3b in nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTSpanFrame.cpp:124
    #13 0x7f5186a50adb in nsSVGTextContentElement::GetSubStringLength(unsigned int, unsigned int, float*) src/content/svg/content/src/nsSVGTextContentElement.cpp:74
    #14 0x7f5186a47d42 in nsSVGTSpanElement::GetSubStringLength(unsigned int, unsigned int, float*) src/content/svg/content/src/nsSVGTSpanElement.cpp:37
    #15 0x7f5186a4e2ab in non-virtual thunk to nsSVGTSpanElement::GetSubStringLength(unsigned int, unsigned int, float*) asn1cmn.c:0
    #16 0x7f518ba76bca in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:161
    #17 0x7f51870c774b in CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:2416
    #18 0x7f518712ead4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
    #19 0x7f51925f2587 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:382
    #20 0x7f5192569593 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2426
    #21 0x7f51924f0725 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:302
    #22 0x7f51925f29a9 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:356
    #23 0x7f5191f28430 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #24 0x7f51925f7b0d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
==22554== ABORTING
Severity: normal → critical
Component: General → SVG
Keywords: crash, testcase
Product: Firefox → Core
Hardware: x86_64 → All
Attachment #645638 - Flags: review?(jwatt)
It looks non-exploitable to me - I think it's just a DOS crash.
It probably affects all versions since the error dates back to 2006-06-28.
Comment on attachment 645638 [details] [diff] [review]
fix

> the error dates back to 2006-06-28

Crazy.
Attachment #645638 - Flags: review?(jwatt) → review+
heycam: dunno if this impacts you, or if you need to apply this fix to your work, or not.
https://hg.mozilla.org/integration/mozilla-inbound/rev/aed8e7564f57
Flags: in-testsuite?
Target Milestone: --- → mozilla17
Thanks for the pointer. My GetSubStringLength is different enough now that it's all processed by the one frame, so I think I don't have this bug.
https://hg.mozilla.org/mozilla-central/rev/aed8e7564f57
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment on attachment 645638 [details] [diff] [review]
fix

Low risk crash fix.
Attachment #645638 - Flags: approval-mozilla-esr10?
Attachment #645638 - Flags: approval-mozilla-beta?
Attachment #645638 - Flags: approval-mozilla-aurora?
Comment on attachment 645638 [details] [diff] [review]
fix

[Triage Comment]
Long standing error, non-exploitable, no need to take on branches.
Attachment #645638 - Flags: approval-mozilla-esr10?
Attachment #645638 - Flags: approval-mozilla-esr10-
Attachment #645638 - Flags: approval-mozilla-beta?
Attachment #645638 - Flags: approval-mozilla-beta-
Attachment #645638 - Flags: approval-mozilla-aurora?
Attachment #645638 - Flags: approval-mozilla-aurora-
Long standing (non-critical) error.
Keywords: csec-dos
Summary: Heap-buffer-overflow in gfxTextRun::GetAdvanceForGlyphs (SVG tspan) → out-of-bound read in gfxTextRun::GetAdvanceForGlyphs (SVG tspan)
Keywords: verifyme
Whiteboard: [adv-track-main17+]
Alias: CVE-2012-4211
Whiteboard: [adv-track-main17+] → [adv-track-main17-]
Confirmed crash on build 2012-7-22, nightly
Verified fixed on build 2012-11-13, 17.0b6
Verified fixed on build 2012-11-19, 17.0esr
Status: RESOLVED → VERIFIED
Group: core-security
Flags: sec-bounty-