780959 - Heap-buffer-overflow in BuildTextRunsScanner::FindBoundaries

Status: RESOLVED FIXED

(Core :: Layout: Text and Fonts, defect)

Description

[Abhishek Arya]

Attachment: Testcase

Reproduces on trunk

=================================================================
==24623== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fb32ee4ff06 at pc 0x7fb351ca9c75 bp 0x7fffb4177a70 sp 0x7fffb4177a68
READ of size 1 at 0x7fb32ee4ff06 thread T0
    #0 0x7fb351ca9c75 in TextContainsLineBreakerWhiteSpace(void const*, unsigned int, bool) layout/generic/nsTextFrameThebes.cpp:978
    #1 0x7fb351ca66bc in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) layout/generic/nsTextFrameThebes.cpp:1092
    #2 0x7fb351ca6ab5 in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) layout/generic/nsTextFrameThebes.cpp:1111
    #3 0x7fb351ca6ab5 in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) layout/generic/nsTextFrameThebes.cpp:1111
    #4 0x7fb351ca6ab5 in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) layout/generic/nsTextFrameThebes.cpp:1111
    #5 0x7fb351ca6ab5 in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) layout/generic/nsTextFrameThebes.cpp:1111
    #6 0x7fb351ca6ab5 in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) layout/generic/nsTextFrameThebes.cpp:1111
    #7 0x7fb351ca6ab5 in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) layout/generic/nsTextFrameThebes.cpp:1111
    #8 0x7fb351cd0061 in BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) layout/generic/nsTextFrameThebes.cpp:1240
    #9 0x7fb351ccc6b4 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) layout/generic/nsTextFrameThebes.cpp:2431
    #10 0x7fb351d40968 in nsTextFrame::AddInlineMinWidthForFlow(nsRenderingContext*, nsIFrame::InlineMinWidthData*, nsTextFrame::TextRunType) layout/generic/nsTextFrameThebes.cpp:6705
    #11 0x7fb351d47a78 in nsTextFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) layout/generic/nsTextFrameThebes.cpp:6861
    #12 0x7fb3518b5a85 in nsContainerFrame::DoInlineIntrinsicWidth(nsRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) layout/generic/nsContainerFrame.cpp:854
    #13 0x7fb351b28cd6 in nsInlineFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) layout/generic/nsInlineFrame.cpp:191
    #14 0x7fb3518b5a85 in nsContainerFrame::DoInlineIntrinsicWidth(nsRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) layout/generic/nsContainerFrame.cpp:854
    #15 0x7fb351b28cd6 in nsInlineFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) layout/generic/nsInlineFrame.cpp:191
    #16 0x7fb3518b5a85 in nsContainerFrame::DoInlineIntrinsicWidth(nsRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) layout/generic/nsContainerFrame.cpp:854
    #17 0x7fb351b28cd6 in nsInlineFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) layout/generic/nsInlineFrame.cpp:191
    #18 0x7fb3518b5a85 in nsContainerFrame::DoInlineIntrinsicWidth(nsRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) layout/generic/nsContainerFrame.cpp:854
    #19 0x7fb351b28cd6 in nsInlineFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) layout/generic/nsInlineFrame.cpp:191
    #20 0x7fb3518b5a85 in nsContainerFrame::DoInlineIntrinsicWidth(nsRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) layout/generic/nsContainerFrame.cpp:854
    #21 0x7fb351b28cd6 in nsInlineFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) layout/generic/nsInlineFrame.cpp:191
    #22 0x7fb3518b5a85 in nsContainerFrame::DoInlineIntrinsicWidth(nsRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) layout/generic/nsContainerFrame.cpp:854
    #23 0x7fb351b28cd6 in nsInlineFrame::AddInlineMinWidth(nsRenderingContext*, nsIFrame::InlineMinWidthData*) layout/generic/nsInlineFrame.cpp:191
    #24 0x7fb3517c1504 in nsBlockFrame::GetMinWidth(nsRenderingContext*) layout/generic/nsBlockFrame.cpp:755
    #25 0x7fb3514458a3 in nsLayoutUtils::IntrinsicForContainer(nsRenderingContext*, nsIFrame*, nsLayoutUtils::IntrinsicWidthType) layout/base/nsLayoutUtils.cpp:2520
    #26 0x7fb35256a7d0 in nsTableCellFrame::GetMinWidth(nsRenderingContext*) layout/tables/nsTableCellFrame.cpp:707
    #27 0x7fb3524e0265 in GetWidthInfo(nsRenderingContext*, nsIFrame*, bool) layout/tables/BasicTableLayoutStrategy.cpp:92
    #28 0x7fb3524d22e6 in GetCellWidthInfo(nsRenderingContext*, nsTableCellFrame*) layout/tables/BasicTableLayoutStrategy.cpp:249
    #29 0x7fb3524ce4cb in BasicTableLayoutStrategy::ComputeColumnIntrinsicWidths(nsRenderingContext*) layout/tables/BasicTableLayoutStrategy.cpp:320
    #30 0x7fb3524caae3 in BasicTableLayoutStrategy::ComputeIntrinsicWidths(nsRenderingContext*) layout/tables/BasicTableLayoutStrategy.cpp:432
    #31 0x7fb3524ca61d in BasicTableLayoutStrategy::GetMinWidth(nsRenderingContext*) layout/tables/BasicTableLayoutStrategy.cpp:44
    #32 0x7fb3525a9885 in nsTableFrame::GetMinWidth(nsRenderingContext*) layout/tables/nsTableFrame.cpp:1439
    #33 0x7fb3525bf43d in nsTableFrame::TableShrinkWidthToFit(nsRenderingContext*, int) layout/tables/nsTableFrame.cpp:1504
    #34 0x7fb3525c012d in nsTableFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) layout/tables/nsTableFrame.cpp:1535
    #35 0x7fb35193c10e in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) layout/generic/nsFrame.cpp:3864
    #36 0x7fb3525be7ea in nsTableFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) layout/tables/nsTableFrame.cpp:1480
    #37 0x7fb3526574e9 in ChildShrinkWrapWidth(nsRenderingContext*, nsIFrame*, nsSize, int, int*) layout/tables/nsTableOuterFrame.cpp:515
    #38 0x7fb352654b97 in nsTableOuterFrame::ComputeAutoSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, bool) layout/tables/nsTableOuterFrame.cpp:543
    #39 0x7fb35193c10e in nsFrame::ComputeSize(nsRenderingContext*, nsSize, int, nsSize, nsSize, nsSize, unsigned int) layout/generic/nsFrame.cpp:3864
    #40 0x7fb351aa459a in nsHTMLReflowState::InitConstraints(nsPresContext*, int, int, nsMargin const*, nsMargin const*, nsIAtom*) layout/generic/nsHTMLReflowState.cpp:2005
    #41 0x7fb351a98fad in nsHTMLReflowState::Init(nsPresContext*, int, int, nsMargin const*, nsMargin const*) layout/generic/nsHTMLReflowState.cpp:298
    #42 0x7fb351a9b137 in nsHTMLReflowState layout/generic/nsHTMLReflowState.cpp:187
    #43 0x7fb3517f5ad8 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3066
    #44 0x7fb3517ecd46 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2516
    #45 0x7fb3517d2571 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2022
    #46 0x7fb3517c593f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1071
    #47 0x7fb351856c9b in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:268
    #48 0x7fb3517f7657 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3208
    #49 0x7fb3517ecd46 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2516
    #50 0x7fb3517d2571 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2022
    #51 0x7fb3517c593f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1071
    #52 0x7fb351856c9b in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:268
    #53 0x7fb3517f7657 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3208
    #54 0x7fb3517ecd46 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2516
    #55 0x7fb3517d2571 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2022
    #56 0x7fb3517c593f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1071
    #57 0x7fb3518b8537 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:947
    #58 0x7fb351a8f627 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:467
    #59 0x7fb3518b8537 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:947
    #60 0x7fb351a04f88 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:523
    #61 0x7fb351a0aa7a in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:623
    #62 0x7fb351a0ed9f in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:864
    #63 0x7fb3518b8537 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:947
0x7fb32ee4ff06 is located 0 bytes to the right of 134-byte region [0x7fb32ee4fe80,0x7fb32ee4ff06)
allocated by thread T0 here:
    #0 0x4a4452 in __interceptor_malloc ??:0
    #1 0x7fb369b32717 in moz_xmalloc memory/mozalloc/mozalloc.cpp:57
    #2 0x7fb35c8eeef3 in NS_Alloc_P xpcom/base/nsMemoryImpl.cpp:163
    #3 0x7fb34fc0c533 in nsMemory::Alloc(unsigned long) ../../dist/include/nsMemory.h:36
    #4 0x7fb3531ea3cb in nsTextFragment::SetTo(unsigned short const*, int, bool) content/base/src/nsTextFragment.cpp:264
    #5 0x7fb352f8c103 in nsGenericDOMDataNode::SetTextInternal(unsigned int, unsigned int, unsigned short const*, unsigned int, bool, CharacterDataChangeInfo::Details*) content/base/src/nsGenericDOMDataNode.cpp:308
    #6 0x7fb352f9aca9 in nsGenericDOMDataNode::SetText(unsigned short const*, unsigned int, bool) content/base/src/nsGenericDOMDataNode.cpp:850
    #7 0x7fb3561fb8c2 in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) parser/html/nsHtml5TreeOperation.cpp:165
    #8 0x7fb35620524e in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) parser/html/nsHtml5TreeOperation.cpp:444
    #9 0x7fb356224026 in nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp:567
    #10 0x7fb356233705 in nsHtml5ExecutorReflusher::Run() parser/html/nsHtml5TreeOpExecutor.cpp:66
    #11 0x7fb35c86dbfd in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:625
    #12 0x7fb35c4fc46d in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #13 0x7fb35b3b1e96 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #14 0x7fb35cb2170a in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:209
    #15 0x7fb35cb21553 in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:202
    #16 0x7fb35cb21438 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:176
    #17 0x7fb35a865f1e in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:165
    #18 0x7fb3594b0b38 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:271
    #19 0x7fb34fab1f60 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3798
    #20 0x7fb34fab8902 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3875
    #21 0x7fb34fabbdd2 in XRE_main toolkit/xre/nsAppRunner.cpp:3951
    #22 0x40c28f in do_main(int, char**) browser/app/nsBrowserApp.cpp:174
    #23 0x409cbd in main browser/app/nsBrowserApp.cpp:279
==24623== ABORTING
Stats: 83M malloced (123M for red zones) by 345462 calls
Stats: 4M realloced by 19674 calls
Stats: 60M freed by 216073 calls
Stats: 0M really freed by 0 calls
Stats: 232M (59420 full pages) mmaped in 58 calls
  mmaps   by size class: 8:311277; 9:32764; 10:12285; 11:8188; 12:2048; 13:1536; 14:512; 15:256; 16:512; 17:96; 18:96; 19:8; 20:4;
  mallocs by size class: 8:299824; 9:25280; 10:9735; 11:6534; 12:1589; 13:1202; 14:493; 15:139; 16:466; 17:95; 18:96; 19:5; 20:4;
  frees   by size class: 8:186007; 9:16809; 10:6694; 11:3713; 12:973; 13:891; 14:292; 15:110; 16:407; 17:88; 18:84; 19:3; 20:2;
  rfrees  by size class:
Stats: malloc large: 200 small slow: 1355
Shadow byte and word:
  0x1ff665dc9fe0: 6
  0x1ff665dc9fe0: 06 fb fb fb fb fb fb fb
More shadow bytes:
  0x1ff665dc9fc0: fa fa fa fa fa fa fa fa
  0x1ff665dc9fc8: fa fa fa fa fa fa fa fa
  0x1ff665dc9fd0: 00 00 00 00 00 00 00 00
  0x1ff665dc9fd8: 00 00 00 00 00 00 00 00
=>0x1ff665dc9fe0: 06 fb fb fb fb fb fb fb
  0x1ff665dc9fe8: fb fb fb fb fb fb fb fb
  0x1ff665dc9ff0: fa fa fa fa fa fa fa fa
  0x1ff665dc9ff8: fa fa fa fa fa fa fa fa
  0x1ff665dca000: fa fa fa fa fa fa fa fa

Comment 1

[Mats Palmgren (inactive)]

The wallpaper in bug 769303 fixes it in my local Linux64 asan debug build,
so it's probably the same underlying bug.

Comment 2

[David Bolter [:davidb] (NeedInfo me for attention)]

Thanks Mats. It sounds like there is a plan formulating in that bug - do we know who will implement it?

Comment 3

[Jonathan Kew [:jfkthame]]

We should re-test this now that the patch in bug 769303 has landed, and confirm whether that has fixed the problem.

Comment 4

[Mats Palmgren (inactive)]

I can't reproduce the crash anymore; resolving as fixed by bug 769303.

Comment 5

[Al Billings [:abillings - ex-MoCo]]

Sorry, for the CVE changes. I've decided not to assign a separate CVE since this turns out to be the same underlying issue as bug 769303.

Comment 6

[u279076]

There appears to be plug-in content in the testcase. Does this require a specific plugin/version?

Comment 7

[Mats Palmgren (inactive)]

I can reproduce the ASAN failure without any plug-in at all
in a Linux64 debug (asan) build.  Looking at the test
source: "<embed type=application/l10n>"  I think this is
just a nonsense tag anyway.

The test needs to run a couple of minutes for it to happen.
Resizing the window width seems to make it crash faster.

Comment 8

[u279076]

(In reply to Mats Palmgren [:mats] from comment #7)
> I can reproduce the ASAN failure without any plug-in at all
> in a Linux64 debug (asan) build.  Looking at the test
> source: "<embed type=application/l10n>"  I think this is
> just a nonsense tag anyway.
> 
> The test needs to run a couple of minutes for it to happen.
> Resizing the window width seems to make it crash faster.

Mats, can you please confirm the changeset ID for the build you are reproducing this with so I can use the same?

Comment 9

[Mats Palmgren (inactive)]

Sorry, I don't know the exact rev. but it was most likely up-to-date
at the time of the comment.