Closed Bug 795734 Opened 8 years ago Closed 8 years ago

Out of bounds READ in nsRegion::Or

Categories

(Core :: SVG, defect)

x86_64
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 + fixed
firefox19 + fixed
firefox-esr10 --- unaffected

People

(Reporter: inferno, Assigned: jwatt)

References

Details

(6 keywords, Whiteboard: [asan][fix in bug 807213][adv-main18+])

Attachments

(4 files)

Attached file Testcase
Reproduces on trunk
=================================================================
==26893== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f0296c82090 at pc 0x7f02bcb74d01 bp 0x7fff904f2d10 sp 0x7fff904f2d08
READ of size 4 at 0x7f0296c82090 thread T0
    #0 0x7f02bcb74d00 in nsRegion::Or(nsRegion const&, nsRegion const&) src/gfx/src/nsRegion.cpp:776
    #1 0x7f02c2d6edac in nsSVGOuterSVGFrame::InvalidateSVG(nsRegion const&) src/layout/svg/nsSVGOuterSVGFrame.h:150
    #2 0x7f02c2dc5582 in nsSVGUtils::InvalidateBounds(nsIFrame*, bool, nsRect const*, unsigned int) src/layout/svg/nsSVGUtils.cpp:490
    #3 0x7f02c2dc6043 in nsSVGUtils::InvalidateAndScheduleReflowSVG(nsIFrame*) src/layout/svg/nsSVGUtils.cpp:572
    #4 0x7f02c2c8a9f9 in nsSVGMarkerProperty::DoUpdate() src/layout/svg/nsSVGEffects.cpp:282
    #5 0x7f02c2c898f6 in nsSVGRenderingObserver::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int, nsIContent*) src/layout/svg/nsSVGEffects.cpp:223
    #6 0x7f02bed8ffe9 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, int, nsIContent*) src/content/base/src/nsNodeUtils.cpp:177
    #7 0x7f02beceb2c4 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1364
    #8 0x7f02bf023e0c in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:1008
    #9 0x7f02becd3a47 in nsINode::RemoveChild(nsINode*) src/content/base/src/nsINode.cpp:455
    #10 0x7f02c3d75681 in nsIDOMNode_RemoveChild(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:5476
    #11 0x7f02cf194d9f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:370
    #12 0x7f02cf136b79 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2460
    #13 0x7f02cf082aee in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:324
    #14 0x7f02cf1a2566 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:509
    #15 0x7f02cf1a42fb in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:546
    #16 0x7f02ce8b7289 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5679
    #17 0x7f02c0bcedee in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1506
    #18 0x7f02c0d87b76 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9621
    #19 0x7f02c0d3f6c4 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9880
    #20 0x7f02c0d85a28 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10147
    #21 0x7f02c88fc972 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:473
    #22 0x7f02c88fde7a in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #23 0x7f02c88c1580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #24 0x7f02c8553ecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #25 0x7f02c6f9da1d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:117
    #26 0x7f02c8b79e11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #27 0x7f02c8b79c46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #28 0x7f02c8b79b2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #29 0x7f02c6444dda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #30 0x7f02c50779b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #31 0x7f02bb6eaa4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
    #32 0x7f02bb6f08c5 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3848
    #33 0x7f02bb6f3774 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3923
    #34 0x40d013 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #35 0x40a755 in main src/browser/app/nsBrowserApp.cpp:279
    #36 0x7f02d95e8c4c in ?? ??:0
0x7f0296c82090 is located 16 bytes to the right of 8192-byte region [0x7f0296c80080,0x7f0296c82080)
allocated by thread T0 here:
    #0 0x4c4bb0 in __interceptor_malloc ??:0
    #1 0x7f02d8636fc1 in PR_Malloc src/nsprpub/pr/src/malloc/prmem.c:435
    #2 0x7f02d7d69bb5 in PL_ArenaAllocate src/nsprpub/lib/ds/plarena.c:200
    #3 0x7f02bd13cbd0 in nsPresArena::State::Allocate(unsigned int, unsigned long) src/layout/base/nsPresArena.cpp:342
    #4 0x7f02bd13dada in nsPresArena::AllocateByFrameID(nsQueryFrame::FrameIID, unsigned long) src/layout/base/nsPresArena.cpp:512
    #5 0x7f02bd32e5c0 in nsIPresShell::AllocateFrame(nsQueryFrame::FrameIID, unsigned long) src/layout/svg/../base/nsIPresShell.h:202
    #6 0x7f02be3f53ff in nsScrollbarButtonFrame::operator new(unsigned long, nsIPresShell*) src/layout/xul/base/src/nsScrollbarButtonFrame.cpp:39
    #7 0x7f02be3f51ce in NS_NewScrollbarButtonFrame(nsIPresShell*, nsStyleContext*) src/layout/xul/base/src/nsScrollbarButtonFrame.cpp:36
    #8 0x7f02bcd6c4a7 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3623
    #9 0x7f02bcd84fd9 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5555
    #10 0x7f02bcd3d4db in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9818
    #11 0x7f02bcd3f9f4 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:9962
    #12 0x7f02bcd6edc2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3748
    #13 0x7f02bcd84fd9 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5555
    #14 0x7f02bcd739f1 in nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5068
    #15 0x7f02bcd6067c in nsCSSFrameConstructor::CreateAnonymousFrames(nsFrameConstructorState&, nsIContent*, nsIFrame*, PendingBinding*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3865
    #16 0x7f02bcd57416 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, nsIAtom*, bool, nsIFrame*&) src/layout/base/nsCSSFrameConstructor.cpp:4244
    #17 0x7f02bcd4ebde in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:2763
    #18 0x7f02bcd49bc5 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*, nsIFrame**) src/layout/base/nsCSSFrameConstructor.cpp:2304
    #19 0x7f02bcd9f887 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) src/layout/base/nsCSSFrameConstructor.cpp:6964
    #20 0x7f02bcd9c33e in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) src/layout/base/nsCSSFrameConstructor.cpp:6849
    #21 0x7f02bd1c5e9f in PresShell::Initialize(int, int) src/layout/base/nsPresShell.cpp:1689
    #22 0x7f02be7ebce9 in nsContentSink::StartLayout(bool) src/content/base/src/nsContentSink.cpp:1181
    #23 0x7f02c1f4d64e in nsHtml5TreeOpExecutor::StartLayout() src/parser/html/nsHtml5TreeOpExecutor.cpp:744
    #24 0x7f02c1f309f2 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:631
Shadow byte and word:
  0x1fe052d90412: fa
  0x1fe052d90410: fa fa fa fa fa fa fa fa
More shadow bytes:
  0x1fe052d903f0: 00 00 00 00 00 00 00 00
  0x1fe052d903f8: 00 00 00 00 00 00 00 00
  0x1fe052d90400: 00 00 00 00 00 00 00 00
  0x1fe052d90408: 00 00 00 00 00 00 00 00
=>0x1fe052d90410: fa fa fa fa fa fa fa fa
  0x1fe052d90418: fa fa fa fa fa fa fa fa
  0x1fe052d90420: fa fa fa fa fa fa fa fa
  0x1fe052d90428: fa fa fa fa fa fa fa fa
  0x1fe052d90430: fa fa fa fa fa fa fa fa
Stats: 241M malloced (265M for red zones) by 401391 calls
Stats: 41M realloced by 23511 calls
Stats: 213M freed by 282141 calls
Stats: 79M really freed by 201165 calls
Stats: 468M (119893 full pages) mmaped in 117 calls
  mmaps   by size class: 8:311277; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:256; 16:1024; 17:1248; 18:128; 19:40; 20:20;
  mallocs by size class: 8:336578; 9:32473; 10:8076; 11:15816; 12:2271; 13:1709; 14:1445; 15:331; 16:1173; 17:1311; 18:148; 19:40; 20:20;
  frees   by size class: 8:233306; 9:24000; 10:5004; 11:12793; 12:1486; 13:1426; 14:1266; 15:290; 16:1115; 17:1295; 18:105; 19:38; 20:17;
  rfrees  by size class: 8:180637; 9:7797; 10:1702; 11:8272; 12:534; 13:457; 14:394; 15:176; 16:930; 17:237; 18:24; 19:4; 20:1;
Stats: malloc large: 1519 small slow: 2174
==26893== ABORTING
Attached file Testcase
This looks like a new regression, that is hitting a crazy lot.

=================================================================
==27385== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f89bcae8190 at pc 0x7f89e6f68cff bp 0x7fffa9454750 sp 0x7fffa9454748
READ of size 8 at 0x7f89bcae8190 thread T0
    #0 0x7f89e6f68cfe in nsRegion::RgnRect::RgnRect(nsRegion::RgnRect const&) /usr/local/google/home/aarya/firefox/src/gfx/src/nsRegion.h:48
    #1 0x7f89e6f318bb in nsRegion::RgnRect::RgnRect(nsRegion::RgnRect const&) /usr/local/google/home/aarya/firefox/src/gfx/src/nsRegion.h:48
    #2 0x7f89e6f301a6 in nsRegion::Merge(nsRegion const&, nsRegion const&) /usr/local/google/home/aarya/firefox/src/gfx/src/nsRegion.cpp:526
    #3 0x7f89e6f37f91 in nsRegion::Or(nsRegion const&, nsRegion const&) /usr/local/google/home/aarya/firefox/src/gfx/src/nsRegion.cpp:784
    #4 0x7f89ed131dac in nsSVGOuterSVGFrame::InvalidateSVG(nsRegion const&) /usr/local/google/home/aarya/firefox/src/layout/svg/nsSVGOuterSVGFrame.h:150
A Linux64 debug build aborts the 1st test with:
###!!! ABORT: Passed bad frame!: 'aFrame->IsFrameOfType(nsIFrame::eSVG) && !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)', file layout/svg/nsSVGUtils.cpp, line 385
Attached file stack for 2nd testcase
Same abort for the 2nd testcase.
Looks similar to bug 792857.  Once that bug is fixed we should investigate
if the assertions in the 1st test is a separate problem:
###!!! ASSERTION: Shouldn't be trying to restyle non-elements directly: '!aContent || aContent->IsElement()', file layout/base/nsStyleChangeList.cpp, line 65
###!!! ASSERTION: aFrame's content should be an element: 'aFrame->GetContent()->IsElement()', file layout/svg/nsSVGEffects.cpp, line 480
Severity: normal → critical
Component: General → SVG
Depends on: CVE-2012-5836
Product: Firefox → Core
Whiteboard: [asan]
Version: Trunk → unspecified
I think this and https://bugzilla.mozilla.org/show_bug.cgi?id=795740 and many other different stacks i am seeing all have svg markers in common. I think something regressed there really badly and crashing all over the place.
Abhishek: we did land "DBLI" that has regressed a bunch of stuff since late September -- that explains some of these bugs, but not ones like bug 792857 that existed in Firefox 15 (and maybe before?)
(In reply to Daniel Veditz [:dveditz] from comment #6)
> Abhishek: we did land "DBLI" that has regressed a bunch of stuff since late
> September -- that explains some of these bugs, but not ones like bug 792857
> that existed in Firefox 15 (and maybe before?)

Sorry, what is DBLI ? Yes, all these regressions were new, in fact, i had to disable svg markers to turn the noise down.
DLBI is bug 539356.

This stack looks very similar to the one in bug 798010, and the timing for this one is right for it to also be a regression from dlbi, so it could be dupe of this one. The second test case here looks vaguely similar
Assignee: nobody → jwatt
Actually we don't know that 17 is unaffected yet
No longer blocks: dlbi
Keywords: regression
(In reply to Andrew McCreight [:mccr8] from comment #8)
> This stack looks very similar to the one in bug 798010, and the timing for
> this one is right for it to also be a regression from dlbi

Or a pre-existing issue that is more likely to happen because dlbi changed the order or timing of something...
I have a fix for this in bug 807213.
Whiteboard: [asan] → [asan][fix in bug 807213]
The fix in bug 807213 has now landed for 19, 18 and 17.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Is 16 unaffected by this bug?
Whiteboard: [asan][fix in bug 807213] → [asan][fix in bug 807213][adv-track-main17+]
Flags: sec-bounty?
Summary: Heap-buffer-overflow in nsRegion::Or → Out of bounds READ in nsRegion::Or
(In reply to Al Billings [:abillings] from comment #14)
> Is 16 unaffected by this bug?

yes.
This bug qualifies for a security bug bounty.
Depends on: 807213
No longer depends on: CVE-2012-5836
Flags: sec-bounty? → sec-bounty+
Duplicate of this bug: 795740
Duplicate of this bug: 798010
Whiteboard: [asan][fix in bug 807213][adv-track-main17+] → [asan][fix in bug 807213][adv-main17+]
Whiteboard: [asan][fix in bug 807213][adv-main17+] → [asan][fix in bug 807213][adv-main18+]
Alias: CVE-2013-0764
Duplicate of this bug: 802638
Alias: CVE-2013-0764
Group: core-security
Blocks: dlbi
Keywords: regression
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.