Closed
Bug 795740
Opened 12 years ago
Closed 12 years ago
Heap-buffer-overflow in nsMappedAttributes::GetAttr
Categories
(Core :: SVG, defect)
Tracking
RESOLVED
DUPLICATE
of bug 795734
Branch | Tracking | Status
---|---|---
firefox16 | --- | unaffected
firefox17 | --- | unaffected
firefox18 | + | fixed
firefox19 | + | fixed
firefox-esr10 | - | unaffected
People
(Reporter: inferno, Assigned: jwatt)
References
Details
(6 keywords, Whiteboard: [asan][fix in bug 807213][adv-main18-])
Attachments
(2 files)
Description

Reproduces on trunk.

=================================================================
==30432== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fce25491bb0 at pc 0x7fce50e73144 bp 0x7fff374f4370 sp 0x7fff374f4368
READ of size 8 at 0x7fce25491bb0 thread T0
    #0 0x7fce50e73143 in nsAttrName::Equals(nsIAtom*) const src/content/base/src/nsAttrName.h:107
    #1 0x7fce514afb59 in nsMappedAttributes::GetAttr(nsIAtom*) const src/content/base/src/nsMappedAttributes.cpp:112
    #2 0x7fce50e72546 in nsAttrAndChildArray::GetAttr(nsIAtom*, int) const src/content/base/src/nsAttrAndChildArray.cpp:308
    #3 0x7fce513e8ba7 in nsGenericElement::AttrValueIs(int, nsIAtom*, nsAString_internal const&, nsCaseTreatment) const src/content/base/src/nsGenericElement.cpp:2180
    #4 0x7fce5437f54c in nsEditor::IsMozEditorBogusNode(nsIContent*) src/editor/libeditor/base/nsEditor.cpp:3752
    #5 0x7fce542deb6d in nsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) src/editor/libeditor/text/nsTextEditRules.cpp:1105
    #6 0x7fce54a4b38f in nsHTMLEditRules::DocumentModifiedWorker() src/editor/libeditor/html/nsHTMLEditRules.cpp:8850
    #7 0x7fce54a4c35e in nsRunnableMethodImpl<void (nsHTMLEditRules::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:349
    #8 0x7fce50feac4c in nsContentUtils::RemoveScriptBlocker() src/content/base/src/nsContentUtils.cpp:5021
    #9 0x7fce4f55b35e in ~nsAutoScriptBlocker src/../../../dist/include/nsContentUtils.h:2275
    #10 0x7fce4f5450a6 in ~nsAutoScriptBlocker src/../../../dist/include/nsContentUtils.h:2274
    #11 0x7fce51205af5 in nsDocument::AdoptNode(nsIDOMNode*, nsIDOMNode**) src/content/base/src/nsDocument.cpp:6371
    #12 0x7fce56486cd6 in nsIDOMDocument_AdoptNode(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:3452
    #13 0x7fce618efd9f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:370
    #14 0x7fce61891b79 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2460
    #15 0x7fce617ddaee in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:324
    #16 0x7fce618fd566 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:509
    #17 0x7fce618ff2fb in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:546
    #18 0x7fce61012289 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5679
    #19 0x7fce53329dee in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1506
    #20 0x7fce534e2b76 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9621
    #21 0x7fce5349a6c4 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9880
    #22 0x7fce534e0a28 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10147
    #23 0x7fce5b057972 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:473
    #24 0x7fce5b058e7a in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #25 0x7fce5b01c580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #26 0x7fce5acaeecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #27 0x7fce596f83b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #28 0x7fce5b2d4e11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #29 0x7fce5b2d4c46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #30 0x7fce5b2d4b2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #31 0x7fce58b9fdda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #32 0x7fce577d29b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #33 0x7fce4de45a4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
    #34 0x7fce4de4b8c5 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3848
    #35 0x7fce4de4e774 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3923
    #36 0x40d013 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #37 0x40a755 in main src/browser/app/nsBrowserApp.cpp:279
    #38 0x7fce6bd43c4c in ?? ??:0
0x7fce25491bb0 is located 0 bytes to the right of 48-byte region [0x7fce25491b80,0x7fce25491bb0)
allocated by thread T0 here:
    #0 0x4c4bb0 in __interceptor_malloc ??:0
    #1 0x7fce68bcf6da in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7fce514adde9 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fce514adad7 in nsMappedAttributes::Clone(bool) src/content/base/src/nsMappedAttributes.cpp:59
    #4 0x7fce50e79a9c in nsAttrAndChildArray::GetModifiableMapped(nsMappedAttributeElement*, nsHTMLStyleSheet*, bool) src/content/base/src/nsAttrAndChildArray.cpp:698
    #5 0x7fce50e7e00d in nsAttrAndChildArray::DoSetMappedAttrStyleSheet(nsHTMLStyleSheet*) src/content/base/src/nsAttrAndChildArray.cpp:582
    #6 0x7fce513d6792 in nsAttrAndChildArray::SetMappedAttrStyleSheet(nsHTMLStyleSheet*) src/content/base/src/nsAttrAndChildArray.h:103
    #7 0x7fce513d44a7 in nsGenericElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/base/src/nsGenericElement.cpp:1429
    #8 0x7fce52234a18 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:1717
    #9 0x7fce51443e7d in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1305
    #10 0x7fce5177e9fa in mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent*, unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:998
    #11 0x7fce4f3a9abd in nsINode::AppendChildTo(nsIContent*, bool) src/../../../dist/include/nsINode.h:546
    #12 0x7fce5467bed0 in nsHtml5TreeOperation::Append(nsIContent*, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:184
    #13 0x7fce5467ff55 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:233
    #14 0x7fce546a2b75 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:564
    #15 0x7fce546df259 in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
    #16 0x7fce5b01c580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #17 0x7fce5acaeecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #18 0x7fce596f83b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #19 0x7fce5b2d4e11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #20 0x7fce5b2d4c46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #21 0x7fce5b2d4b2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #22 0x7fce58b9fdda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #23 0x7fce577d29b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #24 0x7fce4de45a4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
Shadow byte and word:
  0x1ff9c4a92376: fb
  0x1ff9c4a92370: 00 00 00 00 00 00 fb fb
More shadow bytes:
  0x1ff9c4a92350: 00 00 00 00 00 00 fb fb
  0x1ff9c4a92358: fb fb fb fb fb fb fb fb
  0x1ff9c4a92360: fa fa fa fa fa fa fa fa
  0x1ff9c4a92368: fa fa fa fa fa fa fa fa
=>0x1ff9c4a92370: 00 00 00 00 00 00 fb fb
  0x1ff9c4a92378: fb fb fb fb fb fb fb fb
  0x1ff9c4a92380: fa fa fa fa fa fa fa fa
  0x1ff9c4a92388: fa fa fa fa fa fa fa fa
  0x1ff9c4a92390: 00 00 00 00 00 00 fb fb
Stats: 248M malloced (291M for red zones) by 513062 calls
Stats: 42M realloced by 23898 calls
Stats: 215M freed by 285981 calls
Stats: 82M really freed by 202117 calls
Stats: 472M (120918 full pages) mmaped in 118 calls
  mmaps   by size class: 8:311277; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:256; 16:1024; 17:1248; 18:144; 19:40; 20:20;
  mallocs by size class: 8:446029; 9:33587; 10:8439; 11:16310; 12:2367; 13:1796; 14:1471; 15:340; 16:1191; 17:1317; 18:154; 19:41; 20:20;
  frees   by size class: 8:235584; 9:24655; 10:5273; 11:13220; 12:1573; 13:1503; 14:1288; 15:297; 16:1128; 17:1300; 18:105; 19:38; 20:17;
  rfrees  by size class: 8:180868; 9:8332; 10:1728; 11:8347; 12:548; 13:471; 14:415; 15:177; 16:931; 17:271; 18:24; 19:4; 20:1;
Stats: malloc large: 1532 small slow: 2427
==30432== ABORTING
Comment 1•12 years ago
A Linux64 debug build aborts the test with:

###!!! ABORT: Passed bad frame!: 'aFrame->IsFrameOfType(nsIFrame::eSVG) && !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)', file layout/svg/nsSVGUtils.cpp, line 385
Comment 2•12 years ago
Looks similar to bug 792857.
Severity: normal → critical
Component: General → SVG
Depends on: CVE-2012-5836
Product: Firefox → Core
Whiteboard: [asan]
Reporter
Comment 3•12 years ago
Can I be cced on 792857?
Updated•12 years ago
Keywords: sec-critical
Updated•12 years ago
Assignee: nobody → jwatt
Updated•12 years ago
status-firefox18: --- → affected
status-firefox19: --- → affected
tracking-firefox18: --- → +
tracking-firefox19: --- → +
Assignee
Comment 4•12 years ago
I have a fix for this in bug 807213.
Whiteboard: [asan] → [asan][fix in bug 807213]
Assignee
Comment 5•12 years ago
The fix in bug 807213 has now landed for 19, 18 and 17.
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox17: --- → fixed
Flags: in-testsuite?
Keywords: verifyme
Resolution: --- → FIXED
Comment 6•12 years ago
(In reply to Jonathan Watt [:jwatt] from comment #5)
> The fix in bug 807213 has now landed for 19, 18 and 17.

Is the ESR affected by this bug? If so, please prepare a patch and nominate for uplift.
status-firefox-esr10: --- → ?
tracking-firefox-esr10: --- → ?
Comment 7•12 years ago
(Matt will take a look at this along with 802638 to see if we can repro on ESR10)
QA Contact: mwobensmith
Comment 8•12 years ago
Is 16 affected by this or was this 17 and up only?
Whiteboard: [asan][fix in bug 807213] → [asan][fix in bug 807213][adv-track-main17+]
Assignee
Updated•12 years ago
Comment 9•12 years ago
Confirmed crash in 2012-9-30, nightly build 19.0a1
Confirmed fixed in 2012-11-6, nightly build 19.0a1
Confirmed NO crash in 2012-10-24, build 10.0.10esr
Mac 10.8.2, Windows 7 and Ubuntu 11.10
Updated•12 years ago
Comment 10•12 years ago
bug 807213 says 17 fixed and this one says 17 unaffected. Color me confused.
Assignee
Comment 11•12 years ago
It was checked in on 17 since, although this bug may not be reproducible on 17, there's the potential for the underlying issue fixed in bug 807213 to be exploitable in other (currently unknown) ways.
Comment 12•12 years ago
This bug is essentially a duplicate of bug 795734, or at least both stem from the same cause: using a frame as the wrong type without checking. Checking in a testcase for this manifestation would still be useful.
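As an added illustration of the bug class named in comment 12 (this is not Gecko code and not a patch for this bug; Frame, SVGFrame, eSVG, kStateIsOuterSVG and the accessor names are hypothetical stand-ins modelled on the IsFrameOfType / NS_STATE_IS_OUTER_SVG predicate quoted in the comment 1 abort message), the C++ below contrasts the two patterns the comments describe: a precondition that lives only in a debug-time assertion, which a release build skips before casting, and the same predicate evaluated in every build so that a frame of the wrong type is reported to the caller rather than dereferenced as something it is not.

```cpp
// Added illustration, not Gecko code. Models the hazard behind this bug:
// a frame is handed to code that assumes it is an SVG frame. The names
// below are hypothetical stand-ins for nsIFrame::IsFrameOfType and
// NS_STATE_IS_OUTER_SVG from the debug-build abort quoted in comment 1.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum FrameTypeFlag : uint32_t { eBlock = 1u << 0, eSVG = 1u << 1 };
constexpr uint32_t kStateIsOuterSVG = 1u << 0;  // hypothetical state bit

struct Frame {
  virtual ~Frame() = default;
  // True only if the frame is of every type named in aFlags.
  virtual bool IsFrameOfType(uint32_t aFlags) const = 0;
  uint32_t GetStateBits() const { return mState; }
  uint32_t mState = 0;
};

struct BlockFrame : Frame {
  bool IsFrameOfType(uint32_t aFlags) const override {
    return (aFlags & ~uint32_t(eBlock)) == 0;
  }
};

struct SVGFrame : Frame {
  bool IsFrameOfType(uint32_t aFlags) const override {
    return (aFlags & ~uint32_t(eSVG)) == 0;
  }
  // Storage only SVG frames carry. Reading it through a pointer that really
  // points at the smaller BlockFrame reads past that object, which is the
  // kind of access AddressSanitizer reports as a heap-buffer-overflow.
  double mViewBoxWidth = 100.0;
};

// Bug-class pattern: the precondition is documented by a debug-only assert.
// Built with -DNDEBUG the assert disappears and the cast is applied blindly.
SVGFrame* AsSVGFrameUnchecked(Frame* aFrame) {
  assert(aFrame->IsFrameOfType(eSVG) &&
         !(aFrame->GetStateBits() & kStateIsOuterSVG));
  return static_cast<SVGFrame*>(aFrame);
}

// Hardened pattern: the same predicate runs in every build, and a mismatch
// is returned to the caller (nullptr) instead of being assumed away.
SVGFrame* AsSVGFrameChecked(Frame* aFrame) {
  if (!aFrame || !aFrame->IsFrameOfType(eSVG) ||
      (aFrame->GetStateBits() & kStateIsOuterSVG)) {
    return nullptr;
  }
  return static_cast<SVGFrame*>(aFrame);
}

// A caller walking a mixed frame list: SVG-only state is touched only via the
// checked accessor, so non-SVG and outer-SVG frames are counted and skipped.
double SumSVGViewBoxWidths(const std::vector<Frame*>& aFrames,
                           std::size_t* aSkipped) {
  double total = 0.0;
  std::size_t skipped = 0;
  for (Frame* f : aFrames) {
    if (SVGFrame* svg = AsSVGFrameChecked(f)) {
      total += svg->mViewBoxWidth;
    } else {
      ++skipped;
    }
  }
  if (aSkipped) *aSkipped = skipped;
  return total;
}

int main() {
  BlockFrame block;          // constructed sample: not an SVG frame
  SVGFrame inner;            // constructed sample: usable SVG frame
  SVGFrame outer;            // constructed sample: outer SVG, excluded by the predicate
  outer.mState = kStateIsOuterSVG;
  std::vector<Frame*> frames{&block, &inner, &outer};
  std::size_t skipped = 0;
  double total = SumSVGViewBoxWidths(frames, &skipped);
  std::printf("usable viewBox width total=%.1f skipped=%zu\n", total, skipped);
  // The unchecked accessor is only ever applied here to a genuine SVG frame.
  std::printf("unchecked accessor on a real SVG frame ok=%d\n",
              AsSVGFrameUnchecked(&inner) == &inner);
  return 0;
}
```

The point for review of fixes in this class is the one jwatt makes in comment 11: a debug assertion documents the precondition but does not enforce it in shipping builds, so the type check has to be part of the release-build control flow, as in the checked accessor above.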
Updated•12 years ago
Whiteboard: [asan][fix in bug 807213][adv-track-main17+] → [asan][fix in bug 807213][adv-main18-]
Updated•12 years ago
Group: core-security
Updated•4 months ago
Keywords: reporter-external