Closed
Bug 832646
Opened 12 years ago
Closed 12 years ago
Crash on invalid address in CalculateUTF8Size::write
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
RESOLVED FIXED
Version | Tracking | Status
---|---|---
firefox20 | --- | unaffected
firefox21 | --- | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People
(Reporter: inferno, Assigned: bholley)
References
Details
(6 keywords, Whiteboard: [asan][sg:dupe 832435][adv-main21-])
Attachments
(1 file)
403 bytes, text/html
In debug, crashes on JS_ASSERT(JSVAL_IS_STRING(v));
In release, crashes here.
>==27012== ERROR: AddressSanitizer: SEGV on unknown address 0x7f12cb900000 (pc 0x7f130419120e sp 0x7ffff9db2cc0 bp 0x7ffff9db2f70 T0)
>AddressSanitizer can not provide additional info.
> #0 0x7f130419120d in CalculateUTF8Size::write(unsigned short const*, unsigned int) src/../../../dist/include/nsUTF8Utils.h:574
> #1 0x7f1304190d04 in nsCharSinkTraits<CalculateUTF8Size>::write(CalculateUTF8Size&, unsigned short const*, unsigned int) src/../../../dist/include/nsCharTraits.h:673
> #2 0x7f130417909a in CalculateUTF8Size& copy_string<nsReadingIterator<unsigned short>, CalculateUTF8Size>(nsReadingIterator<unsigned short> const&, nsReadingIterator<unsigned short> const&, CalculateUTF8Size&) src/../../../dist/include/nsAlgorithm.h:92
> #3 0x7f130417a81f in ToNewUTF8String(nsAString_internal const&, unsigned int*) src/xpcom/string/src/nsReadableUtils.cpp:266
> #4 0x7f12fb2d0124 in nsJSThunk::EvaluateScript(nsIChannel*, PopupControlState, unsigned int, nsPIDOMWindow*) src/dom/src/jsurl/nsJSProtocolHandler.cpp:369
> #5 0x7f12fb2db904 in nsJSChannel::EvaluateScript() src/dom/src/jsurl/nsJSProtocolHandler.cpp:731
> #6 0x7f12fb2f66b2 in nsRunnableMethodImpl<void (nsJSChannel::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
> #7 0x7f13040124cf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #8 0x7f1303c86e55 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #9 0x7f130109788c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #10 0x7f13043098e2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #11 0x7f1304309719 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #12 0x7f13043095ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #13 0x7f1300451a77 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #14 0x7f12fef5d425 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #15 0x7f12f41c5a04 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #16 0x7f12f41cb5ea in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #17 0x7f12f41ce3c0 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #18 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #19 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
> #20 0x7f13169f076c in
>==27012== ABORTING
Comment 1•12 years ago
Regression from bug 824864? This cset in particular: http://hg.mozilla.org/mozilla-central/diff/3cb7ad47f6d9/dom/src/jsurl/nsJSProtocolHandler.cpp changed 'result' from being 'nsString' to 'nsDependentJSString'. http://hg.mozilla.org/mozilla-central/annotate/01a8559f5560/dom/src/jsurl/nsJSProtocolHandler.cpp#l369
Severity: normal → critical
Component: General → DOM
Product: Firefox → Core
Whiteboard: [asan]
Blocks: 824864
Comment 2•12 years ago
Related to bug 832599 ?
Comment 3•12 years ago
Or bug 832435, about compartment mismatches with javascript: urls? There's a patch there, does it address this bug?
Assignee: nobody → bobbyholley+bmo
Flags: sec-bounty?
Comment 5•12 years ago
Presumably fixed now if it is a dupe -- needs verification.
Status: NEW → RESOLVED
Closed: 12 years ago
status-b2g18: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → fixed
status-firefox-esr17: --- → unaffected
Resolution: --- → FIXED
Whiteboard: [asan] → [asan][sg:dupe 832435]
Comment 6•12 years ago
non-qual for the bounty. ollie found 832435 a day before this one.
Flags: sec-bounty? → sec-bounty-
Updated•11 years ago
Whiteboard: [asan][sg:dupe 832435] → [asan][sg:dupe 832435][adv-main21-]
Updated•11 years ago
Group: core-security
Updated•5 years ago
Component: DOM → DOM: Core & HTML
Updated•1 month ago
Keywords: reporter-external