Bug 888264
Opened 11 years ago
Closed 11 years ago
Heap-use-after-free in mozilla::dom::HTMLFormElement::RemoveImageElement
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED DUPLICATE of bug 885539
People: Reporter: inferno, Unassigned
Keywords: csectype-uaf, sec-critical, verifyme
Attachments (1 file): 18.73 KB, text/html
==21835== ERROR: AddressSanitizer: heap-use-after-free on address 0x6048008a7188 at pc 0x7f570458217e bp 0x7fffd1f80f50 sp 0x7fffd1f80f48
READ of size 8 at 0x6048008a7188 thread T0
#0 0x7f570458217d in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyElements<mozilla::dom::HTMLImageElement*> >::Hdr() const ../../../../dist/include/nsTArray.h:499
#1 0x7f57045829d1 in nsTArray_Impl<mozilla::dom::HTMLImageElement*, nsTArrayInfallibleAllocator>::Elements() const ../../../../dist/include/nsTArray.h:860
#2 0x7f5704582485 in unsigned int nsTArray_Impl<mozilla::dom::HTMLImageElement*, nsTArrayInfallibleAllocator>::IndexOf<mozilla::dom::HTMLImageElement*, nsDefaultComparator<mozilla::dom::HTMLImageElement*, mozilla::dom::HTMLImageElement*> >(mozilla::dom::HTMLImageElement* const&, unsigned int, nsDefaultComparator<mozilla::dom::HTMLImageElement*, mozilla::dom::HTMLImageElement*> const&) const ../../../../dist/include/nsTArray.h:962
#3 0x7f570455b76f in unsigned int nsTArray_Impl<mozilla::dom::HTMLImageElement*, nsTArrayInfallibleAllocator>::IndexOf<mozilla::dom::HTMLImageElement*>(mozilla::dom::HTMLImageElement* const&, unsigned int) const ../../../../dist/include/nsTArray.h:978
#4 0x7f570455b28a in mozilla::dom::HTMLFormElement::RemoveImageElement(mozilla::dom::HTMLImageElement*) content/html/content/src/HTMLFormElement.cpp:2786
#5 0x7f5703ad265f in mozilla::dom::HTMLImageElement::ClearForm(bool) content/html/content/src/HTMLImageElement.cpp:676
#6 0x7f5702b7e3dc in nsNodeUtils::LastRelease(nsINode*) content/base/src/nsNodeUtils.cpp:223
#7 0x7f570235476a in mozilla::dom::FragmentOrElement::Release() content/base/src/FragmentOrElement.cpp:1706
#8 0x7f5703ac1bb5 in mozilla::dom::HTMLImageElement::Release() content/html/content/src/HTMLImageElement.cpp:65
#9 0x7f56fdd552e0 in nsCOMPtr_base::~nsCOMPtr_base() objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:450
#10 0x7f56fe354101 in nsCOMPtr<nsIContent>::~nsCOMPtr() ../../dist/include/nsCOMPtr.h:489
#11 0x7f56fe353ffe in nsCOMPtr<nsIContent>::~nsCOMPtr() ../../dist/include/nsCOMPtr.h:489
#12 0x7f56fe353efe in nsTArrayElementTraits<nsCOMPtr<nsIContent> >::Destruct(nsCOMPtr<nsIContent>*) ../../dist/include/nsTArray.h:535
#13 0x7f56fe351414 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::DestructRange(unsigned int, unsigned int) ../../dist/include/nsTArray.h:1536
#14 0x7f56fe350d63 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) ../../dist/include/nsTArray.h:1253
#15 0x7f56fe35065b in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::Clear() ../../dist/include/nsTArray.h:1264
#16 0x7f56fe372327 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() ../../dist/include/nsTArray.h:749
#17 0x7f56fe372221 in nsTArray<nsCOMPtr<nsIContent> >::~nsTArray() ../../dist/include/nsTArray.h:1609
#18 0x7f56fe34da4e in nsTArray<nsCOMPtr<nsIContent> >::~nsTArray() ../../dist/include/nsTArray.h:1609
#19 0x7f5706a30487 in nsHtml5TreeOpExecutor::~nsHtml5TreeOpExecutor() parser/html/nsHtml5TreeOpExecutor.cpp:91
#20 0x7f5706a2fd57 in nsHtml5TreeOpExecutor::~nsHtml5TreeOpExecutor() parser/html/nsHtml5TreeOpExecutor.cpp:77
#21 0x7f57024ac74f in nsContentSink::Release() content/base/src/nsContentSink.cpp:58
#22 0x7f5706a2efd5 in nsHtml5TreeOpExecutor::Release() parser/html/nsHtml5TreeOpExecutor.cpp:49
#23 0x7f57068f1360 in nsRefPtr<nsHtml5TreeOpExecutor>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:880
#24 0x7f57068e509e in nsRefPtr<nsHtml5TreeOpExecutor>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:878
#25 0x7f57068e4b77 in nsHtml5Parser::~nsHtml5Parser() parser/html/nsHtml5Parser.cpp:51
#26 0x7f57068e4797 in nsHtml5Parser::~nsHtml5Parser() parser/html/nsHtml5Parser.cpp:46
#27 0x7f57068e156f in nsHtml5Parser::Release() parser/html/nsHtml5Parser.cpp:20
#28 0x7f57069319f0 in nsRefPtr<nsHtml5Parser>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:880
#29 0x7f570690ff0e in nsRefPtr<nsHtml5Parser>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:878
#30 0x7f570690fc27 in nsHtml5StreamParser::~nsHtml5StreamParser() parser/html/nsHtml5StreamParser.cpp:220
#31 0x7f570690f847 in nsHtml5StreamParser::~nsHtml5StreamParser() parser/html/nsHtml5StreamParser.cpp:204
#32 0x7f570690a50f in nsHtml5StreamParser::Release() parser/html/nsHtml5StreamParser.cpp:73
#33 0x7f5706934c6e in nsHtml5RefPtrReleaser<nsHtml5StreamParser>::Run() parser/html/nsHtml5RefPtr.h:22
#34 0x7f570ee44bb7 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:626
#35 0x7f570eaaef12 in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
#36 0x7f5708e115c1 in nsXULWindow::ShowModal() xpfe/appshell/src/nsXULWindow.cpp:364
#37 0x7f5708dba527 in nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:523
#38 0x7f5708dba6d8 in non-virtual thunk to nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:524
#39 0x7f5708b9eb16 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1005
#40 0x7f5708b92e84 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
#41 0x7f570ef6e59b in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
#42 0x7f570846de60 in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:2804
#43 0x7f570846de60 in CallMethodHelper::Call() js/xpconnect/src/XPCWrappedNative.cpp:2142
#44 0x7f570846de60 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:2108
#45 0x7f57084c647f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1350
#46 0x7f571663367c in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:321
#47 0x7f571663367c in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:481
#48 0x7f5716612832 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2296
#49 0x7f57165c117e in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:438
#50 0x7f5716633d04 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:500
#51 0x7f5716637bff in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/vm/Interpreter.cpp:531
#52 0x7f5716c55cb8 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5755
#53 0x7f570842d5d5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1436
#54 0x7f57083f9c2b in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:589
#55 0x7f570ef73c44 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
#56 0x7f570ef70cfa in SharedStub
0x6048008a7188 is located 392 bytes inside of 504-byte region [0x6048008a7000,0x6048008a71f8)
freed by thread T0 here:
#0 0x41a9e2 in __interceptor_free
#1 0x7f571f9af6de in moz_free memory/mozalloc/mozalloc.cpp:48
#2 0x7f5704515e59 in operator delete(void*) ../../../../dist/include/mozilla/mozalloc.h:225
#3 0x7f5704515e59 in mozilla::dom::HTMLFormElement::~HTMLFormElement() content/html/content/src/HTMLFormElement.cpp:259
#4 0x7f5702b7e965 in nsNodeUtils::LastRelease(nsINode*) content/base/src/nsNodeUtils.cpp:265
#5 0x7f570235476a in mozilla::dom::FragmentOrElement::Release() content/base/src/FragmentOrElement.cpp:1706
#6 0x7f5704519e75 in mozilla::dom::HTMLFormElement::Release() content/html/content/src/HTMLFormElement.cpp:326
#7 0x7f56fdd552e0 in nsCOMPtr_base::~nsCOMPtr_base() objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:450
#8 0x7f56fe354101 in nsCOMPtr<nsIContent>::~nsCOMPtr() ../../dist/include/nsCOMPtr.h:489
#9 0x7f56fe353ffe in nsCOMPtr<nsIContent>::~nsCOMPtr() ../../dist/include/nsCOMPtr.h:489
#10 0x7f56fe353efe in nsTArrayElementTraits<nsCOMPtr<nsIContent> >::Destruct(nsCOMPtr<nsIContent>*) ../../dist/include/nsTArray.h:535
#11 0x7f56fe351414 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::DestructRange(unsigned int, unsigned int) ../../dist/include/nsTArray.h:1536
#12 0x7f56fe350d63 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) ../../dist/include/nsTArray.h:1253
#13 0x7f56fe35065b in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::Clear() ../../dist/include/nsTArray.h:1264
#14 0x7f56fe372327 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() ../../dist/include/nsTArray.h:749
#15 0x7f56fe372221 in nsTArray<nsCOMPtr<nsIContent> >::~nsTArray() ../../dist/include/nsTArray.h:1609
#16 0x7f56fe34da4e in nsTArray<nsCOMPtr<nsIContent> >::~nsTArray() ../../dist/include/nsTArray.h:1609
#17 0x7f5706a30487 in nsHtml5TreeOpExecutor::~nsHtml5TreeOpExecutor() parser/html/nsHtml5TreeOpExecutor.cpp:91
#18 0x7f5706a2fd57 in nsHtml5TreeOpExecutor::~nsHtml5TreeOpExecutor() parser/html/nsHtml5TreeOpExecutor.cpp:77
#19 0x7f57024ac74f in nsContentSink::Release() content/base/src/nsContentSink.cpp:58
#20 0x7f5706a2efd5 in nsHtml5TreeOpExecutor::Release() parser/html/nsHtml5TreeOpExecutor.cpp:49
#21 0x7f57068f1360 in nsRefPtr<nsHtml5TreeOpExecutor>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:880
#22 0x7f57068e509e in nsRefPtr<nsHtml5TreeOpExecutor>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:878
#23 0x7f57068e4b77 in nsHtml5Parser::~nsHtml5Parser() parser/html/nsHtml5Parser.cpp:51
#24 0x7f57068e4797 in nsHtml5Parser::~nsHtml5Parser() parser/html/nsHtml5Parser.cpp:46
#25 0x7f57068e156f in nsHtml5Parser::Release() parser/html/nsHtml5Parser.cpp:20
#26 0x7f57069319f0 in nsRefPtr<nsHtml5Parser>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:880
#27 0x7f570690ff0e in nsRefPtr<nsHtml5Parser>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:878
#28 0x7f570690fc27 in nsHtml5StreamParser::~nsHtml5StreamParser() parser/html/nsHtml5StreamParser.cpp:220
#29 0x7f570690f847 in nsHtml5StreamParser::~nsHtml5StreamParser() parser/html/nsHtml5StreamParser.cpp:204
#30 0x7f570690a50f in nsHtml5StreamParser::Release() parser/html/nsHtml5StreamParser.cpp:73
previously allocated by thread T0 here:
#0 0x41aac2 in malloc
#1 0x7f571f9af825 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
#2 0x7f5704513ae2 in operator new(unsigned long) ../../../../dist/include/mozilla/mozalloc.h:201
#3 0x7f5704513ae2 in NS_NewHTMLFormElement(already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/content/src/HTMLFormElement.cpp:67
#4 0x7f570463e1be in CreateHTMLElement(unsigned int, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/document/src/nsHTMLContentSink.cpp:498
#5 0x7f570463e9e5 in NS_NewHTMLElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/document/src/nsHTMLContentSink.cpp:481
#6 0x7f5702b5579a in NS_NewElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/base/src/nsNameSpaceManager.cpp:192
#7 0x7f5706a58d6f in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) parser/html/nsHtml5TreeOperation.cpp:350
#8 0x7f5706a36555 in nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp:557
#9 0x7f5706938342 in nsHtml5ExecutorFlusher::Run() parser/html/nsHtml5StreamParser.cpp:125
#10 0x7f570ee44bb7 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:626
#11 0x7f570eaaef12 in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
#12 0x7f5708e115c1 in nsXULWindow::ShowModal() xpfe/appshell/src/nsXULWindow.cpp:364
#13 0x7f5708dba527 in nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:523
#14 0x7f5708dba6d8 in non-virtual thunk to nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:524
#15 0x7f5708b9eb16 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1005
#16 0x7f5708b92e84 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
#17 0x7f570ef6e59b in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
#18 0x7f570846de60 in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:2804
#19 0x7f570846de60 in CallMethodHelper::Call() js/xpconnect/src/XPCWrappedNative.cpp:2142
#20 0x7f570846de60 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:2108
#21 0x7f57084c647f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1350
#22 0x7f571663367c in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:321
#23 0x7f571663367c in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:481
#24 0x7f5716612832 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2296
#25 0x7f57165c117e in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:438
#26 0x7f5716633d04 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:500
#27 0x7f5716637bff in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/vm/Interpreter.cpp:531
#28 0x7f5716c55cb8 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5755
#29 0x7f570842d5d5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1436
#30 0x7f57083f9c2b in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:589
#31 0x7f570ef73c44 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
#32 0x7f570ef70cfa in SharedStub
#33 0x7f570ef6e59b in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
Shadow bytes around the buggy address:
0x0c098010cde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c098010cdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c098010ce00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c098010ce10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c098010ce20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c098010ce30: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c098010ce40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c098010ce50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c098010ce60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c098010ce70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c098010ce80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==21835== ABORTING
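What the trace above shows, read from the bottom up: the parser's nsHtml5TreeOpExecutor is torn down and its nsTArray<nsCOMPtr<nsIContent>> is cleared front to back. The HTMLFormElement in that array hits its last release first and is deleted. An HTMLImageElement released later in the same Clear() still holds a raw pointer to that form, and its ClearForm() calls HTMLFormElement::RemoveImageElement, which reads the freed form's mImageElements array (the 8-byte read of nsTArray's header at offset 392 in the 504-byte freed region). The following is an added C++ model of that pattern, not Gecko code: the names Form, Image, Node, RunTeardown and the gLiveForms registry are invented for the illustration, and the registry stands in for ASan's freed-region check so the model reports the dangling call instead of actually dereferencing freed memory. The "fix" shown, breaking back-pointers in the form's destructor, is one minimal way to close this kind of hole; the real fix landed under bug 885539 and is not described on this page.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Registry of live Form objects. Stands in for ASan's "freed heap region"
// check so the model can count a dangling call without dereferencing freed
// memory (which would be undefined behaviour).
static std::set<const void*> gLiveForms;
static int gDanglingCalls = 0;

struct Node { virtual ~Node() = default; };   // stands in for nsIContent
struct Image;

struct Form : Node {
    std::vector<Image*> mImages;   // non-owning, like nsTArray<HTMLImageElement*>
    bool mBreakBackPointers;       // false = original behaviour, true = fix
    explicit Form(bool fix) : mBreakBackPointers(fix) { gLiveForms.insert(this); }
    ~Form() override;
    void AddImage(Image* img) { mImages.push_back(img); }
    void RemoveImage(Image* img) {   // models HTMLFormElement::RemoveImageElement
        mImages.erase(std::remove(mImages.begin(), mImages.end(), img), mImages.end());
    }
};

struct Image : Node {
    Form* mForm = nullptr;         // raw back-pointer, not ref-counted
    ~Image() override { ClearForm(); }
    void ClearForm() {             // models HTMLImageElement::ClearForm
        if (!mForm) return;
        if (gLiveForms.count(mForm) == 0) {   // form already destroyed
            ++gDanglingCalls;                  // this is where ASan reports
            mForm = nullptr;
            return;
        }
        mForm->RemoveImage(this);
        mForm = nullptr;
    }
};

Form::~Form() {
    if (mBreakBackPointers) {
        // Fix: no image may keep a pointer to a form that is going away.
        for (Image* img : mImages) img->mForm = nullptr;
    }
    gLiveForms.erase(this);
}

// Build one form and one image owned by the same array, then destroy the
// array front to back so the form is freed before the image, as in the
// trace. Returns the number of dangling calls into the freed form.
int RunTeardown(bool fix) {
    gDanglingCalls = 0;
    std::vector<std::unique_ptr<Node>> owned;
    auto form = std::make_unique<Form>(fix);
    auto img = std::make_unique<Image>();
    img->mForm = form.get();
    form->AddImage(img.get());
    owned.push_back(std::move(form));
    owned.push_back(std::move(img));
    for (auto& n : owned) n.reset();   // form first, then image
    return gDanglingCalls;
}

int main() {
    std::printf("original behaviour: %d dangling call(s)\n", RunTeardown(false));
    std::printf("with back-pointers cleared: %d dangling call(s)\n", RunTeardown(true));
    return 0;
}
```

The point of the model is the ordering: correctness of the raw back-pointer depends on the image always dying before the form, and the parser's teardown path in the trace violates that. Any fix has to make the form's destructor (or whatever detaches it from the tree) responsible for invalidating the pointers that refer to it, or replace the raw pointer with a reference the form cannot outlive.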
Comment 1•11 years ago
Is this a dup?
Comment 2•11 years ago
Dup of bug 885539
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•11 years ago
Keywords: csec-uaf, sec-critical
Comment 4•11 years ago
This should get verified against the 24 and 25 ASAN builds once bug 885539 lands on those branches.
Keywords: verifyme
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release
Updated•6 years ago
Component: DOM → DOM: Core & HTML