Closed Bug 888264 Opened 11 years ago Closed 11 years ago

Heap-use-after-free in mozilla::dom::HTMLFormElement::RemoveImageElement

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Windows 7
defect
Not set
normal


RESOLVED DUPLICATE of bug 885539

People

(Reporter: inferno, Unassigned)

Details

(Keywords: csectype-uaf, sec-critical, verifyme)

Attachments

(1 file)

Attached file Testcase
==21835== ERROR: AddressSanitizer: heap-use-after-free on address 0x6048008a7188 at pc 0x7f570458217e bp 0x7fffd1f80f50 sp 0x7fffd1f80f48 READ of size 8 at 0x6048008a7188 thread T0 #0 0x7f570458217d in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyElements<mozilla::dom::HTMLImageElement*> >::Hdr() const ../../../../dist/include/nsTArray.h:499 #1 0x7f57045829d1 in nsTArray_Impl<mozilla::dom::HTMLImageElement*, nsTArrayInfallibleAllocator>::Elements() const ../../../../dist/include/nsTArray.h:860 #2 0x7f5704582485 in unsigned int nsTArray_Impl<mozilla::dom::HTMLImageElement*, nsTArrayInfallibleAllocator>::IndexOf<mozilla::dom::HTMLImageElement*, nsDefaultComparator<mozilla::dom::HTMLImageElement*, mozilla::dom::HTMLImageElement*> >(mozilla::dom::HTMLImageElement* const&, unsigned int, nsDefaultComparator<mozilla::dom::HTMLImageElement*, mozilla::dom::HTMLImageElement*> const&) const ../../../../dist/include/nsTArray.h:962 #3 0x7f570455b76f in unsigned int nsTArray_Impl<mozilla::dom::HTMLImageElement*, nsTArrayInfallibleAllocator>::IndexOf<mozilla::dom::HTMLImageElement*>(mozilla::dom::HTMLImageElement* const&, unsigned int) const ../../../../dist/include/nsTArray.h:978 #4 0x7f570455b28a in mozilla::dom::HTMLFormElement::RemoveImageElement(mozilla::dom::HTMLImageElement*) content/html/content/src/HTMLFormElement.cpp:2786 #5 0x7f5703ad265f in mozilla::dom::HTMLImageElement::ClearForm(bool) content/html/content/src/HTMLImageElement.cpp:676 #6 0x7f5702b7e3dc in nsNodeUtils::LastRelease(nsINode*) content/base/src/nsNodeUtils.cpp:223 #7 0x7f570235476a in mozilla::dom::FragmentOrElement::Release() content/base/src/FragmentOrElement.cpp:1706 #8 0x7f5703ac1bb5 in mozilla::dom::HTMLImageElement::Release() content/html/content/src/HTMLImageElement.cpp:65 #9 0x7f56fdd552e0 in nsCOMPtr_base::~nsCOMPtr_base() objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:450 #10 0x7f56fe354101 in nsCOMPtr<nsIContent>::~nsCOMPtr() 
../../dist/include/nsCOMPtr.h:489 #11 0x7f56fe353ffe in nsCOMPtr<nsIContent>::~nsCOMPtr() ../../dist/include/nsCOMPtr.h:489 #12 0x7f56fe353efe in nsTArrayElementTraits<nsCOMPtr<nsIContent> >::Destruct(nsCOMPtr<nsIContent>*) ../../dist/include/nsTArray.h:535 #13 0x7f56fe351414 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::DestructRange(unsigned int, unsigned int) ../../dist/include/nsTArray.h:1536 #14 0x7f56fe350d63 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) ../../dist/include/nsTArray.h:1253 #15 0x7f56fe35065b in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::Clear() ../../dist/include/nsTArray.h:1264 #16 0x7f56fe372327 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() ../../dist/include/nsTArray.h:749 #17 0x7f56fe372221 in nsTArray<nsCOMPtr<nsIContent> >::~nsTArray() ../../dist/include/nsTArray.h:1609 #18 0x7f56fe34da4e in nsTArray<nsCOMPtr<nsIContent> >::~nsTArray() ../../dist/include/nsTArray.h:1609 #19 0x7f5706a30487 in nsHtml5TreeOpExecutor::~nsHtml5TreeOpExecutor() parser/html/nsHtml5TreeOpExecutor.cpp:91 #20 0x7f5706a2fd57 in nsHtml5TreeOpExecutor::~nsHtml5TreeOpExecutor() parser/html/nsHtml5TreeOpExecutor.cpp:77 #21 0x7f57024ac74f in nsContentSink::Release() content/base/src/nsContentSink.cpp:58 #22 0x7f5706a2efd5 in nsHtml5TreeOpExecutor::Release() parser/html/nsHtml5TreeOpExecutor.cpp:49 #23 0x7f57068f1360 in nsRefPtr<nsHtml5TreeOpExecutor>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:880 #24 0x7f57068e509e in nsRefPtr<nsHtml5TreeOpExecutor>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:878 #25 0x7f57068e4b77 in nsHtml5Parser::~nsHtml5Parser() parser/html/nsHtml5Parser.cpp:51 #26 0x7f57068e4797 in nsHtml5Parser::~nsHtml5Parser() parser/html/nsHtml5Parser.cpp:46 #27 0x7f57068e156f in nsHtml5Parser::Release() parser/html/nsHtml5Parser.cpp:20 #28 0x7f57069319f0 in nsRefPtr<nsHtml5Parser>::~nsRefPtr() 
../../dist/include/nsAutoPtr.h:880 #29 0x7f570690ff0e in nsRefPtr<nsHtml5Parser>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:878 #30 0x7f570690fc27 in nsHtml5StreamParser::~nsHtml5StreamParser() parser/html/nsHtml5StreamParser.cpp:220 #31 0x7f570690f847 in nsHtml5StreamParser::~nsHtml5StreamParser() parser/html/nsHtml5StreamParser.cpp:204 #32 0x7f570690a50f in nsHtml5StreamParser::Release() parser/html/nsHtml5StreamParser.cpp:73 #33 0x7f5706934c6e in nsHtml5RefPtrReleaser<nsHtml5StreamParser>::Run() parser/html/nsHtml5RefPtr.h:22 #34 0x7f570ee44bb7 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:626 #35 0x7f570eaaef12 in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238 #36 0x7f5708e115c1 in nsXULWindow::ShowModal() xpfe/appshell/src/nsXULWindow.cpp:364 #37 0x7f5708dba527 in nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:523 #38 0x7f5708dba6d8 in non-virtual thunk to nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:524 #39 0x7f5708b9eb16 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1005 #40 0x7f5708b92e84 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344 #41 0x7f570ef6e59b in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162 #42 0x7f570846de60 in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:2804 #43 0x7f570846de60 in CallMethodHelper::Call() js/xpconnect/src/XPCWrappedNative.cpp:2142 #44 0x7f570846de60 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:2108 #45 0x7f57084c647f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 
js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1350 #46 0x7f571663367c in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:321 #47 0x7f571663367c in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:481 #48 0x7f5716612832 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2296 #49 0x7f57165c117e in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:438 #50 0x7f5716633d04 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:500 #51 0x7f5716637bff in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/vm/Interpreter.cpp:531 #52 0x7f5716c55cb8 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5755 #53 0x7f570842d5d5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1436 #54 0x7f57083f9c2b in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:589 #55 0x7f570ef73c44 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122 #56 0x7f570ef70cfa in SharedStub 0x6048008a7188 is located 392 bytes inside of 504-byte region [0x6048008a7000,0x6048008a71f8) freed by thread T0 here: #0 0x41a9e2 in __interceptor_free #1 0x7f571f9af6de in moz_free memory/mozalloc/mozalloc.cpp:48 #2 0x7f5704515e59 in operator delete(void*) ../../../../dist/include/mozilla/mozalloc.h:225 #3 0x7f5704515e59 in mozilla::dom::HTMLFormElement::~HTMLFormElement() content/html/content/src/HTMLFormElement.cpp:259 #4 0x7f5702b7e965 in nsNodeUtils::LastRelease(nsINode*) content/base/src/nsNodeUtils.cpp:265 #5 0x7f570235476a in mozilla::dom::FragmentOrElement::Release() content/base/src/FragmentOrElement.cpp:1706 #6 0x7f5704519e75 in 
mozilla::dom::HTMLFormElement::Release() content/html/content/src/HTMLFormElement.cpp:326 #7 0x7f56fdd552e0 in nsCOMPtr_base::~nsCOMPtr_base() objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:450 #8 0x7f56fe354101 in nsCOMPtr<nsIContent>::~nsCOMPtr() ../../dist/include/nsCOMPtr.h:489 #9 0x7f56fe353ffe in nsCOMPtr<nsIContent>::~nsCOMPtr() ../../dist/include/nsCOMPtr.h:489 #10 0x7f56fe353efe in nsTArrayElementTraits<nsCOMPtr<nsIContent> >::Destruct(nsCOMPtr<nsIContent>*) ../../dist/include/nsTArray.h:535 #11 0x7f56fe351414 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::DestructRange(unsigned int, unsigned int) ../../dist/include/nsTArray.h:1536 #12 0x7f56fe350d63 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) ../../dist/include/nsTArray.h:1253 #13 0x7f56fe35065b in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::Clear() ../../dist/include/nsTArray.h:1264 #14 0x7f56fe372327 in nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() ../../dist/include/nsTArray.h:749 #15 0x7f56fe372221 in nsTArray<nsCOMPtr<nsIContent> >::~nsTArray() ../../dist/include/nsTArray.h:1609 #16 0x7f56fe34da4e in nsTArray<nsCOMPtr<nsIContent> >::~nsTArray() ../../dist/include/nsTArray.h:1609 #17 0x7f5706a30487 in nsHtml5TreeOpExecutor::~nsHtml5TreeOpExecutor() parser/html/nsHtml5TreeOpExecutor.cpp:91 #18 0x7f5706a2fd57 in nsHtml5TreeOpExecutor::~nsHtml5TreeOpExecutor() parser/html/nsHtml5TreeOpExecutor.cpp:77 #19 0x7f57024ac74f in nsContentSink::Release() content/base/src/nsContentSink.cpp:58 #20 0x7f5706a2efd5 in nsHtml5TreeOpExecutor::Release() parser/html/nsHtml5TreeOpExecutor.cpp:49 #21 0x7f57068f1360 in nsRefPtr<nsHtml5TreeOpExecutor>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:880 #22 0x7f57068e509e in nsRefPtr<nsHtml5TreeOpExecutor>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:878 #23 0x7f57068e4b77 in 
nsHtml5Parser::~nsHtml5Parser() parser/html/nsHtml5Parser.cpp:51 #24 0x7f57068e4797 in nsHtml5Parser::~nsHtml5Parser() parser/html/nsHtml5Parser.cpp:46 #25 0x7f57068e156f in nsHtml5Parser::Release() parser/html/nsHtml5Parser.cpp:20 #26 0x7f57069319f0 in nsRefPtr<nsHtml5Parser>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:880 #27 0x7f570690ff0e in nsRefPtr<nsHtml5Parser>::~nsRefPtr() ../../dist/include/nsAutoPtr.h:878 #28 0x7f570690fc27 in nsHtml5StreamParser::~nsHtml5StreamParser() parser/html/nsHtml5StreamParser.cpp:220 #29 0x7f570690f847 in nsHtml5StreamParser::~nsHtml5StreamParser() parser/html/nsHtml5StreamParser.cpp:204 #30 0x7f570690a50f in nsHtml5StreamParser::Release() parser/html/nsHtml5StreamParser.cpp:73 previously allocated by thread T0 here: #0 0x41aac2 in malloc #1 0x7f571f9af825 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54 #2 0x7f5704513ae2 in operator new(unsigned long) ../../../../dist/include/mozilla/mozalloc.h:201 #3 0x7f5704513ae2 in NS_NewHTMLFormElement(already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/content/src/HTMLFormElement.cpp:67 #4 0x7f570463e1be in CreateHTMLElement(unsigned int, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/document/src/nsHTMLContentSink.cpp:498 #5 0x7f570463e9e5 in NS_NewHTMLElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/document/src/nsHTMLContentSink.cpp:481 #6 0x7f5702b5579a in NS_NewElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/base/src/nsNameSpaceManager.cpp:192 #7 0x7f5706a58d6f in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) parser/html/nsHtml5TreeOperation.cpp:350 #8 0x7f5706a36555 in nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp:557 #9 0x7f5706938342 in nsHtml5ExecutorFlusher::Run() parser/html/nsHtml5StreamParser.cpp:125 #10 0x7f570ee44bb7 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:626 #11 
0x7f570eaaef12 in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238 #12 0x7f5708e115c1 in nsXULWindow::ShowModal() xpfe/appshell/src/nsXULWindow.cpp:364 #13 0x7f5708dba527 in nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:523 #14 0x7f5708dba6d8 in non-virtual thunk to nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:524 #15 0x7f5708b9eb16 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1005 #16 0x7f5708b92e84 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344 #17 0x7f570ef6e59b in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162 #18 0x7f570846de60 in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:2804 #19 0x7f570846de60 in CallMethodHelper::Call() js/xpconnect/src/XPCWrappedNative.cpp:2142 #20 0x7f570846de60 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:2108 #21 0x7f57084c647f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1350 #22 0x7f571663367c in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:321 #23 0x7f571663367c in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:481 #24 0x7f5716612832 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2296 #25 0x7f57165c117e in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:438 #26 0x7f5716633d04 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:500 #27 0x7f5716637bff in js::Invoke(JSContext*, JS::Value const&, 
JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/vm/Interpreter.cpp:531 #28 0x7f5716c55cb8 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5755 #29 0x7f570842d5d5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1436 #30 0x7f57083f9c2b in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:589 #31 0x7f570ef73c44 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122 #32 0x7f570ef70cfa in SharedStub #33 0x7f570ef6e59b in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162 Shadow bytes around the buggy address: 0x0c098010cde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c098010cdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c098010ce00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c098010ce10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c098010ce20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c098010ce30: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c098010ce40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c098010ce50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c098010ce60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c098010ce70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c098010ce80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==21835== ABORTING
Is this a dup?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
This should be verified against the 24 and 25 ASan builds once bug 885539 lands on those branches.
Keywords: verifyme
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML
