Closed Bug 893484 Opened 11 years ago Closed 11 years ago

Heap-use-after-free in mozilla::dom::SVGPolygonElement::GetMarkPoints

Categories

(Core :: SVG, defect)

x86_64
All
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla25
Tracking Status
firefox22 --- unaffected
firefox23 --- unaffected
firefox24 --- unaffected
firefox25 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: inferno, Assigned: heycam)

References

Details

(Keywords: csectype-uaf, regression, sec-critical)

Attachments

(2 files)

Attached file Testcase
Looks like yesterday's regression from http://hg.mozilla.org/mozilla-central/rev/89f980fdb567

==1682==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300031d3f4 at pc 0x7f8518da638c bp 0x7fffbdc0c300 sp 0x7fffbdc0c2f8
WRITE of size 4 at 0x60300031d3f4 thread T0
    #0 0x7f8518da638b in mozilla::dom::SVGPolygonElement::GetMarkPoints(nsTArray<nsSVGMark>*) content/svg/content/src/SVGPolygonElement.cpp:58
    #1 0x7f8518c9d3f9 in nsSVGPathGeometryFrame::GetBBoxContribution(gfxMatrix const&, unsigned int) layout/svg/nsSVGPathGeometryFrame.cpp:452
    #2 0x7f8518c9c19d in nsSVGPathGeometryFrame::ReflowSVG() layout/svg/nsSVGPathGeometryFrame.cpp:314
    #3 0x7f8518c49e35 in nsSVGDisplayContainerFrame::ReflowSVG() layout/svg/nsSVGContainerFrame.cpp:331
    #4 0x7f8518c94aaa in nsSVGOuterSVGFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/svg/nsSVGOuterSVGFrame.cpp:475
    #5 0x7f851744f97b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) layout/generic/nsLineLayout.cpp:830
    #6 0x7f85173473d0 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) layout/generic/nsBlockFrame.cpp:3696
    #7 0x7f85173462d6 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) layout/generic/nsBlockFrame.cpp:3493
    #8 0x7f85173435b1 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3351
    #9 0x7f8517338b23 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2492
    #10 0x7f85173336c1 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1010
    #11 0x7f8517358692 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:266
    #12 0x7f8517340cc7 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3078
    #13 0x7f8517338dc1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2489
    #14 0x7f85173336c1 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1010
    #15 0x7f851737ad04 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
    #16 0x7f851736ee10 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:487
    #17 0x7f851737ad04 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
    #18 0x7f85173eba46 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:445
    #19 0x7f85173ec7e7 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:545
    #20 0x7f85173ee901 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:786
    #21 0x7f851737ad04 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
    #22 0x7f8517500351 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:225
    #23 0x7f851728340c in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:7831
    #24 0x7f85172939b2 in PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp:7972
    #25 0x7f851729334e in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp:3897
    #26 0x7f85172c1f0c in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1183
    #27 0x7f85172c79c3 in mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp:171
    #28 0x7f851693636c in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:543
    #29 0x7f8516936896 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:627
    #30 0x7f851692c955 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:621
    #31 0x7f851686973a in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:238
    #32 0x7f8515a8cc6c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:81
    #33 0x7f85169d7039 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:219
    #34 0x7f85196f192c in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
    #35 0x7f85191bb29a in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:269
    #36 0x7f851579286a in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3853
    #37 0x7f85157936a9 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3921
    #38 0x7f8515794519 in XRE_main toolkit/xre/nsAppRunner.cpp:4123
    #39 0x4282a4 in main browser/app/nsBrowserApp.cpp:272
    #40 0x7f851fd3b76c in ?? ??
    #41 0x4275b4 in _start ??
0x60300031d3f4 is located 20 bytes inside of 24-byte region [0x60300031d3e0,0x60300031d3f8)
freed by thread T0 here:
    #0 0x41b577 in realloc
    #1 0x7f851e27241e in moz_xrealloc memory/mozalloc/mozalloc.cpp:86
previously allocated by thread T0 here:
    #0 0x41b432 in malloc
    #1 0x7f851e272388 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
Shadow bytes around the buggy address:
  0x0c068005ba20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068005ba30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068005ba40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068005ba50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068005ba60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c068005ba70: fa fa fa fa fa fa fa fa fa fa fa fa fd fd[fd]fa
  0x0c068005ba80: fa fa 00 00 02 fa fa fa 00 00 02 fa fa fa 00 00
  0x0c068005ba90: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068005baa0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068005bab0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068005bac0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==1682==ABORTING
Better stack, includes free stack frames:
>==18292==ERROR: AddressSanitizer: heap-use-after-free on address 0x619003223e14 at pc 0x7fbc7e22bf60 bp 0x7fffb7b07850 sp 0x7fffb7b07848
>WRITE of size 4 at 0x619003223e14 thread T0
>    #0 0x7fbc7e22bf5f in mozilla::dom::SVGPolygonElement::GetMarkPoints(nsTArray<nsSVGMark>*) content/svg/content/src/SVGPolygonElement.cpp:58
>    #1 0x7fbc7dd97c2a in nsSVGPathGeometryFrame::GetBBoxContribution(gfxMatrix const&, unsigned int) layout/svg/nsSVGPathGeometryFrame.cpp:452
>    #2 0x7fbc7dd95fc5 in nsSVGPathGeometryFrame::ReflowSVG() layout/svg/nsSVGPathGeometryFrame.cpp:314
>    #3 0x7fbc7dd96948 in non-virtual thunk to nsSVGPathGeometryFrame::ReflowSVG() layout/svg/nsSVGPathGeometryFrame.cpp:340
>    #4 0x7fbc7dc8a7bb in nsSVGDisplayContainerFrame::ReflowSVG() layout/svg/nsSVGContainerFrame.cpp:331
>    #5 0x7fbc7dd80d75 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/svg/nsSVGOuterSVGFrame.cpp:475
>    #6 0x7fbc77a8876e in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) layout/generic/nsLineLayout.cpp:830
>    #7 0x7fbc77726289 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) layout/generic/nsBlockFrame.cpp:3696
>    #8 0x7fbc77720f44 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) layout/generic/nsBlockFrame.cpp:3493
>    #9 0x7fbc77715012 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3351
>    #10 0x7fbc77705922 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2492
>    #11 0x7fbc776ef57d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2011
>    #12 0x7fbc776e2ccc in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1010
>    #13 0x7fbc777659a8 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:266
>    #14 0x7fbc7770fd42 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3078
>    #15 0x7fbc77705667 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2489
>    #16 0x7fbc776ef57d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2011
>    #17 0x7fbc776e2ccc in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1010
>    #18 0x7fbc777d0e99 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
>    #19 0x7fbc777a1807 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:487
>    #20 0x7fbc777d0e99 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
>    #21 0x7fbc77931451 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:445
>    #22 0x7fbc779355d0 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:545
>    #23 0x7fbc77939a95 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:786
>    #24 0x7fbc777d0e99 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
>    #25 0x7fbc77d1341e in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:225
>    #26 0x7fbc7746c1f2 in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:7831
>    #27 0x7fbc77499231 in PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp:7972
>    #28 0x7fbc774979ed in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp:3897
>    #29 0x7fbc77545e82 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1183
>    #30 0x7fbc77574f5a in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:171
>    #31 0x7fbc7757446e in mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp:163
>    #32 0x7fbc7757397a in mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) layout/base/nsRefreshDriver.cpp:188
>    #33 0x7fbc74c78212 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:543
>    #34 0x7fbc74c7977a in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:627
>    #35 0x7fbc74c41fab in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:621
>    #36 0x7fbc7485cce2 in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #37 0x7fbc7f3a897b in nsXULWindow::ShowModal() xpfe/appshell/src/nsXULWindow.cpp:364
>    #38 0x7fbc7f351a17 in nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:523
>    #39 0x7fbc7f351bc8 in non-virtual thunk to nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:524
>    #40 0x7fbc7f13c1bc in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1005
>    #41 0x7fbc7f130514 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
>    #42 0x7fbc74d97b7b in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
>    #43 0x7fbc7ea29a30 in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:2795
>    #44 0x7fbc7ea29a30 in CallMethodHelper::Call() js/xpconnect/src/XPCWrappedNative.cpp:2133
>    #45 0x7fbc7ea29a30 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:2099
>    #46 0x7fbc7ea8219f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1315
>    #47 0x7fbc88223a8c in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:225
>    #48 0x7fbc88223a8c in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:478
>    #49 0x7fbc88202c50 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2503
>    #50 0x7fbc881b1596 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:435
>    #51 0x7fbc88224117 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:497
>    #52 0x7fbc88227fd3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:528
>    #53 0x7fbc88b14294 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5757
>    #54 0x7fbc7e9e9680 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1437
>    #55 0x7fbc7e9b498b in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:590
>    #56 0x7fbc74d9d374 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>    #57 0x7fbc74d9a42a in SharedStub
>0x619003223e14 is located 20 bytes inside of 24-byte region [0x619003223e00,0x619003223e18)
>freed by thread T0 here:
>    #0 0x41a817 in realloc
>    #1 0x7fbc91769279 in moz_xrealloc memory/mozalloc/mozalloc.cpp:86
>    #2 0x7fbc6fb6d28b in nsTArrayInfallibleAllocator::Realloc(void*, unsigned long) objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsTArray.h:205
>    #3 0x7fbc7e14f06f in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyElements<nsSVGMark> >::EnsureCapacity(unsigned int, unsigned int) ../../../../dist/include/nsTArray-inl.h:170
>    #4 0x7fbc7e14dc53 in nsSVGMark* nsTArray_Impl<nsSVGMark, nsTArrayInfallibleAllocator>::AppendElements<nsSVGMark>(nsSVGMark const*, unsigned int) ../../../../dist/include/nsTArray.h:1186
>    #5 0x7fbc7e14ca20 in nsSVGMark* nsTArray_Impl<nsSVGMark, nsTArrayInfallibleAllocator>::AppendElement<nsSVGMark>(nsSVGMark const&) ../../../../dist/include/nsTArray.h:1203
>    #6 0x7fbc7e22bed7 in mozilla::dom::SVGPolygonElement::GetMarkPoints(nsTArray<nsSVGMark>*) content/svg/content/src/SVGPolygonElement.cpp:56
>    #7 0x7fbc7dd97c2a in nsSVGPathGeometryFrame::GetBBoxContribution(gfxMatrix const&, unsigned int) layout/svg/nsSVGPathGeometryFrame.cpp:452
>    #8 0x7fbc7dd95fc5 in nsSVGPathGeometryFrame::ReflowSVG() layout/svg/nsSVGPathGeometryFrame.cpp:314
>    #9 0x7fbc7dd96948 in non-virtual thunk to nsSVGPathGeometryFrame::ReflowSVG() layout/svg/nsSVGPathGeometryFrame.cpp:340
>    #10 0x7fbc7dc8a7bb in nsSVGDisplayContainerFrame::ReflowSVG() layout/svg/nsSVGContainerFrame.cpp:331
>    #11 0x7fbc7dd80d75 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/svg/nsSVGOuterSVGFrame.cpp:475
>    #12 0x7fbc77a8876e in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) layout/generic/nsLineLayout.cpp:830
>    #13 0x7fbc77726289 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) layout/generic/nsBlockFrame.cpp:3696
>    #14 0x7fbc77720f44 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) layout/generic/nsBlockFrame.cpp:3493
>    #15 0x7fbc77715012 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3351
>    #16 0x7fbc77705922 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2492
>    #17 0x7fbc776ef57d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2011
>    #18 0x7fbc776e2ccc in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1010
>    #19 0x7fbc777659a8 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:266
>    #20 0x7fbc7770fd42 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3078
>    #21 0x7fbc77705667 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2489
>    #22 0x7fbc776ef57d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2011
>    #23 0x7fbc776e2ccc in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1010
>    #24 0x7fbc777d0e99 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
>    #25 0x7fbc777a1807 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:487
>    #26 0x7fbc777d0e99 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
>    #27 0x7fbc77931451 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:445
>    #28 0x7fbc779355d0 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:545
>    #29 0x7fbc77939a95 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:786
>previously allocated by thread T0 here:
>    #0 0x41a6d2 in malloc
>    #1 0x7fbc91768825 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
>    #2 0x7fbc6fb6c85e in nsTArrayInfallibleAllocator::Malloc(unsigned long) objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsTArray.h:201
>    #3 0x7fbc7e14e6a3 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyElements<nsSVGMark> >::EnsureCapacity(unsigned int, unsigned int) ../../../../dist/include/nsTArray-inl.h:119
>    #4 0x7fbc7e14dc53 in nsSVGMark* nsTArray_Impl<nsSVGMark, nsTArrayInfallibleAllocator>::AppendElements<nsSVGMark>(nsSVGMark const*, unsigned int) ../../../../dist/include/nsTArray.h:1186
>    #5 0x7fbc7e14ca20 in nsSVGMark* nsTArray_Impl<nsSVGMark, nsTArrayInfallibleAllocator>::AppendElement<nsSVGMark>(nsSVGMark const&) ../../../../dist/include/nsTArray.h:1203
>    #6 0x7fbc7e41ddc2 in nsSVGPolyElement::GetMarkPoints(nsTArray<nsSVGMark>*) content/svg/content/src/nsSVGPolyElement.cpp:83
>    #7 0x7fbc7e22b590 in mozilla::dom::SVGPolygonElement::GetMarkPoints(nsTArray<nsSVGMark>*) content/svg/content/src/SVGPolygonElement.cpp:41
>    #8 0x7fbc7dd97c2a in nsSVGPathGeometryFrame::GetBBoxContribution(gfxMatrix const&, unsigned int) layout/svg/nsSVGPathGeometryFrame.cpp:452
>    #9 0x7fbc7dd95fc5 in nsSVGPathGeometryFrame::ReflowSVG() layout/svg/nsSVGPathGeometryFrame.cpp:314
>    #10 0x7fbc7dd96948 in non-virtual thunk to nsSVGPathGeometryFrame::ReflowSVG() layout/svg/nsSVGPathGeometryFrame.cpp:340
>    #11 0x7fbc7dc8a7bb in nsSVGDisplayContainerFrame::ReflowSVG() layout/svg/nsSVGContainerFrame.cpp:331
>    #12 0x7fbc7dd80d75 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/svg/nsSVGOuterSVGFrame.cpp:475
>    #13 0x7fbc77a8876e in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) layout/generic/nsLineLayout.cpp:830
>    #14 0x7fbc77726289 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) layout/generic/nsBlockFrame.cpp:3696
>    #15 0x7fbc77720f44 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) layout/generic/nsBlockFrame.cpp:3493
>    #16 0x7fbc77715012 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3351
>    #17 0x7fbc77705922 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2492
>    #18 0x7fbc776ef57d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2011
>    #19 0x7fbc776e2ccc in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1010
>    #20 0x7fbc777659a8 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:266
>    #21 0x7fbc7770fd42 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3078
>    #22 0x7fbc77705667 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:2489
>    #23 0x7fbc776ef57d in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2011
>    #24 0x7fbc776e2ccc in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1010
>    #25 0x7fbc777d0e99 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
>    #26 0x7fbc777a1807 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:487
>    #27 0x7fbc777d0e99 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:970
>    #28 0x7fbc77931451 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:445
>    #29 0x7fbc779355d0 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:545
>Shadow bytes around the buggy address:
>  0x0c328063c770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x0c328063c7c0: fd fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c328063c810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap righ redzone:     fb
>  Freed Heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>==18292==ABORTING
Component: General → SVG
Product: Firefox → Core
Looks like I'm grabbing a pointer to one of the entries in aMarks, then appending another item to it, and that reallocates the buffer.
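The pointer-then-append pattern described in the comment above, shown as an added example that is not Gecko code: std::vector stands in for nsTArray, the Mark struct is a constructed stand-in for nsSVGMark, and ClosePolygonMarks is a hypothetical analogue of the polygon-closing step, written index-based so no element pointer survives the append.

```cpp
#include <cmath>
#include <cstdint>
#include <vector>

// Constructed stand-in for nsSVGMark; the field set is an assumption.
struct Mark {
    float x, y, angle;
    int type;   // 0 = start, 1 = mid, 2 = end (constructed values)
};

// Grow a vector until size() == capacity(), so the next push_back must
// reallocate (the EnsureCapacity -> Realloc step in the ASan "freed by" stack).
void FillToCapacity(std::vector<Mark>& marks, Mark fill) {
    do { marks.push_back(fill); } while (marks.size() != marks.capacity());
}

// Report whether a single append relocated the element buffer. Addresses are
// compared as integers, so the old (now invalid) pointer is never dereferenced.
bool AppendMovesBuffer(std::vector<Mark>& marks, Mark m) {
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(marks.data());
    marks.push_back(m);
    return before != reinterpret_cast<std::uintptr_t>(marks.data());
}

// Hypothetical polygon-closing step: append a mark for the closing segment
// (last vertex back to the first) and give the first mark that segment's angle.
//
// Buggy shape, as the comment describes it:
//     Mark* first = &marks[0];
//     marks.push_back(closing);   // buffer reallocated, `first` now dangles
//     first->angle = ...;         // write of size 4 into the freed region
//
// Fixed shape: compute everything needed from the old elements first, append,
// then address elements by index so every write goes to the live buffer.
void ClosePolygonMarks(std::vector<Mark>& marks) {
    if (marks.size() < 2) return;
    Mark closing;
    {
        const Mark& first = marks.front();
        const Mark& last = marks.back();
        closing = Mark{first.x, first.y,
                       std::atan2(first.y - last.y, first.x - last.x), 2};
    }   // references end here; nothing into the old buffer outlives the append
    marks.push_back(closing);               // may reallocate
    marks[0].angle = marks.back().angle;    // index-based: always valid
}
```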
Attached patch patch
Assignee: nobody → cam
Status: NEW → ASSIGNED
Attachment #775529 - Flags: review?(jwatt)
Attachment #775529 - Flags: review?(jwatt) → review+
Is this a regression?  What branches does it affect?
It's a new bug introduced by bug 879659 a few days ago. Only Trunk is affected.
Thanks!
https://hg.mozilla.org/mozilla-central/rev/874daff14871

Please be sure to land the test.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security