Closed Bug 981424 Opened 6 years ago Closed 6 years ago

Heap-use-after-free in nsHtml5TreeOperation::CreateElement

Categories

(Core :: General, defect)

x86_64
Linux
defect
Not set

RESOLVED DUPLICATE of bug 981279

People

(Reporter: attekett, Unassigned)

Details

Attachments

(1 file)

Attached file Repro-file
Tested on:

OS: Ubuntu 12.04 x64

Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1394359324//firefox-30.0a1.en-US.linux-x86_64-asan.tar.bz2


To reproduce, open the attached Repro-file with ASAN Firefox. This issue seems to be a pretty new regression, because it didn't reproduce on an around month-old Firefox ASAN build.

There is another new bug with similar stack trace in https://bugzilla.mozilla.org/show_bug.cgi?id=981413


ASAN-report:

==391==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000270310 at pc 0x7f5349cf03cb bp 0x7fff96d568b0 sp 0x7fff96d568a8
READ of size 8 at 0x604000270310 thread T0
    #0 0x7f5349cf03ca in Reget /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeOperation.h:110:0
    #1 0x7f5349cf03ca in nsHtml5TreeOperation::CreateElement(int, nsIAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeOperation.cpp:425:0
    #2 0x7f5349cda65c in nsHtml5TreeBuilder::createElement(int, nsIAtom*, nsHtml5HtmlAttributes*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilderCppSupplement.h:80:0
    #3 0x7f5349ce56c0 in nsHtml5TreeBuilder::appendToCurrentNodeAndPushFormattingElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilder.cpp:3909:0
    #4 0x7f5349c90f01 in nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilder.cpp:1126:0
    #5 0x7f5349c7f55d in nsHtml5Tokenizer::emitCurrentTagToken(bool, int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:315:0
    #6 0x7f5349cc7f63 in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:838:0
.
.
.
0x604000270310 is located 0 bytes inside of 40-byte region [0x604000270310,0x604000270338)
freed by thread T0 here:
    #0 0x446255 in __interceptor_free _asan_rtl_:0
    #1 0x7f5349c58425 in ~nsHtml5Atom /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/mozilla/mozalloc.h:225:0
    #2 0x7f5349c58425 in ~nsAutoPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsAutoPtr.h:78:0
    #3 0x7f5349c58425 in ~nsAutoPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsAutoPtr.h:77:0
    #4 0x7f5349c58425 in ~nsHtml5AtomEntry /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5AtomTable.cpp:24:0
    #5 0x7f5349c58425 in nsTHashtable<nsHtml5AtomEntry>::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsTHashtable.h:449:0
.
.
.
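
Triaging a report like the one above mostly means reading two stacks (where the freed chunk was read, and where it was freed) and deciding whether the trace is a duplicate of one already filed, which is how this bug ended up resolved as a duplicate of bug 981279. The following Python is an added example of that triage step, not code from the bug or from Mozilla: it parses the ASAN report quoted above (embedded verbatim as SAMPLE), pulls out the error kind, access size, chunk size, use site and free site, and builds a bucket signature from symbol names only, so reports from different builds with different addresses land in the same bucket. VARIANT is a constructed copy of the same report with shifted addresses and another pid; the bucket depth of three frames and the list of sanitizer-runtime frame prefixes are assumptions of this example, not a Mozilla convention.

```python
"""Parse AddressSanitizer reports and bucket them by stack signature.

Added triage example, not Mozilla code. SAMPLE is the report quoted in the
bug above; VARIANT is a constructed copy with shifted addresses and another
pid, used only to show that bucketing keys on frame names, not addresses.
"""
import hashlib
import re
from dataclasses import dataclass, field

SAMPLE = """\
==391==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000270310 at pc 0x7f5349cf03cb bp 0x7fff96d568b0 sp 0x7fff96d568a8
READ of size 8 at 0x604000270310 thread T0
    #0 0x7f5349cf03ca in Reget /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeOperation.h:110:0
    #1 0x7f5349cf03ca in nsHtml5TreeOperation::CreateElement(int, nsIAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeOperation.cpp:425:0
    #2 0x7f5349cda65c in nsHtml5TreeBuilder::createElement(int, nsIAtom*, nsHtml5HtmlAttributes*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilderCppSupplement.h:80:0
    #3 0x7f5349ce56c0 in nsHtml5TreeBuilder::appendToCurrentNodeAndPushFormattingElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilder.cpp:3909:0
    #4 0x7f5349c90f01 in nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilder.cpp:1126:0
    #5 0x7f5349c7f55d in nsHtml5Tokenizer::emitCurrentTagToken(bool, int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:315:0
    #6 0x7f5349cc7f63 in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:838:0
0x604000270310 is located 0 bytes inside of 40-byte region [0x604000270310,0x604000270338)
freed by thread T0 here:
    #0 0x446255 in __interceptor_free _asan_rtl_:0
    #1 0x7f5349c58425 in ~nsHtml5Atom /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/mozilla/mozalloc.h:225:0
    #2 0x7f5349c58425 in ~nsAutoPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsAutoPtr.h:78:0
    #3 0x7f5349c58425 in ~nsAutoPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsAutoPtr.h:77:0
    #4 0x7f5349c58425 in ~nsHtml5AtomEntry /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5AtomTable.cpp:24:0
    #5 0x7f5349c58425 in nsTHashtable<nsHtml5AtomEntry>::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsTHashtable.h:449:0
"""
# Constructed variant: same frames, every address shifted, different pid.
VARIANT = re.sub(r"0x[0-9a-f]+", lambda m: hex(int(m.group(0), 16) + 0x10000),
                 SAMPLE).replace("==391==", "==4242==")

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-fA-F]+")
REGION_RE = re.compile(r"is located \d+ bytes (?:inside of|to the (?:left|right) of) (?P<size>\d+)-byte region")
FRAME_RE = re.compile(r"^#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.*\S)\s+(?P<loc>\S+)$")
SANITIZER_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_", "_asan_rtl_")  # assumed list


@dataclass
class AsanReport:
    kind: str = ""          # e.g. heap-use-after-free
    address: str = ""       # faulting address as printed
    access: str = ""        # READ or WRITE
    access_size: int = 0
    region_size: int = 0    # size of the heap chunk the address falls in
    stacks: dict = field(default_factory=dict)  # "access" | "free" | "alloc" -> [(func, loc)]


def parse_asan_report(text: str) -> AsanReport:
    rep, current = AsanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # "." lines are elisions in pasted reports
            continue
        if (m := ERROR_RE.search(line)):
            rep.kind, rep.address = m["kind"], m["addr"]
        elif (m := ACCESS_RE.match(line)):
            rep.access, rep.access_size = m["op"], int(m["size"])
            current = "access"
            rep.stacks[current] = []
        elif line.startswith(("freed by thread", "previously allocated by thread")):
            current = "free" if line.startswith("freed") else "alloc"
            rep.stacks[current] = []
        elif (m := REGION_RE.search(line)):
            rep.region_size = int(m["size"])
        elif (m := FRAME_RE.match(line)) and current is not None:
            rep.stacks[current].append((m["func"], m["loc"]))
    return rep


def symbol(func: str) -> str:
    """Bare symbol of a printed frame: template args, parameter list and return
    type dropped, so inlining and signature noise do not split one crash into many buckets."""
    s = func
    while re.search(r"<[^<>]*>", s):         # peel template arguments innermost-first
        s = re.sub(r"<[^<>]*>", "", s)
    return s.split("(", 1)[0].split()[-1]


def bucket_signature(rep: AsanReport, depth: int = 3) -> str:
    """Bucket key: error kind, access type, and the top `depth` symbols of the use and
    free stacks. Sanitizer-runtime frames are dropped; runs of identical symbols collapse."""
    parts = [rep.kind, rep.access]
    for stack in ("access", "free"):
        syms = [symbol(func) for func, _ in rep.stacks.get(stack, [])
                if not func.startswith(SANITIZER_PREFIXES)]
        collapsed = [s for i, s in enumerate(syms) if i == 0 or s != syms[i - 1]]
        parts.append(";".join(collapsed[:depth]))
    return "|".join(parts)


def bucket_id(rep: AsanReport, depth: int = 3) -> str:
    return hashlib.sha256(bucket_signature(rep, depth).encode()).hexdigest()[:12]


def triage_summary(rep: AsanReport) -> dict:
    """What a triager wants first: what happened, where the bad access is, and where
    the chunk was freed (first free-stack frame outside the sanitizer runtime)."""
    use = rep.stacks.get("access", [])
    free = [f for f in rep.stacks.get("free", []) if not f[0].startswith(SANITIZER_PREFIXES)]
    return {"kind": rep.kind, "bucket": bucket_id(rep),
            "access": f"{rep.access} of {rep.access_size} bytes in a {rep.region_size}-byte chunk",
            "use_site": use[0][1] if use else None, "freed_at": free[0][1] if free else None}


if __name__ == "__main__":
    for name, text in (("bug report", SAMPLE), ("constructed variant", VARIANT)):
        print(name, triage_summary(parse_asan_report(text)))
```

Keying on the free stack as well as the use stack matters for use-after-free: two crashes that read freed memory at the same site but freed it from different owners are usually different bugs. The trace on this page, where the atom is freed through ~nsHtml5AtomEntry from nsTHashtable::s_ClearEntry while Reget in nsHtml5TreeOperation.h still reads it, is exactly the pair a duplicate check should compare against bug 981279 and the similar-looking bug 981413 before filing a third report.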
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 981279
Group: core-security → core-security-release
Group: core-security-release