Bug 981424 - Heap-use-after-free in nsHtml5TreeOperation::CreateElement
Status: Closed (RESOLVED DUPLICATE of bug 981279)
Opened 10 years ago, closed 10 years ago
Categories: Core :: General, defect
Reporter: attekett; Assignee: Unassigned
Attachments (1 file): Repro-file, 1.34 KB, text/html
Description (attekett):

Tested on:
OS: Ubuntu 12.04 x64
Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1394359324//firefox-30.0a1.en-US.linux-x86_64-asan.tar.bz2

To reproduce, open the attached Repro-file with ASAN Firefox.

This issue seems to be a pretty new regression, because it didn't reproduce on an around month-old Firefox ASAN build.

There is another new bug with a similar stack trace in https://bugzilla.mozilla.org/show_bug.cgi?id=981413

ASAN-report:

==391==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000270310 at pc 0x7f5349cf03cb bp 0x7fff96d568b0 sp 0x7fff96d568a8
READ of size 8 at 0x604000270310 thread T0
    #0 0x7f5349cf03ca in Reget /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeOperation.h:110:0
    #1 0x7f5349cf03ca in nsHtml5TreeOperation::CreateElement(int, nsIAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeOperation.cpp:425:0
    #2 0x7f5349cda65c in nsHtml5TreeBuilder::createElement(int, nsIAtom*, nsHtml5HtmlAttributes*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilderCppSupplement.h:80:0
    #3 0x7f5349ce56c0 in nsHtml5TreeBuilder::appendToCurrentNodeAndPushFormattingElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilder.cpp:3909:0
    #4 0x7f5349c90f01 in nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilder.cpp:1126:0
    #5 0x7f5349c7f55d in nsHtml5Tokenizer::emitCurrentTagToken(bool, int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:315:0
    #6 0x7f5349cc7f63 in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:838:0
    ...
0x604000270310 is located 0 bytes inside of 40-byte region [0x604000270310,0x604000270338)
freed by thread T0 here:
    #0 0x446255 in __interceptor_free _asan_rtl_:0
    #1 0x7f5349c58425 in ~nsHtml5Atom /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/mozilla/mozalloc.h:225:0
    #2 0x7f5349c58425 in ~nsAutoPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsAutoPtr.h:78:0
    #3 0x7f5349c58425 in ~nsAutoPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsAutoPtr.h:77:0
    #4 0x7f5349c58425 in ~nsHtml5AtomEntry /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5AtomTable.cpp:24:0
    #5 0x7f5349c58425 in nsTHashtable<nsHtml5AtomEntry>::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/parser/html/../../dist/include/nsTHashtable.h:449:0
    ...
History:

Updated 10 years ago:
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE

Updated 9 years ago:
Group: core-security → core-security-release

Updated 8 years ago:
Group: core-security-release