983429 - heap-use-after-free in nsHtml5TreeOperation::CreateElement

Status: RESOLVED DUPLICATE of bug 981279

(Core :: DOM: Core & HTML, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: stack_trace.txt

Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF.

At this time we do not have a test case that will reproduce the issue.

==9719==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040003deed0 at pc 0x7f8b3d21593b bp 0x7fff94295390 sp 0x7fff94295388
READ of size 8 at 0x6040003deed0 thread T0
    #0 0x7f8b3d21593a (libxul.so!nsHtml5TreeOperation::CreateElement(int, nsIAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*)+0x1b0a)
	Line 110 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeOperation.h"
    #1 0x7f8b3d1ffbcc (libxul.so!nsHtml5TreeBuilder::createElement(int, nsIAtom*, nsHtml5HtmlAttributes*)+0x72c)
	Line 80 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeBuilderCppSupplement.h"
    #2 0x7f8b3d207f32 (libxul.so!nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*)+0x42)
	Line 3939 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeBuilder.cpp"
    #3 0x7f8b3d1b33af (libxul.so!nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool)+0x7a7f)
	Line 1044 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeBuilder.cpp"
    #4 0x7f8b3d1a4acd (libxul.so!nsHtml5Tokenizer::emitCurrentTagToken(bool, int)+0x30d)
	Line 315 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5Tokenizer.cpp"
...

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

This is possibly a dup of Bug 981279.

Comment 2

[Henri Sivonen (:hsivonen)]

(In reply to Olli Pettay [:smaug] from comment #1)
> This is possibly a dup of Bug 981279.

Without a test case, this looks like a duplicate. The stack is the same.