Closed Bug 983429 Opened 6 years ago Closed 6 years ago

heap-use-after-free in nsHtml5TreeOperation::CreateElement

Categories

(Core :: DOM: Core & HTML, defect)

30 Branch
x86_64
Linux
defect
Not set

RESOLVED DUPLICATE of bug 981279

People

(Reporter: tsmith, Unassigned)

Details

(Whiteboard: [dupe of 981279?])

Attachments

(1 file)

Attached file stack_trace.txt
Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF.

At this time we do not have a test case that will reproduce the issue.

==9719==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040003deed0 at pc 0x7f8b3d21593b bp 0x7fff94295390 sp 0x7fff94295388
READ of size 8 at 0x6040003deed0 thread T0
    #0 0x7f8b3d21593a (libxul.so!nsHtml5TreeOperation::CreateElement(int, nsIAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*)+0x1b0a)
	Line 110 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeOperation.h"
    #1 0x7f8b3d1ffbcc (libxul.so!nsHtml5TreeBuilder::createElement(int, nsIAtom*, nsHtml5HtmlAttributes*)+0x72c)
	Line 80 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeBuilderCppSupplement.h"
    #2 0x7f8b3d207f32 (libxul.so!nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*)+0x42)
	Line 3939 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeBuilder.cpp"
    #3 0x7f8b3d1b33af (libxul.so!nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool)+0x7a7f)
	Line 1044 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeBuilder.cpp"
    #4 0x7f8b3d1a4acd (libxul.so!nsHtml5Tokenizer::emitCurrentTagToken(bool, int)+0x30d)
	Line 315 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5Tokenizer.cpp"
...
This is possibly a dup of Bug 981279.
Whiteboard: [dupe of 981279?]
(In reply to Olli Pettay [:smaug] from comment #1)
> This is possibly a dup of Bug 981279.

Without a test case, this looks like a duplicate. The stack is the same.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 981279
Group: core-security → core-security-release
Group: core-security-release