Closed Bug 987052 Opened 10 years ago Closed 10 years ago

heap buffer overflow (write) at nsHtml5ArrayCopy::arraycopy

Categories

(Core :: DOM: HTML Parser, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 982285

People

(Reporter: aki.helin, Unassigned)

Attachments

(1 file)

Attached file ff-bofr-html5.html
ASan spots the following issue when the attached page is opened. Note that the size is 0xfffffffffffffff8.

==5978==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150001ba5ff at pc 0x7f7386c99b35 bp 0x7f736ccf7f50 sp 0x7f736ccf7f48
WRITE of size 18446744073709551608 at 0x6150001ba5ff thread T15 (HTML5 Parser)
==5978==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x7f7386c99b34 in nsHtml5ArrayCopy::arraycopy(nsHtml5StackNode**, int, int, int) /home/aki/src/mozilla-aurora/parser/html/nsHtml5ArrayCopy.h:75
    #1 0x7f7386c992a0 in nsHtml5TreeBuilder::adoptionAgencyEndTag(nsIAtom*) /home/aki/src/mozilla-aurora/parser/html/nsHtml5TreeBuilder.cpp:3619
    #2 0x7f7386c920c4 in nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool) /home/aki/src/mozilla-aurora/parser/html/nsHtml5TreeBuilder.cpp:1109
    #3 0x7f7386c6619f in nsHtml5Tokenizer::emitCurrentTagToken(bool, int) /home/aki/src/mozilla-aurora/parser/html/nsHtml5Tokenizer.cpp:315
    #4 0x7f7386c803ea in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) /home/aki/src/mozilla-aurora/parser/html/nsHtml5Tokenizer.cpp:562
    #5 0x7f7386c66c23 in nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) /home/aki/src/mozilla-aurora/parser/html/nsHtml5Tokenizer.cpp:413
[...]

The original file caused a use-after-free error to be reported, but this was probably caused by the overflow hitting a previously allocated object by chance.
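The reported write size 18446744073709551608 (0xfffffffffffffff8) is what a small negative value looks like once it has been converted to an unsigned size_t. The following C program is an added illustration, not code from the bug report or from the Firefox HTML5 parser: it assumes that the copy routine multiplies a signed element count by the size of a pointer (8 bytes on the x86_64 build named in the report), which is an assumption about the reported code and not something the report states. It shows that an element count of -1 yields exactly the byte size ASan printed, and contrasts it with a bounds-checked copy that validates indices and count in signed arithmetic and refuses the request before memmove is ever reached. The StackNode type, checked_arraycopy and demo are hypothetical names introduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the parser's stack-node type; only pointers to
   it are copied, so its contents are irrelevant to the demonstration. */
typedef struct StackNode { int depth; } StackNode;

/* Byte count an unchecked copy would hand to memmove after converting the
   signed element count to size_t (assumption: count * sizeof(pointer)).
   With 8-byte pointers, count == -1 gives 0xfffffffffffffff8, the size in
   the ASan report above. */
size_t unchecked_copy_bytes(int count) {
    return (size_t)count * sizeof(StackNode *);
}

/* Bounds-checked copy of `count` pointers from src[src_pos..] to
   dst[dst_pos..]. Returns 0 on success and -1 if any index or the count is
   negative or the range does not fit in either array. All checks are done
   on signed ints before the conversion to size_t, so a negative count can
   never reach memmove. `src_len - count` cannot overflow because both
   operands are already known to be non-negative at that point. */
int checked_arraycopy(StackNode **src, int src_len, int src_pos,
                      StackNode **dst, int dst_len, int dst_pos, int count) {
    if (count < 0 || src_pos < 0 || dst_pos < 0) return -1;
    if (src_pos > src_len - count) return -1;
    if (dst_pos > dst_len - count) return -1;
    memmove(dst + dst_pos, src + src_pos, (size_t)count * sizeof(*src));
    return 0;
}

/* Exercise both paths on a constructed four-element stack. Returns 1 when
   the in-bounds copy succeeds with the expected contents and the
   negative-count request is rejected, 0 otherwise. */
int demo(void) {
    StackNode nodes[4] = { {0}, {1}, {2}, {3} };
    StackNode *stack[4] = { &nodes[0], &nodes[1], &nodes[2], &nodes[3] };
    StackNode *dst[4] = { 0 };

    /* Copy stack[1..3] into dst[0..2]: fits, must succeed. */
    if (checked_arraycopy(stack, 4, 1, dst, 4, 0, 3) != 0) return 0;
    if (dst[0]->depth != 1 || dst[1]->depth != 2 || dst[2]->depth != 3) return 0;

    /* The same call with count == -1 (the value behind the ASan size). */
    if (checked_arraycopy(stack, 4, 1, dst, 4, 0, -1) != -1) return 0;

    /* A count larger than the source array must also be rejected. */
    if (checked_arraycopy(stack, 4, 1, dst, 4, 0, 4) != -1) return 0;
    return 1;
}

int main(void) {
    printf("unchecked byte size for count -1: %zu (0x%zx)\n",
           unchecked_copy_bytes(-1), unchecked_copy_bytes(-1));
    printf("checked copy behaves as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The point for reviewers of similar crashes: a huge unsigned size in an ASan report usually means a signed length went negative upstream, so the fix belongs at the caller that computed the count (here adoptionAgencyEndTag), and the copy helper should reject negative or out-of-range requests rather than trust its arguments.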
Is this a regression from Bug 901319?
This looks like a dupe of Bug 982285. The stack looks like Bug 982285 c1 and I am unable to reproduce on nightly. The line numbers also suggest that the build is outdated because it doesn't match with aurora tip.
Aki, can you reproduce this on a nightly build?
Flags: needinfo?(aki.helin)
This no longer reproduces in aurora tip for me.

Seems to have been fixed very recently, since this still happened in aurora from a few days ago.
Flags: needinfo?(aki.helin)
Both the stack and the time frame of the bug going away point to this being a duplicate of bug 982285.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release