Closed Bug 1419274 Opened 7 years ago Closed 7 years ago

UBSan: division by zero in [@ nsFontMetrics::GetMaxStringLength]

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Version:
59 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla59
Tracking Flags:
Tracking Status
firefox59 --- fixed

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, testcase)

Attachments

(2 files)

testcase.html
(deleted), text/html
Details
Protect against divide-by-zero in nsFontMetrics::GetMaxStringLength when font size is zero
(deleted), patch
milan
: review+
Details | Diff | Splinter Review
Attached file testcase.html (deleted) —
This was found with a Firefox build built with -fsanitize=float-divide-by-zero,integer-divide-by-zero /gfx/src/nsFontMetrics.cpp:310:30: runtime error: division by zero #0 0x7f3fdef4ddce in nsFontMetrics::GetMaxStringLength() /gfx/src/nsFontMetrics.cpp:310:30 #1 0x7f3fe3e400ba in GetMaxChunkLength(nsFontMetrics&) /layout/base/nsLayoutUtils.cpp:6047:32 #2 0x7f3fe3e37e24 in nsLayoutUtils::AppUnitWidthOfString(char16_t const*, unsigned int, nsFontMetrics&, mozilla::gfx::DrawTarget*) /layout/base/nsLayoutUtils.cpp:6056:29 #3 0x7f3fe3e40404 in nsLayoutUtils::AppUnitWidthOfStringBidi(char16_t const*, unsigned int, nsIFrame const*, nsFontMetrics&, gfxContext&) /layout/base/nsLayoutUtils.cpp:6085:10 #4 0x7f3fe3f68384 in nsBulletFrame::GetDesiredSize(nsPresContext*, gfxContext*, mozilla::ReflowOutput&, float, mozilla::LogicalMargin*) /layout/generic/nsBulletFrame.cpp:1061:9 #5 0x7f3fe3f690f2 in nsBulletFrame::GetMinISize(gfxContext*) /layout/generic/nsBulletFrame.cpp:1119:3 #6 0x7f3fe3f80602 in nsFrame::ShrinkWidthToFit(gfxContext*, int, nsIFrame::ComputeSizeFlags) /layout/generic/nsFrame.cpp:6273:22 #7 0x7f3fe3fb95f2 in nsFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /layout/generic/nsFrame.cpp:6258:25 #8 0x7f3fe3f84748 in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /layout/generic/nsFrame.cpp:5532:24 #9 0x7f3fe3ef03ee in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:2538:17 #10 0x7f3fe3ee83b5 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /layout/generic/ReflowInput.cpp:426:3 #11 0x7f3fe3eeb0d3 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::LogicalSize const*, unsigned int) /layout/generic/ReflowInput.cpp:258:5 #12 0x7f3fe3f3df7f in nsBlockFrame::ReflowBullet(nsIFrame*, mozilla::BlockReflowInput&, mozilla::ReflowOutput&, int) /layout/generic/nsBlockFrame.cpp:7204:15 #13 0x7f3fe3f3ce00 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2691:5 #14 0x7f3fe3f36b99 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1236:3 #15 0x7f3fe3f4c097 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:306:11 #16 0x7f3fe3f4685b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3474:11 #17 0x7f3fe3f433d3 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:2824:5 #18 0x7f3fe3f3bd46 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2363:7 #19 0x7f3fe3f36b99 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1236:3 #20 0x7f3fe3f4c097 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:306:11 #21 0x7f3fe3f4685b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3474:11 #22 0x7f3fe3f433d3 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:2824:5 #23 0x7f3fe3f3bd46 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2363:7 #24 0x7f3fe3f36b99 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1236:3 #25 0x7f3fe3f4c097 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /layout/generic/nsBlockReflowContext.cpp:306:11 #26 0x7f3fe3f4685b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:3474:11 #27 0x7f3fe3f433d3 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /layout/generic/nsBlockFrame.cpp:2824:5 #28 0x7f3fe3f3bd46 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /layout/generic/nsBlockFrame.cpp:2363:7 #29 0x7f3fe3f36b99 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsBlockFrame.cpp:1236:3 #30 0x7f3fe3f7224e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:934:14 #31 0x7f3fe3f71654 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:757:5 #32 0x7f3fe3f7224e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:934:14 #33 0x7f3fe4039dbd in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /layout/generic/nsGfxScrollFrame.cpp:552:3 #34 0x7f3fe403b630 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:664:3 #35 0x7f3fe403e3f7 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1041:3 #36 0x7f3fe3f28cc6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:978:14 #37 0x7f3fe3f2840d in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:336:7 #38 0x7f3fe3d3e3bc in mozilla::PresShell::DoReflow(nsIFrame*, bool) /layout/base/PresShell.cpp:9028:11 #39 0x7f3fe3d4d67a in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9201:24 #40 0x7f3fe3d4c9ba in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4274:11 #41 0x7f3fe3cd9a72 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:1901:16 #42 0x7f3fe3ce5003 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:306:7 #43 0x7f3fe3ce4d3a in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:327:5 #44 0x7f3fe3ce92ca in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:769:5 #45 0x7f3fe3ce7d20 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:682:35 #46 0x7f3fe3ce31dc in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /layout/base/nsRefreshDriver.cpp:528:20 #47 0x7f3fdc75cdb9 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1037:14 #48 0x7f3fdc795ed1 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:513:10 #49 0x7f3fdd8c7e31 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:97:21 #50 0x7f3fdd749d50 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299:3 #51 0x7f3fe36d70a4 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:159:27 #52 0x7f3fe80268d9 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:288:30 #53 0x7f3fe81edafb in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:4685:22 #54 0x7f3fe81ef95c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4847:8 #55 0x7f3fe81f0651 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:4942:21 #56 0x518238 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:231:22 #57 0x517aba in main /browser/app/nsBrowserApp.cpp:304:16 #58 0x7f401169b1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308 #59 0x420589 in _start (firefox+0x420589)
Flags: in-testsuite?
The only user of GetMaxStringLength is GetMaxChunkLength in nsLayoutUtils, which then clamps the result to be <= 8000, so arbitrarily setting a minimum for the divisor here is harmless, and avoids the risk of getting into undefined-behavior territory.
Attachment #8930439 - Flags: review?(milan)
Attachment #8930439 - Flags: review?(milan) → review+
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/03222c0d5cb6 Protect against divide-by-zero in nsFontMetrics::GetMaxStringLength when font size is zero. r=milan
https://hg.mozilla.org/mozilla-central/rev/03222c0d5cb6
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox59: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Assignee: nobody → jfkthame
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: