Closed Bug 1459648 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:892:19 in nsFloatManager::EllipseShapeInfo::EllipseShapeInfo(nsPoint const&, nsSize const&, int, int

Categories

(Core :: Layout, defect)

61 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1457288

People

(Reporter: rs, Unassigned)


Attachments

(1 file)

Attached file overflow.html.gz (deleted)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3418.2 Safari/537.36

Steps to reproduce:

<style>
* { -webkit-animation-fill-mode: none; float: right; -webkit-transform: rotate(0deg); -webkit-border-top-right-radius: 1px 1px; box-shadow: 30px 0px 1px; flex-grow: 0; overflow-wrap: normal; stroke-opacity: 0; shape-margin: 27%; marker-mid: url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7); word-break: solid; user-zoom: zoom; -webkit-column-fill: auto; animation: anim 4s infinite alternate; column-rule: -1px solid; -webkit-backface-visibility: visible; --cssvarb: after; background-blend-mode: color-dodge, normal; -webkit-border-before: 1px solid; marker-mid: url(#svgvar00002) }
.class8, #htmlvar00009, dfn:only-child, .class2 { -webkit-app-region: drag; weight: *; columns: 82; font-variant-ligatures: common-ligatures; translate: inherit; -webkit-rtl-ordering: visual; border-left-style: hidden; counter-increment: c; min-height: 1vmax; flood-color: rgb(114,197,221); font: normal 46 69%/0 sans-serif; column-span: all; -webkit-flow-from: flow1; -webkit-mask-box-image-repeat: stretch; align-self: left unsafe; -webkit-box-flex: 57; content: counter(c, lower-alpha); user-select: none; -webkit-border-top-right-radius: 1px -1px; -webkit-marquee-speed: 0 }
</style>
<dl id="htmlvar00009" compact="compact" style="box-pack: end; -webkit-border-before-color: white; opacity: 0; order: inherit; shape-outside: padding-box ellipse(22% 46% at center right)" style="-webkit-column-break-inside: avoid; border-right-color: ; -webkit-text-decorations-in-effect: underline; overflow-y: overlay; vertical-align: -1vh" compact="compact" tabindex="1" left="22" onsuspend="eventhandler3()" list="htmlvar00002" poster="6aJ&gt;Uol&quot;yZNQL5%:AQX" rowspan="1">
<dt id="htmlvar00011" style="-webkit-border-after-width: 0px; -webkit-box-flex: -1; -webkit-mask-repeat: space space; -webkit-padding-after: 0px; grid-row-start: last" class="class2" contenteditable="plaintext-only" style="font-face: Arial; scale: 0.7856741268533086 0 0; -webkit-border-bottom-left-radius: 1px 0px; -webkit-mask: below url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7); mso-font-kerning: 0pt" tabindex="1" abbr="UblM`WXMZ" select="#htmlvar00003" inner="1" archive=".6H|6nzQGMv~" itemtype=".zX++`(zX`=&lt;sZ">/`&amp;{vi\lb8E7E`XU4s</dt>

Actual results:

==20623==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f90d8d02422 at pc 0x7f90fbb914d5 bp 0x7ffd93d9cad0 sp 0x7ffd93d9cac8
WRITE of size 2 at 0x7f90d8d02422 thread T0 (file:// Content)
    #0 0x7f90fbb914d4 in nsFloatManager::EllipseShapeInfo::EllipseShapeInfo(nsPoint const&, nsSize const&, int, int) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:892:19
    #1 0x7f90fbb9c911 in MakeUnique<nsFloatManager::EllipseShapeInfo, nsPoint &, nsSize &, int &, int &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:680:27
    #2 0x7f90fbb9c911 in nsFloatManager::ShapeInfo::CreateCircleOrEllipse(mozilla::UniquePtr<mozilla::StyleBasicShape, mozilla::DefaultDelete<mozilla::StyleBasicShape> > const&, int, nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2330
    #3 0x7f90fbb9835e in CreateBasicShape /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2197:14
    #4 0x7f90fbb9835e in nsFloatManager::FloatInfo::FloatInfo(nsIFrame*, int, int, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2005
    #5 0x7f90fbb2f74f in nsFloatManager::AddFloat(nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:260:13
    #6 0x7f90fba8eacb in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:994:19
    #7 0x7f90fba8be1f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #8 0x7f90fbce85a1 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22
    #9 0x7f90fbce85a1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966
    #10 0x7f90fbb1d6cd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #11 0x7f90fbb1c077 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #12 0x7f90fbb12d99 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #13 0x7f90fbb0b2f0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5
    #14 0x7f90fbb00b70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7
    #15 0x7f90fbaf8384 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #16 0x7f90fbb195f7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #17 0x7f90fbb2d79a in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6333:9
    #18 0x7f90fba8dcfd in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
    #19 0x7f90fba8be1f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #20 0x7f90fbce85a1 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22
    #21 0x7f90fbce85a1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966
    #22 0x7f90fbb1d6cd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #23 0x7f90fbb1c077 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #24 0x7f90fbb12d99 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #25 0x7f90fbb0b2f0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5
    #26 0x7f90fbb00b70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7
    #27 0x7f90fbaf8384 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #28 0x7f90fbb58846 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #29 0x7f90fbb57092 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5
    #30 0x7f90fbb58846 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #31 0x7f90fbc3fb28 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:555:3
    #32 0x7f90fbc40f49 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:678:3
    #33 0x7f90fbc44f28 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1055:3
    #34 0x7f90fbadc6de in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #35 0x7f90fbadb25e in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:335:7
    #36 0x7f90fb8c08a0 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8960:11
    #37 0x7f90fb8d64b0 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9133:24
    #38 0x7f90fb8d48b9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4342:11
    #39 0x7f90f6b671b8 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:592:5
    #40 0x7f90f6b671b8 in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7587
    #41 0x7f90f6946541 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2295:10
    #42 0x7f90f6946541 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, mozilla::FlushType) /builds/worker/workspace/build/src/dom/base/Element.cpp:680
    #43 0x7f90f6949b4e in mozilla::dom::Element::GetClientAreaRect() /builds/worker/workspace/build/src/dom/base/Element.cpp:1049:28
    #44 0x7f90f8864f2f in ClientHeight /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1310:50
    #45 0x7f90f8864f2f in mozilla::dom::ElementBinding::get_clientHeight(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3385
    #46 0x7f90f8fad951 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3136:13
    #47 0x7f90ff86ce87 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #48 0x7f90ff86ce87 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #49 0x7f90ff86de82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #50 0x7f910039d04a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2989:12
    #51 0x7f90f5128131 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/jsapi.h:3082:12
    #52 0x7f90f5128131 in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/js/xpconnect/wrappers/XrayWrapper.cpp:2387
    #53 0x7f9100456ee4 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:351:21
    #54 0x7f9100456ee4 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #55 0x7f910045711e in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16
    #56 0x7f910045711e in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:347
    #57 0x7f910045711e in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #58 0x7f910045711e in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16
    #59 0x7f910045711e in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:347
    #60 0x7f910045711e in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #61 0x7f910045711e in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16
    #62 0x7f910045711e in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:347
    #63 0x7f910045711e in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #64 0x7f910045711e in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16
    #65 0x7f910045711e in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:347
    #66 0x7f910045711e in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:361
    #67 0x7f90ff878872 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1639:16
    #68 0x7f90ff878872 in GetProperty /builds/worker/workspace/build/src/js/src/vm/JSObject.h:800
    #69 0x7f90ff878872 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4397
    #70 0x7f90ff85a9f7 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:213:12
    #71 0x7f90ff85a9f7 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2803
    #72 0x7f90ff83e087 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #73 0x7f90ff86cc05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #74 0x7f90ffa4b06c in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2380:14
    #75 0x3825c82302f7 (<unknown module>)

0x7f90d8d02422 is located 0 bytes to the right of 3941375010-byte region [0x7f8fede38800,0x7f90d8d02422)
allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f90fbb90c72 in operator new[] /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:174:12
    #2 0x7f90fbb90c72 in MakeUniqueFallible<unsigned short []> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtrExtensions.h:33
    #3 0x7f90fbb90c72 in nsFloatManager::EllipseShapeInfo::EllipseShapeInfo(nsPoint const&, nsSize const&, int, int) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:827
    #4 0x7f90fbb9c911 in MakeUnique<nsFloatManager::EllipseShapeInfo, nsPoint &, nsSize &, int &, int &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:680:27
    #5 0x7f90fbb9c911 in nsFloatManager::ShapeInfo::CreateCircleOrEllipse(mozilla::UniquePtr<mozilla::StyleBasicShape, mozilla::DefaultDelete<mozilla::StyleBasicShape> > const&, int, nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2330
    #6 0x7f90fbb9835e in CreateBasicShape /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2197:14
    #7 0x7f90fbb9835e in nsFloatManager::FloatInfo::FloatInfo(nsIFrame*, int, int, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2005
    #8 0x7f90fbb2f74f in nsFloatManager::AddFloat(nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:260:13
    #9 0x7f90fba8eacb in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:994:19
    #10 0x7f90fba8be1f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #11 0x7f90fbce85a1 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22
    #12 0x7f90fbce85a1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966
    #13 0x7f90fbb1d6cd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #14 0x7f90fbb1c077 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #15 0x7f90fbb12d99 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #16 0x7f90fbb0b2f0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5
    #17 0x7f90fbb00b70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7
    #18 0x7f90fbaf8384 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #19 0x7f90fbb195f7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #20 0x7f90fbb2d79a in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6333:9
    #21 0x7f90fba8dcfd in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:916:13
    #22 0x7f90fba8be1f in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #23 0x7f90fbce85a1 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22
    #24 0x7f90fbce85a1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966
    #25 0x7f90fbb1d6cd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15
    #26 0x7f90fbb1c077 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5
    #27 0x7f90fbb12d99 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9
    #28 0x7f90fbb0b2f0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5
    #29 0x7f90fbb00b70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7
    #30 0x7f90fbaf8384 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3
    #31 0x7f90fbb58846 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #32 0x7f90fbb57092 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5
    #33 0x7f90fbb58846 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #34 0x7f90fbc3fb28 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:555:3
    #35 0x7f90fbc40f49 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:678:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:892:19 in nsFloatManager::EllipseShapeInfo::EllipseShapeInfo(nsPoint const&, nsSize const&, int, int)
Shadow bytes around the buggy address:
  0x0ff29b198430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b198440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b198450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b198460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b198470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff29b198480: 00 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b198490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b1984a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b1984b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b1984c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff29b1984d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20623==ABORTING

Expected results:

Mozilla Firefox 61.0a1 build ID 20180430095344. It does not fail in today's build.
Group: firefox-core-security → layout-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Component: Untriaged → Layout
Product: Firefox → Core
Resolution: --- → DUPLICATE
Group: layout-core-security