Closed Bug 1349913 Opened 8 years ago Closed 8 years ago

AddressSanitizer: heap-buffer-overflow [@ _cairo_scaled_font_keys_equal] with READ of size 8

Categories: Core :: Graphics: Text, defect, P3

Tracking: RESOLVED INCOMPLETE

People

(Reporter: truber, Assigned: Gankra)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [gfx-noted][sec-triage-backlog])

Attachments

(1 file)

Crash observed while fuzzing mozilla-inbound rev 3df85eb27d47. I can't reproduce it from the fuzz input.

==21611==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160006f9080 at pc 0x7fb90259cc35 bp 0x7ffe6c2ee970 sp 0x7ffe6c2ee968
READ of size 8 at 0x6160006f9080 thread T0
    #0 0x7fb90259cc34 in _cairo_scaled_font_keys_equal /home/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:639:53
    #1 0x7fb902532a9e in _cairo_hash_table_lookup /home/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-hash.c:337:10
    #2 0x7fb902587933 in INT__moz_cairo_scaled_font_create /home/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:985:24
    #3 0x7fb8fcfbcde3 in gfxFontconfigFontEntry::CreateScaledFont(_FcPattern*, double, gfxFontStyle const*, bool) /home/worker/workspace/build/src/gfx/thebes/gfxFcPlatformFontList.cpp:714:18
    #4 0x7fb8fcfbd548 in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*, bool) /home/worker/workspace/build/src/gfx/thebes/gfxFcPlatformFontList.cpp:824:9
    #5 0x7fb8fd0a1136 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, bool, gfxCharacterMap*) /home/worker/workspace/build/src/gfx/thebes/gfxFontEntry.cpp:284:28
    #6 0x7fb8fd105a39 in gfxFontGroup::GetFontAt(int, unsigned int) /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:1850:20
    #7 0x7fb8fd107ece in gfxFontGroup::GetFirstValidFont(unsigned int) /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:2027:16
    #8 0x7fb8fcad1e67 in nsFontMetrics::GetMetrics(gfxFont::Orientation) const /home/worker/workspace/build/src/gfx/src/nsFontMetrics.cpp:167:24
    #9 0x7fb8fcad27ae in GetMetrics /home/worker/workspace/build/src/gfx/src/nsFontMetrics.h:243:14
    #10 0x7fb8fcad27ae in nsFontMetrics::ExternalLeading() /home/worker/workspace/build/src/gfx/src/nsFontMetrics.cpp:238
    #11 0x7fb901613ce4 in GetNormalLineHeight /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2769:43
    #12 0x7fb901613ce4 in ComputeLineHeight /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2825
    #13 0x7fb901613ce4 in mozilla::ReflowInput::CalcLineHeight(nsIContent*, nsStyleContext*, int, float) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2848
    #14 0x7fb9015ed70e in CalcLineHeight /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2835:10
    #15 0x7fb9015ed70e in mozilla::BlockReflowInput::BlockReflowInput(mozilla::ReflowInput const&, nsPresContext*, nsBlockFrame*, bool, bool, bool, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:142
    #16 0x7fb9016476ae in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1185:20
    #17 0x7fb90166740d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #18 0x7fb90165d386 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:11
    #19 0x7fb9016513a3 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5
    #20 0x7fb9016513a3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
    #21 0x7fb901647b3f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
    #22 0x7fb90166740d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #23 0x7fb90165d386 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:11
    #24 0x7fb9016513a3 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5
    #25 0x7fb9016513a3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
    #26 0x7fb901647b3f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
    #27 0x7fb90166740d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #28 0x7fb90165d386 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:11
    #29 0x7fb9016513a3 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5
    #30 0x7fb9016513a3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370
    #31 0x7fb901647b3f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
    #32 0x7fb9016a927a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:895:14
    #33 0x7fb9016a7bee in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:717:5
    #34 0x7fb9016a927a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:895:14
    #35 0x7fb9017492cd in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3
    #36 0x7fb90174a9d4 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3
    #37 0x7fb90174da66 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
    #38 0x7fb9016b8883 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:939:14
    #39 0x7fb90162df0b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:328:7
    #40 0x7fb9014362c8 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9272:11
    #41 0x7fb901449c42 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9445:24
    #42 0x7fb901448b86 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4221:11
    #43 0x7fb9013bc3e0 in FlushPendingNotifications /home/worker/workspace/build/src/layout/base/nsIPresShell.h:608:5
    #44 0x7fb9013bc3e0 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1905
    #45 0x7fb9013cad83 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
    #46 0x7fb9013caa42 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5
    #47 0x7fb9013ccffb in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
    #48 0x7fb9013ccffb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624
    #49 0x7fb9013cd23e in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
    #50 0x7fb9013cd23e in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
    #51 0x7fb9013cd23e in mozilla::detail::RunnableMethodImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver*, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
    #52 0x7fb8fad856b0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #53 0x7fb8fad820f8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #54 0x7fb8fbb27676 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:124:5
    #55 0x7fb8fba88820 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #56 0x7fb8fba88820 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #57 0x7fb8fba88820 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #58 0x7fb900d4267f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #59 0x7fb9041ba761 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
    #60 0x7fb90437704a in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4512:22
    #61 0x7fb904378ad3 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4690:8
    #62 0x7fb904379e5c in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4781:21
    #63 0x4eb3c3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #64 0x4eb3c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
    #65 0x7fb91603982f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #66 0x41cf18 in _start (/home/ubuntu/firefox/firefox+0x41cf18)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/cairo/cairo/src/cairo-scaled-font.c:639:53 in _cairo_scaled_font_keys_equal
Shadow bytes around the buggy address:
  0x0c2c800d71c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d71f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c800d7210:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d7260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21611==ABORTING
I'm going to mark this sec-high, but I don't know how exploitable this will be in practice.
Lee, you've been looking at fonts much lately..
Flags: needinfo?(lsalzman)
Priority: -- → P3
Whiteboard: [gfx-noted]
Not enough to go on here without a reproducible testcase or STR. It looks like maybe some memory was getting used after it was freed or possibly corrupted somehow, but I can't really tell much more from this trace.
Flags: needinfo?(lsalzman)
(In reply to Jesse Schwartzentruber (:truber) from comment #0)
> Crash observed while fuzzing mozilla-inbound rev 3df85eb27d47. I can't
> reproduce it from the fuzz input.

(In reply to Lee Salzman [:lsalzman] from comment #3)
> Not enough to go on here without a reproducible testcase or STR. It looks
> like maybe some memory was getting used after it was freed or possibly
> corrupted somehow, but I can't really tell much more from this trace.

Taking these two statements, it seems we are stuck :)
Jesse, can you provide your input nevertheless (or some input before you ran this specific test case?) If not, I suggest we close this as invalid.
Flags: needinfo?(jschwartzentruber)
Attached file Fuzzing input
Attached the crashing test case (test_page_1746.html) and 4 preceding inputs.
Flags: needinfo?(jschwartzentruber)
Assignee: nobody → a.beingessner
Alexis, did you have a chance to look at Jesse's input?
Flags: needinfo?(a.beingessner)
Yes, but I couldn't reproduce the crash with them, and am otherwise stumped as to how to proceed.
Flags: needinfo?(a.beingessner)
Whiteboard: [gfx-noted] → [gfx-noted][sec-triage-backlog]
Calling this incomplete for now since nobody can reproduce it at this point (I couldn't either). We can always reopen it if/when it becomes more reproducible again.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Group: gfx-core-security