Closed Bug 1705228 Opened 4 years ago Closed 4 years ago

heap-buffer-overflow in [@ IsJustifiableCharacter]

Categories

(Core :: Layout: Text and Fonts, defect)

Tracking

RESOLVED DUPLICATE of bug 1711576
Tracking Status
firefox87 --- wontfix
firefox88 --- affected
firefox89 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

First found while fuzzing m-c 20210414-44e7fa45c33e (--enable-address-sanitizer --enable-fuzzing)

I will attach a test case shortly.

==659==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000b11fc at pc 0x7fd7fcedbc26 bp 0x7ffee8354d80 sp 0x7ffee8354d78
READ of size 2 at 0x6020000b11fc thread T0 (Isolated Web Co)
    #0 0x7fd7fcedbc25 in nsTextFragment::CharAt(int) const /gecko/dom/base/nsTextFragment.h:215:27
    #1 0x7fd801f96c96 in IsJustifiableCharacter /gecko/layout/generic/nsTextFrame.cpp:3118:24
    #2 0x7fd801f96c96 in nsTextFrame::PropertyProvider::ComputeJustification(gfxTextRun::Range, nsTArray<mozilla::JustificationAssignment>*) /gecko/layout/generic/nsTextFrame.cpp:3369:12
    #3 0x7fd801fcda1e in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) /gecko/layout/generic/nsTextFrame.cpp:9664:47
    #4 0x7fd801f45165 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /gecko/layout/generic/nsLineLayout.cpp:878:40
    #5 0x7fd801d3a9f1 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /gecko/layout/generic/nsBlockFrame.cpp:4532:15
    #6 0x7fd801d399f0 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /gecko/layout/generic/nsBlockFrame.cpp:4334:5
    #7 0x7fd801d32dce in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:4219:9
    #8 0x7fd801d2c6d9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3199:5
    #9 0x7fd801d244c0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2733:7
    #10 0x7fd801d1ed1f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1375:3
    #11 0x7fd801f4532f in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /gecko/layout/generic/nsLineLayout.cpp:875:13
    #12 0x7fd801d3a9f1 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /gecko/layout/generic/nsBlockFrame.cpp:4532:15
    #13 0x7fd801d399f0 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /gecko/layout/generic/nsBlockFrame.cpp:4334:5
    #14 0x7fd801d32dce in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:4219:9
    #15 0x7fd801d2c6d9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3199:5
    #16 0x7fd801d244c0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2733:7
    #17 0x7fd801d1ed1f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1375:3
    #18 0x7fd80200067c in nsFileControlFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/forms/nsFileControlFrame.cpp:148:19
    #19 0x7fd801f4532f in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /gecko/layout/generic/nsLineLayout.cpp:875:13
    #20 0x7fd801d3a9f1 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /gecko/layout/generic/nsBlockFrame.cpp:4532:15
    #21 0x7fd801d399f0 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /gecko/layout/generic/nsBlockFrame.cpp:4334:5
    #22 0x7fd801d32dce in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:4219:9
    #23 0x7fd801d2c6d9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3199:5
    #24 0x7fd801d244c0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2733:7
    #25 0x7fd801d1ed1f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1375:3
    #26 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #27 0x7fd80204af12 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableCellFrame.cpp:932:3
    #28 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #29 0x7fd80208dc1e in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /gecko/layout/tables/nsTableRowFrame.cpp:836:9
    #30 0x7fd80209055d in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableRowFrame.cpp:1038:3
    #31 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #32 0x7fd802095644 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /gecko/layout/tables/nsTableRowGroupFrame.cpp:407:7
    #33 0x7fd80209c9b4 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableRowGroupFrame.cpp:1387:3
    #34 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #35 0x7fd802067e0b in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, mozilla::OverflowAreas&) /gecko/layout/tables/nsTableFrame.cpp:3011:7
    #36 0x7fd8020643eb in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /gecko/layout/tables/nsTableFrame.cpp:2063:3
    #37 0x7fd802062d72 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableFrame.cpp:1849:5
    #38 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #39 0x7fd8020a7ee5 in nsTableWrapperFrame::ReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) /gecko/layout/tables/nsTableWrapperFrame.cpp:848:21
    #40 0x7fd8020a90f0 in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableWrapperFrame.cpp:980:3
    #41 0x7fd801d3768b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #42 0x7fd801d2f786 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3855:11
    #43 0x7fd801d2c8b8 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3196:5
    #44 0x7fd801d244c0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2733:7
    #45 0x7fd801d1ed1f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1375:3
    #46 0x7fd801d3768b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #47 0x7fd801d2f786 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3855:11
    #48 0x7fd801d2c8b8 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3196:5
    #49 0x7fd801d244c0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2733:7
    #50 0x7fd801d1ed1f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1375:3
    #51 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #52 0x7fd801d5d447 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsCanvasFrame.cpp:818:7
    #53 0x7fd801d7e876 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1041:14
    #54 0x7fd801f53a9e in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageContentFrame.cpp:69:5
    #55 0x7fd801d7e876 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1041:14
    #56 0x7fd801f55cc5 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /gecko/layout/generic/nsPageFrame.cpp:149:3
    #57 0x7fd801f562d4 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageFrame.cpp:176:13
    #58 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #59 0x7fd801cd31b8 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/PrintedSheetFrame.cpp:206:5
    #60 0x7fd801d7e876 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1041:14
    #61 0x7fd801f5ee80 in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageSequenceFrame.cpp:354:5
    #62 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #63 0x7fd801d5d447 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsCanvasFrame.cpp:818:7
    #64 0x7fd801d7e12f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #65 0x7fd801df13ee in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #66 0x7fd801df2d4c in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #67 0x7fd801df8d68 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
    #68 0x7fd801d7e876 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1041:14
    #69 0x7fd801d11bc0 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/ViewportFrame.cpp:372:7
    #70 0x7fd801b56c19 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /gecko/layout/base/PresShell.cpp:9597:11
    #71 0x7fd801b67d47 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9768:24
    #72 0x7fd801b66479 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4245:11
    #73 0x7fd8023fcb60 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /gecko/layout/printing/nsPrintJob.cpp:1867:14
    #74 0x7fd8023fb55e in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /gecko/layout/printing/nsPrintJob.cpp:1448:3
    #75 0x7fd8023f40e1 in nsPrintJob::InitPrintDocConstruction(bool) /gecko/layout/printing/nsPrintJob.cpp:1488:5
    #76 0x7fd802402768 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /gecko/layout/printing/nsPrintJob.cpp:2688:17
    #77 0x7fd8050c87b9 in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() /gecko/toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
    #78 0x7fd7fb66e164 in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPrintProgressDialogChild.cpp:234:28
    #79 0x7fd7fb246077 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8414:32
    #80 0x7fd7fafcde5a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2154:25
    #81 0x7fd7fafca37e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2078:9
    #82 0x7fd7fafcbd38 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1926:3
    #83 0x7fd7fafcc89b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1957:13
    #84 0x7fd7f9da4336 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:470:16
    #85 0x7fd7f9d6a4f3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:754:26
    #86 0x7fd7f9d68037 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:609:15
    #87 0x7fd7f9d6848d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:393:36
    #88 0x7fd7f9dad974 in operator() /gecko/xpcom/threads/TaskController.cpp:136:37
    #89 0x7fd7f9dad974 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #90 0x7fd7f9d86763 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
    #91 0x7fd7f9d9168c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #92 0x7fd7fafd5784 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
    #93 0x7fd7faedfaf1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #94 0x7fd7faedfaf1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #95 0x7fd7faedfaf1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #96 0x7fd8016267a7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #97 0x7fd805135a0f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #98 0x7fd7faedfaf1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #99 0x7fd7faedfaf1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #100 0x7fd7faedfaf1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #101 0x7fd80513529f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #102 0x55cfb4260f1d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #103 0x55cfb4261341 in main /gecko/browser/app/nsBrowserApp.cpp:309:18
    #104 0x7fd81a2a80b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #105 0x55cfb41b48b9 in _start (/home/worker/builds/m-c-20210414033918-fuzzing-asan-opt/firefox+0x5a8b9)

Attached file testcase.html
Flags: in-testsuite?
Keywords: bugmon, testcase

A Pernosco session is available here: https://pernos.co/debug/lBA8RbSCRsJh-WYcrbVWsg/index.html

Doesn't look related to APZ.

Component: Panning and Zooming → Layout

(In reply to Botond Ballo [:botond] from comment #3)
> Doesn't look related to APZ.

Oops, that was my mistake, thanks.

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210414160838-e105fb5fb5cf.
The bug appears to have been introduced in the following build range:

Start: a25601920fab8afe0b399e3750c53cf411e3c8ec (20200827201039)
End: ae59b435ba7e86aca38535e07e7b12609bb9a9b1 (20200827225009)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a25601920fab8afe0b399e3750c53cf411e3c8ec&tochange=ae59b435ba7e86aca38535e07e7b12609bb9a9b1

Whiteboard: [bugmon:bisected,confirmed]

This is not the true regression range. This test case uses window.printPreview() and it was made accessible to fuzzers in Bug 1493223.

Flags: needinfo?(emilio)

Looks like we just display text wrong (potentially leaking info about the memory) when this happens and manage to avoid crashing.

Component: Layout → Layout: Text and Fonts
Keywords: sec-moderate
See Also: → 1711576

Duping this to bug 1711576, since the crashes/testcases look similar, and jfkthame says his patch on that bug fixes this bug's crash as well.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(emilio)

Bugmon Analysis
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Group: layout-core-security