
930381.html (7666B)


      1 <script>
      2 function fuzz(){
        // Regression test for bug 930381 (the file name): swap the two marked
        // nodes so that #a (the <fieldset> holding an <iframe>) and #b (the
        // <video>) exchange positions in the tree. The ASan log in the trailing
        // HTML comment records a heap-use-after-free in
        // PresShell::DispatchSynthMouseMove reading a RestyleManager that
        // RestyleManager::Release had already freed; these node moves are
        // presumably what triggered it in the affected build, so the exact
        // statement order is part of the reproducer - do not reorder or
        // "clean up". Invoked from the <body onmouseover> handler below.
      3  var a=document.getElementById('a');
      4  var b=document.getElementById('b');
        // Capture a's original parent before replaceChild detaches a from it.
      5  var pa=a.parentNode;
        // Put a where b was; this removes a from pa and detaches b.
      6  b.parentNode.replaceChild(a,b);
        // Re-attach the now-detached b under a's former parent.
      7  pa.appendChild(b);
      8 }
      9 </script>
     10 <big>
     11 <menu>
     12 <address>
     13 <optgroup label="a"></optgroup>
     14 "
     15 <blockquote>
     16 a
     17 <ruby>a</ruby>
     18 </address>
     19 <s dir="rtl">
     20 <section>
     21 <fieldset id="a"><iframe></iframe></fieldset>
     22 </section>
     23 <body onmouseover="fuzz()">
     24 <video id="b">
     25 
     26 <!--
     27 ==21242==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700022a21c at pc 0x7f0fe52bd9bc bp 0x7fff20ff6650 sp 0x7fff20ff6648
     28 READ of size 4 at 0x61700022a21c thread T0
     29    #0 0x7f0fe52bd9bb (libxul.so!PresShell::DispatchSynthMouseMove(mozilla::WidgetGUIEvent*, bool)+0x1db)
     30        Line 75 of "/builds/slave/m-in-l64-asan-0000000000000000/build/layout/base/RestyleManager.h"
     31    #1 0x7f0fe52cc0c4 (libxul.so!PresShell::ProcessSynthMouseMoveEvent(bool)+0xde4)
     32        Line 5256 of "/builds/slave/m-in-l64-asan-0000000000000000/build/layout/base/nsPresShell.cpp"
     33    #2 0x7f0fe52f0547 (libxul.so!nsRefreshDriver::Tick(long, mozilla::TimeStamp)+0xbb7)
     34        Line 1074 of "/builds/slave/m-in-l64-asan-0000000000000000/build/layout/base/nsRefreshDriver.cpp"
     35    #3 0x7f0fe52f64e0 (libxul.so!mozilla::RefreshDriverTimer::Tick()+0x1f0)
     36        Line 168 of "/builds/slave/m-in-l64-asan-0000000000000000/build/layout/base/nsRefreshDriver.cpp"
     37    #4 0x7f0fe8de4c31 (libxul.so!nsTimerImpl::Fire()+0x6d1)
     38        Line 546 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsTimerImpl.cpp"
     39    #5 0x7f0fe8de52d6 (libxul.so!nsTimerEvent::Run()+0x66)
     40        Line 630 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsTimerImpl.cpp"
     41    #6 0x7f0fe8ddc019 (libxul.so!nsThread::ProcessNextEvent(bool, bool*)+0xaa9)
     42        Line 622 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp"
     43    #7 0x7f0fe8d08371 (libxul.so!NS_ProcessNextEvent(nsIThread*, bool)+0xb1)
     44        Line 251 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp"
     45    #8 0x7f0fe7955091 (libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x311)
     46        Line 85 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp"
     47    #9 0x7f0fe8ef7653 (libxul.so!MessageLoop::Run()+0x1c3)
     48        Line 220 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc"
     49    #10 0x7f0fe7733cac (libxul.so!nsBaseAppShell::Run()+0x5c)
     50        Line 161 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
     51    #11 0x7f0fe7135d9e (libxul.so!nsAppStartup::Run()+0xbe)
     52        Line 268 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/startup/nsAppStartup.cpp"
     53    #12 0x7f0fe46bf1c5 (libxul.so!XREMain::XRE_mainRun()+0x1e05)
     54        Line 3886 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
     55    #13 0x7f0fe46c00fa (libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*)+0x4fa)
     56        Line 3954 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
     57    #14 0x7f0fe46c102b (libxul.so!XRE_main+0x3ab)
     58        Line 4156 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
     59    #15 0x459d1d (firefox!main+0x94d)
     60        Line 275 of "/builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp"
     61    #16 0x7f0ff3d5876c (libc.so.6!__libc_start_main+0xec)
     62        Line 226 of "libc-start.c"
     63    #17 0x45929c (firefox!_start+0x28)
     64 0x61700022a21c is located 28 bytes inside of 760-byte region [0x61700022a200,0x61700022a4f8)
     65 freed by thread T0 here:
     66    #0 0x4461a5 (firefox!free+0x55)
     67        Line 64 of "/builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc"
     68    #1 0x7f0fe529f118 (libxul.so!mozilla::RestyleManager::Release()+0x138)
     69        Line 225 of "../../dist/include/mozilla/mozalloc.h"
     70 previously allocated by thread T0 here:
     71    #0 0x4462e5 (firefox!malloc+0x55)
     72        Line 74 of "/builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc"
     73    #1 0x7f0feddfe5c8 (libmozalloc.so!moz_xmalloc+0x8)
     74        Line 54 of "/builds/slave/m-in-l64-asan-0000000000000000/build/memory/mozalloc/mozalloc.cpp"
     75    #2 0x7f0fe5230421 (libxul.so!nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, nsIntRect const&, bool, bool, bool)+0x581)
     76        Line 824 of "/builds/slave/m-in-l64-asan-0000000000000000/build/layout/base/nsDocumentViewer.cpp"
     77    #3 0x7f0fe522fe90 (libxul.so!nsDocumentViewer::Init(nsIWidget*, nsIntRect const&)+0x20)
     78        Line 642 of "/builds/slave/m-in-l64-asan-0000000000000000/build/layout/base/nsDocumentViewer.cpp"
     79    #4 0x7f0fe929f537 (libxul.so!nsDocShell::Embed(nsIDocumentViewer*, char const*, nsISupports*)+0xe7)
     80        Line 6397 of "/builds/slave/m-in-l64-asan-0000000000000000/build/docshell/base/nsDocShell.cpp"
     81    #5 0x7f0fe92b14f4 (libxul.so!nsDocShell::CreateDocumentViewer(char const*, nsIRequest*, nsIStreamListener**)+0x1084)
     82        Line 8173 of "/builds/slave/m-in-l64-asan-0000000000000000/build/docshell/base/nsDocShell.cpp"
     83    #6 0x7f0fe9254ad4 (libxul.so!nsDSURIContentListener::DoContent(char const*, bool, nsIRequest*, nsIStreamListener**, bool*)+0x304)
     84        Line 122 of "/builds/slave/m-in-l64-asan-0000000000000000/build/docshell/base/nsDSURIContentListener.cpp"
     85    #7 0x7f0fe92f698f (libxul.so!nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*)+0x6ef)
     86        Line 680 of "/builds/slave/m-in-l64-asan-0000000000000000/build/uriloader/base/nsURILoader.cpp"
     87    #8 0x7f0fe92f433c (libxul.so!nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*)+0x67c)
     88        Line 382 of "/builds/slave/m-in-l64-asan-0000000000000000/build/uriloader/base/nsURILoader.cpp"
     89    #9 0x7f0fe92f3aaf (libxul.so!nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*)+0x32f)
     90        Line 258 of "/builds/slave/m-in-l64-asan-0000000000000000/build/uriloader/base/nsURILoader.cpp"
     91    #10 0x7f0fe4964bc2 (libxul.so!nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*)+0x1e2)
     92        Line 718 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsBaseChannel.cpp"
     93 Shadow bytes around the buggy address:
     94  0x0c2e8003d3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     95  0x0c2e8003d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     96  0x0c2e8003d410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     97  0x0c2e8003d420: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     98  0x0c2e8003d430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     99 =>0x0c2e8003d440: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
    100  0x0c2e8003d450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    101  0x0c2e8003d460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    102  0x0c2e8003d470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    103  0x0c2e8003d480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    104  0x0c2e8003d490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
    105 Shadow byte legend (one shadow byte represents 8 application bytes):
    106  Addressable:           00
    107  Partially addressable: 01 02 03 04 05 06 07
    108  Heap left redzone:     fa
    109  Heap right redzone:    fb
    110  Freed heap region:     fd
    111  Stack left redzone:    f1
    112  Stack mid redzone:     f2
    113  Stack right redzone:   f3
    114  Stack partial redzone: f4
    115  Stack after return:    f5
    116  Stack use after scope: f8
    117  Global redzone:        f9
    118  Global init order:     f6
    119  Poisoned by user:      f7
    120  ASan internal:         fe
    121 ==21242==ABORTING
    122 -->