2020-09-23 11:57 BST

ID: 0002789
Project: LibDOM
Category: [All Projects] General
View Status: public
Last Update: 2020-08-16 18:37
Reporter: sha0sum
Assigned To:
Priority: normal
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Summary: 0002789: Crashes found from fuzzing
Description: Fuzzing netsurf-gtk using Domato[1] found a few segfaults in LibDOM 0.4.1 (HEAD at 93b8a9bba18fc3166dd158484188b1730afdd382).

Minimized test cases, along with corresponding AddressSanitizer stack traces, are attached.

[1] https://github.com/googleprojectzero/domato
Tags: No tags attached.
Fixed in CI build #
Reported in CI build #
Attached Files
  • crashes.zip (6,386 bytes) 2020-08-16 00:21
  • 5.asan.txt (3,341 bytes) 2020-08-16 18:37
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==307418==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x5636fe24eff7 bp 0x61100048b740 sp 0x7ffc487d57d8 T0)
    ==307418==The signal is caused by a READ memory access.
    ==307418==Hint: address points to the zero page.
        #0 0x5636fe24eff6 in dom_html_table_section_element_get_rows src/html/html_tablesection_element.c:217
        #1 0x5636fe250e0f in dom_html_table_row_element_get_row_index src/html/html_tablerow_element.c:247
        #2 0x5636fdb909bf in dukky_html_table_row_element_rowIndex_getter /home/user/dev-netsurf/workspace/netsurf/html_table_row_element.c:160
        #3 0x5636fddebbba in duk__handle_call_raw content/handlers/javascript/duktape/duktape.c:64992
        #4 0x5636fddf681c in duk_hobject_getprop content/handlers/javascript/duktape/duktape.c:57584
        #5 0x5636fda83b02 in duk__js_execute_bytecode_inner content/handlers/javascript/duktape/duktape.c:78025
        #6 0x5636fdde481a in duk_js_execute_bytecode content/handlers/javascript/duktape/duktape.c:76732
        #7 0x5636fddec86c in duk__handle_call_raw content/handlers/javascript/duktape/duktape.c:64970
        #8 0x5636fdecfae5 in duk_handle_call_unprotected content/handlers/javascript/duktape/duktape.c:65146
        #9 0x5636fdecfae5 in duk__pcall_method_raw content/handlers/javascript/duktape/duktape.c:14391
        #10 0x5636fddffe2b in duk__handle_safe_call_inner content/handlers/javascript/duktape/duktape.c:65199
        #11 0x5636fddffe2b in duk_handle_safe_call content/handlers/javascript/duktape/duktape.c:65444
        #12 0x5636fde01fe9 in duk_pcall_method_flags content/handlers/javascript/duktape/duktape.c:14410
        #13 0x5636fddbc74b in js_fire_event content/handlers/javascript/duktape/dukky.c:1649
        #14 0x5636fdcdde70 in html_finish_conversion content/handlers/html/html.c:373
        #15 0x5636fdcdffc0 in html_begin_conversion content/handlers/html/html.c:970
        #16 0x5636fdca77b9 in html_convert_css_callback content/handlers/html/css.c:139
        #17 0x5636fdf267bb in hlcache_content_callback content/hlcache.c:204
        #18 0x5636fdbe55d1 in content_broadcast content/content.c:762
        #19 0x5636fdbe59a9 in content_set_done content/content.c:308
        #20 0x5636fdc31fd2 in nscss_content_done content/handlers/css/css.c:506
        #21 0x5636fdc34106 in nscss_convert_css_data content/handlers/css/css.c:321
        #22 0x5636fdc34106 in nscss_convert content/handlers/css/css.c:289
        #23 0x5636fdbe5ded in content_convert content/content.c:84
        #24 0x5636fdbe5ded in content_llcache_callback content/content.c:140
        #25 0x5636fdf33c79 in llcache_object_notify_users content/llcache.c:3430
        #26 0x5636fdf351af in llcache_catch_up_all_users content/llcache.c:3864
        #27 0x5636fe0e88bd in schedule_run frontends/gtk/schedule.c:148
        #28 0x5636fe0a9ef9 in nsgtk_main frontends/gtk/gui.c:506
        #29 0x5636fda7dab3 in main frontends/gtk/gui.c:1312
        #30 0x7f9e4dafa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #31 0x5636fdabecfd in _start (/home/user/dev-netsurf/workspace/netsurf/nsgtk3+0xadacfd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV src/html/html_tablesection_element.c:217 in dom_html_table_section_element_get_rows
    ==307418==ABORTING
    

Notes

~0002286 sha0sum (reporter)

Here is another crash input, caused by referencing rowIndex of an HTMLTableRowElement when there is no <thead> in the table:

<script>
window.onload = function () {
    row = document.getElementById("htmlvar00004");
    row.rowIndex;
}
</script>

<table>
<!-- Crashes when no <thead> element -->
<tr id="htmlvar00004"></tr>
</table>
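The crash class the note describes (a getter dereferencing a table section that does not exist), as an added illustration that is neither LibDOM's code nor the reporter's: a hypothetical, much simplified table model in C, with an unchecked row-count getter that faults on a NULL section beside a checked one that treats a missing <thead> as zero rows. Every struct and function name here is invented for the example; the only link to the report is the symptom, a read a few bytes above address 0 as in the attached trace, and the assumption that a bare <tr> is placed in a tbody.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of an HTML table used to illustrate the
 * crash class reported above. These are NOT LibDOM's structures or
 * functions: a table has three optional sections, an absent section is a
 * NULL pointer, and each present section owns an array of rows. */
struct row { const char *id; };
struct section { struct row *rows; size_t nrows; };
struct table { struct section *thead; struct section *tbody; struct section *tfoot; };

/* Unchecked row-count getter: dereferences the section pointer as-is.
 * For a table with no <thead>, table->thead is NULL, so the read lands a
 * few bytes above the zero page, which is the symptom the attached
 * AddressSanitizer trace reports (SEGV on address 0x58, "address points to
 * the zero page"). Only safe to call on a section that exists. */
static size_t get_rows_unchecked(const struct section *s)
{
    return s->nrows;
}

/* Checked getter: an absent section simply contributes zero rows. */
static size_t get_rows_checked(const struct section *s)
{
    return s == NULL ? 0 : s->nrows;
}

/* Row index across thead, tbody and tfoot in that order, or -1 when the row
 * is not in the table. Absent sections are skipped instead of dereferenced. */
static long row_index_checked(const struct table *t, const struct row *r)
{
    const struct section *order[3] = { t->thead, t->tbody, t->tfoot };
    long index = 0;
    for (size_t i = 0; i < 3; i++) {
        size_t n = get_rows_checked(order[i]);   /* 0 for a NULL section */
        for (size_t j = 0; j < n; j++, index++) {
            if (&order[i]->rows[j] == r)
                return index;
        }
    }
    return -1;
}

/* The reporter's minimized case: a lone <tr> with no <thead>. The bare row
 * is modelled as living in a tbody (constructed sample data). */
static long reported_case_index(void)
{
    struct row body_rows[1] = { { "htmlvar00004" } };
    struct section tbody = { body_rows, 1 };
    struct table t = { NULL, &tbody, NULL };   /* thead and tfoot absent */
    return row_index_checked(&t, &body_rows[0]);
}

/* A fuller table (constructed sample data): two header rows, one body row.
 * Shows that the index keeps counting across sections. */
static long multi_section_index(void)
{
    struct row head_rows[2] = { { "h0" }, { "h1" } };
    struct row body_rows[1] = { { "b0" } };
    struct section thead = { head_rows, 2 };
    struct section tbody = { body_rows, 1 };
    struct table t = { &thead, &tbody, NULL };
    return row_index_checked(&t, &body_rows[0]);
}

/* A row that is not in the table at all: must report -1, not crash. */
static long detached_row_index(void)
{
    struct row orphan = { "detached" };
    struct section tbody = { NULL, 0 };
    struct table t = { NULL, &tbody, NULL };
    return row_index_checked(&t, &orphan);
}

int main(void)
{
    struct row head_rows[1] = { { "h0" } };
    struct section thead = { head_rows, 1 };

    printf("reported case (no thead): rowIndex = %ld\n", reported_case_index());
    printf("multi-section table:      rowIndex = %ld\n", multi_section_index());
    printf("detached row:             rowIndex = %ld\n", detached_row_index());
    /* The unchecked getter works on a section that exists... */
    printf("unchecked on present thead: %zu rows\n", get_rows_unchecked(&thead));
    /* ...and would fault on the reported case's NULL thead, so it is not called there. */
    return 0;
}
```

The point of the checked variant is that "no <thead>" is a legal document state, not an error: a row-index computation has to treat an absent section as an empty collection rather than assume every section pointer is populated, and a fuzzer-generated table is exactly the kind of input that exercises that branch.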

Issue History
Date Modified       Username  Field       Change
2020-08-16 00:21    sha0sum   New Issue
2020-08-16 00:21    sha0sum   File Added  crashes.zip
2020-08-16 18:37    sha0sum   File Added  5.asan.txt
2020-08-16 18:37    sha0sum   Note Added  0002286