Bug 1990970 Comment 0 Edit History
Saw this in experimental IPC fuzzing, targeting canvas translation:
```
==1936==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fff83c78c8f at pc 0x7fffd3c45f06 bp 0x7fff5bbe9c00 sp 0x7fff5bbe9bf8
WRITE of size 16 at 0x7fff83c78c8f thread T57
#0 0x7fffd3c45f05 in skvx::Vec<4, unsigned int>::store(void*) const gfx/skia/skia/src/base/SkVx.h:153:9
#1 0x7fffd3c45f05 in void SK_OPTS_NS::memsetT<unsigned int>(unsigned int*, unsigned int, int) gfx/skia/skia/src/opts/SkMemset_opts.h:28:23
#2 0x7fffd3c45f05 in SkPixmap::erase(SkRGBA4f<(SkAlphaType)3> const&, SkIRect const*) const::$_2::operator()(void*, unsigned long, int) const gfx/skia/skia/src/core/SkPixmap.cpp:807:17
#3 0x7fffd3c45f05 in SkPixmap::erase(SkRGBA4f<(SkAlphaType)3> const&, SkIRect const*) const::$_2::__invoke(void*, unsigned long, int) gfx/skia/skia/src/core/SkPixmap.cpp:805:13
#4 0x7fffd3c455c4 in SkPixmap::erase(SkRGBA4f<(SkAlphaType)3> const&, SkIRect const*) const gfx/skia/skia/src/core/SkPixmap.cpp:819:13
#5 0x7fffd3c44aff in SkPixmap::erase(unsigned int, SkIRect const&) const gfx/skia/skia/src/core/SkPixmap.cpp:759:18
#6 0x7fffd6ef9434 in SkPixmap::erase(unsigned int) const gfx/skia/skia/include/core/SkPixmap.h:712:52
#7 0x7fffd6ef9434 in mozilla::gfx::SharedContextWebgl::ReadInto(unsigned char*, int, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::TextureHandle*) dom/canvas/DrawTargetWebgl.cpp:1200:10
#8 0x7fffd6ef98d3 in mozilla::gfx::SharedContextWebgl::ReadSnapshot(mozilla::gfx::TextureHandle*) dom/canvas/DrawTargetWebgl.cpp:1238:30
#9 0x7fffd6ef9e2e in mozilla::gfx::DrawTargetWebgl::ReadSnapshot() dom/canvas/DrawTargetWebgl.cpp:1261:26
#10 0x7fffd6f56ae7 in mozilla::gfx::SourceSurfaceWebgl::EnsureData() dom/canvas/SourceSurfaceWebgl.cpp:44:18
#11 0x7fffd6f56ae7 in mozilla::gfx::SourceSurfaceWebgl::GetData() dom/canvas/SourceSurfaceWebgl.cpp:50:8
#12 0x7fffd1c98055 in mozilla::gfx::GetSkImageForSurface(mozilla::gfx::SourceSurface*, mozilla::Maybe<mozilla::detail::BaseAutoLock<mozilla::Mutex&> >*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, mozilla::gfx::BaseMatrix<float> const*) gfx/2d/DrawTargetSkia.cpp:277:30
#13 0x7fffd1ca037b in mozilla::gfx::SetPaintPattern(SkPaint&, mozilla::gfx::Pattern const&, mozilla::Maybe<mozilla::detail::BaseAutoLock<mozilla::Mutex&> >&, float, SkMatrix const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*) gfx/2d/DrawTargetSkia.cpp:595:11
#14 0x7fffd1c9ca04 in mozilla::gfx::AutoPaintSetup::AutoPaintSetup(SkCanvas*, mozilla::gfx::DrawOptions const&, mozilla::gfx::Pattern const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, SkMatrix const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*) /srv/repos/firefox.fuzzing/gfx/2d/DrawTargetSkia.cpp:662:5
#15 0x7fffd1c9ca04 in mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) gfx/2d/DrawTargetSkia.cpp:1020:18
#16 0x7fffd6f1a325 in mozilla::gfx::SharedContextWebgl::DrawPathAccel(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::StrokeOptions const*, bool, mozilla::gfx::ShadowOptions const*, bool, mozilla::gfx::BaseMatrix<float> const*) /srv/repos/firefox.fuzzing/dom/canvas/DrawTargetWebgl.cpp:4787:17
#17 0x7fffd6f28004 in mozilla::gfx::DrawTargetWebgl::DrawSurfaceWithShadow(mozilla::gfx::SourceSurface*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::ShadowOptions const&, mozilla::gfx::CompositionOp) dom/canvas/DrawTargetWebgl.cpp:5021:25
#18 0x7fffd1bb340b in mozilla::gfx::RecordedDrawSurfaceWithShadow::PlayEvent(mozilla::gfx::Translator*) const gfx/2d/RecordedEventImpl.h:3472:7
#19 0x7fffd238195c in mozilla::layers::CanvasTranslator::TranslateRecording()::$_1::operator()(mozilla::gfx::RecordedEvent*) const gfx/layers/ipc/CanvasTranslator.cpp:913:33
#20 0x7fffd238195c in bool std::__invoke_impl<bool, mozilla::layers::CanvasTranslator::TranslateRecording()::$_1&, mozilla::gfx::RecordedEvent*>(std::__invoke_other, mozilla::layers::CanvasTranslator::TranslateRecording()::$_1&, mozilla::gfx::RecordedEvent*&&) sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
#21 0x7fffd238195c in std::enable_if<is_invocable_r_v<bool, mozilla::layers::CanvasTranslator::TranslateRecording()::$_1&, mozilla::gfx::RecordedEvent*>, bool>::type std::__invoke_r<bool, mozilla::layers::CanvasTranslator::TranslateRecording()::$_1&, mozilla::gfx::RecordedEvent*>(mozilla::layers::CanvasTranslator::TranslateRecording()::$_1&, mozilla::gfx::RecordedEvent*&&) sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:113:9
#22 0x7fffd238195c in std::_Function_handler<bool (mozilla::gfx::RecordedEvent*), mozilla::layers::CanvasTranslator::TranslateRecording()::$_1>::_M_invoke(std::_Any_data const&, mozilla::gfx::RecordedEvent*&&) sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:291:9
#23 0x7fffd1bf8eec in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
#24 0x7fffd1bbab09 in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::MemReader>(mozilla::gfx::MemReader&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) gfx/2d/RecordedEventImpl.h:4819:5
#25 0x7fffd22f7214 in mozilla::layers::CanvasTranslator::TranslateRecording() gfx/layers/ipc/CanvasTranslator.cpp:893:20
[...]
0x7fff83c78c8f is located 0 bytes after 607375-byte region [0x7fff83be4800,0x7fff83c78c8f)
allocated by thread T57 here:
#0 0x55555570863f in __interceptor_malloc _asan_rtl_:3
#1 0x7fffd1d5e185 in mozilla::gfx::AlignedArray<unsigned char, 16>::Realloc(unsigned long, bool) gfx/2d/Tools.h:131:40
#2 0x7fffd1d5e185 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) gfx/2d/SourceSurfaceRawData.cpp:90:12
#3 0x7fffd1c4a74a in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) gfx/2d/Factory.cpp:1080:16
#4 0x7fffd6ef97f5 in mozilla::gfx::SharedContextWebgl::ReadSnapshot(mozilla::gfx::TextureHandle*) dom/canvas/DrawTargetWebgl.cpp:1233:7
#5 0x7fffd6ef9e2e in mozilla::gfx::DrawTargetWebgl::ReadSnapshot() dom/canvas/DrawTargetWebgl.cpp:1261:26
#6 0x7fffd6f56ae7 in mozilla::gfx::SourceSurfaceWebgl::EnsureData() dom/canvas/SourceSurfaceWebgl.cpp:44:18
#7 0x7fffd6f56ae7 in mozilla::gfx::SourceSurfaceWebgl::GetData() dom/canvas/SourceSurfaceWebgl.cpp:50:8
#8 0x7fffd1c98055 in mozilla::gfx::GetSkImageForSurface(mozilla::gfx::SourceSurface*, mozilla::Maybe<mozilla::detail::BaseAutoLock<mozilla::Mutex&> >*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, mozilla::gfx::BaseMatrix<float> const*) gfx/2d/DrawTargetSkia.cpp:277:30
#9 0x7fffd1ca037b in mozilla::gfx::SetPaintPattern(SkPaint&, mozilla::gfx::Pattern const&, mozilla::Maybe<mozilla::detail::BaseAutoLock<mozilla::Mutex&> >&, float, SkMatrix const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*) gfx/2d/DrawTargetSkia.cpp:595:11
#10 0x7fffd1c9ca04 in mozilla::gfx::AutoPaintSetup::AutoPaintSetup(SkCanvas*, mozilla::gfx::DrawOptions const&, mozilla::gfx::Pattern const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, SkMatrix const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*) /srv/repos/firefox.fuzzing/gfx/2d/DrawTargetSkia.cpp:662:5
#11 0x7fffd1c9ca04 in mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) gfx/2d/DrawTargetSkia.cpp:1020:18
#12 0x7fffd6f1a325 in mozilla::gfx::SharedContextWebgl::DrawPathAccel(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::StrokeOptions const*, bool, mozilla::gfx::ShadowOptions const*, bool, mozilla::gfx::BaseMatrix<float> const*) /srv/repos/firefox.fuzzing/dom/canvas/DrawTargetWebgl.cpp:4787:17
#13 0x7fffd6f28004 in mozilla::gfx::DrawTargetWebgl::DrawSurfaceWithShadow(mozilla::gfx::SourceSurface*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::ShadowOptions const&, mozilla::gfx::CompositionOp) dom/canvas/DrawTargetWebgl.cpp:5021:25
#14 0x7fffd1bb340b in mozilla::gfx::RecordedDrawSurfaceWithShadow::PlayEvent(mozilla::gfx::Translator*) const gfx/2d/RecordedEventImpl.h:3472:7
#15 0x7fffd238195c in mozilla::layers::CanvasTranslator::TranslateRecording()::$_1::operator()(mozilla::gfx::RecordedEvent*) const gfx/layers/ipc/CanvasTranslator.cpp:913:33
[...]
Shadow bytes around the buggy address:
0x7fff83c78c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7fff83c78c80: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fff83c78d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
```
Posting now so we have it on file; line numbers in some places can be off due to local fuzzblocker fixes.
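Added here as a triage aid, not part of the bug comment above and not Mozilla or Skia code: a small Python decoder that cross-checks the numbers in the ASan report against each other. It takes the access line, the "located ... region" line and the marked shadow row, verifies that the region bounds agree with the stated size and distance, counts how many bytes of the 16-byte store land outside the allocation, and decodes the partially-addressable shadow byte to find the first unaddressable application byte. The report excerpt embedded in the block is copied from the comment above (with the elided parts left out). Assumptions of mine: the shadow rows in this report are labelled by application address (they are 0x80 apart, which is 16 granules of 8 bytes, so that reading is consistent with the dump), `PIXEL_BYTES = 4` follows from frame #1 being `memsetT<unsigned int>`, and the names `ASAN_REPORT`, `parse_asan_report`, `triage` and `GRANULE` are chosen here.

```python
import re

# Excerpt of the ASan report from the bug comment above, copied verbatim;
# only the lines the decoder needs are included.
ASAN_REPORT = """\
==1936==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fff83c78c8f at pc 0x7fffd3c45f06 bp 0x7fff5bbe9c00 sp 0x7fff5bbe9bf8
WRITE of size 16 at 0x7fff83c78c8f thread T57
0x7fff83c78c8f is located 0 bytes after 607375-byte region [0x7fff83be4800,0x7fff83c78c8f)
Shadow bytes around the buggy address:
  0x7fff83c78c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7fff83c78c80: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fff83c78d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

GRANULE = 8       # one shadow byte describes 8 application bytes
PIXEL_BYTES = 4   # frame #1 is memsetT<unsigned int>: 4-byte pixels (assumption, see lead-in)


def parse_asan_report(text):
    """Extract the access, the heap region and the marked shadow row from an ASan report."""
    head = re.search(r"AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)", text)
    access = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text, re.M)
    region = re.search(
        r"located (\d+) bytes (after|before|inside) (\d+)-byte region "
        r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    row = re.search(r"^=>(0x[0-9a-f]+): (.*)$", text, re.M)
    if not (head and access and region and row):
        raise ValueError("not a heap-buffer-overflow report with a shadow dump")
    # Shadow bytes are two hex digits; the faulting granule's byte is in [brackets].
    tokens = re.findall(r"(\[?)([0-9a-f]{2})\]?", row.group(2))
    return {
        "kind": head.group(1),
        "op": access.group(1),
        "size": int(access.group(2)),
        "addr": int(access.group(3), 16),
        "distance": int(region.group(1)),
        "where": region.group(2),
        "region_size": int(region.group(3)),
        "lo": int(region.group(4), 16),
        "hi": int(region.group(5), 16),
        "row_base": int(row.group(1), 16),
        "shadow": [int(v, 16) for _, v in tokens],
        "marked": next(i for i, (b, _) in enumerate(tokens) if b == "["),
    }


def triage(r):
    """Cross-check the report's numbers and decode the marked shadow byte."""
    lo, hi, addr, n = r["lo"], r["hi"], r["addr"], r["size"]
    # Distance ASan prints, recomputed from the bounds it also prints.
    if r["where"] == "after":
        distance = addr - hi
    elif r["where"] == "before":
        distance = lo - addr
    else:
        distance = addr - lo
    # Bytes of the access [addr, addr+n) that fall inside [lo, hi).
    overlap = max(0, min(addr + n, hi) - max(addr, lo))
    # Assumption: the row label is the application address of the first byte
    # the row's 16 shadow bytes describe (rows are 0x80 apart in this dump).
    granule = (addr - r["row_base"]) // GRANULE
    sb = r["shadow"][granule]
    granule_base = r["row_base"] + granule * GRANULE
    if sb == 0:
        first_bad = None                 # whole granule addressable
    elif 1 <= sb < GRANULE:
        first_bad = granule_base + sb    # first sb bytes addressable, rest not
    else:
        first_bad = granule_base         # redzone or other poison: none addressable
    return {
        "region_size_matches_bounds": hi - lo == r["region_size"],
        "distance_matches_bounds": distance == r["distance"],
        "in_bounds_bytes": overlap,
        "out_of_bounds_bytes": n - overlap,
        "marked_byte_is_faulting_granule": r["marked"] == granule,
        "first_unaddressable": first_bad,
        "shadow_agrees_with_region_end": first_bad == hi,
        "access_misalignment": addr % n,
        "region_size_mod_pixel": r["region_size"] % PIXEL_BYTES,
    }


if __name__ == "__main__":
    report = parse_asan_report(ASAN_REPORT)
    for key, value in triage(report).items():
        print(f"{key:36} {value:#x}" if isinstance(value, int) and value > 255 else f"{key:36} {value}")
```

What the checks say for this report: the stated region size, bounds and distance are mutually consistent; none of the 16 written bytes lies inside the allocation (0 in bounds, 16 out of bounds); the shadow byte 07 places the first unaddressable byte at 0x7fff83c78c8f, exactly the end of the region and exactly the store address; the store address is 15 mod 16, so it is not a naturally aligned 16-byte vector store; and 607375 is 3 mod 4, so an allocation of that size cannot be tiled by whole 4-byte pixels. Those are facts to carry into root-causing the erase in ReadInto, not a root cause by themselves.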