Closed Bug 1117304 (CVE-2015-0827) Opened 10 years ago Closed 10 years ago

Heap-buffer-overflow write in mozilla::gfx::CopyRect

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox34 --- wontfix
firefox35 --- wontfix
firefox36 + verified
firefox37 + verified
firefox38 + verified
firefox-esr31 36+ verified
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: inferno, Assigned: mstange)

References

Details

(4 keywords, Whiteboard: [adv-main36+][adv-esr31.5+])

Attachments

(4 files, 1 obsolete file)

Testcase
796 bytes, image/svg+xml
Details
part 2: make the tile filter deal with different input formats
1.59 KB, patch
bas.schouten
: review+
abillings
: sec-approval+
Details | Diff | Splinter Review
part 3: reftests
7.61 KB, patch
abillings
: sec-approval+
Details | Diff | Splinter Review
part 1: do all the checks in release builds
1.69 KB, patch
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Sylvestre
: approval-mozilla-esr31+
abillings
: sec-approval+
Details | Diff | Splinter Review
Attached image Testcase —
================================================================= ==16794==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f398b43d56f at pc 0x7f39a2568a2d bp 0x7fff0e98b4a0 sp 0x7fff0e98b498 WRITE of size 16 at 0x7f398b43d56f thread T0 (Web Content) #0 0x7f39a2568a2c in mozilla::gfx::CopyRect(mozilla::gfx::DataSourceSurface*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>) objdir-ff-asan/dist/include/mozilla/PodOperations.h:87:3 #1 0x7f39a25b3559 in mozilla::gfx::FilterNodeTileSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1552:7 #2 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #3 0x7f39a25a8710 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:698:17 #4 0x7f39a25c985d in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3004:10 #5 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #6 0x7f39a25a8710 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:698:17 #7 0x7f39a25ca1d9 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3061:5 #8 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #9 0x7f39a25a8710 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:698:17 #10 0x7f39a25b4e8f in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1680:5 #11 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #12 0x7f39a25a8710 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:698:17 #13 0x7f39a25c9fd9 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3032:5 #14 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #15 0x7f39a256dbba in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/FilterNodeSoftware.cpp:557:14 #16 0x7f39a2630f76 in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<mozilla::RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/src/FilterSupport.cpp:1249:3 #17 0x7f39a65b77e5 in nsFilterInstance::Render(gfxContext*) layout/svg/nsFilterInstance.cpp:486:3 #18 0x7f39a65b6c66 in nsFilterInstance::PaintFilteredFrame(nsIFrame*, gfxContext&, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) layout/svg/nsFilterInstance.cpp:74:10 #19 0x7f39a65eee5d in nsSVGIntegrationUtils::PaintFramesWithEffects(gfxContext&, nsIFrame*, nsRect const&, nsDisplayListBuilder*, mozilla::layers::LayerManager*) layout/svg/nsSVGIntegrationUtils.cpp:543:5 #20 0x7f39a5fca1ee in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) layout/base/FrameLayerBuilder.cpp:2665:5 #21 0x7f39a5fccee1 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:4630:5 #22 0x7f39a27a7600 in mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicPaintedLayer.cpp:94:7 #23 0x7f39a27a2b09 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:724:7 #24 0x7f39a279fe87 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicLayerManager.cpp:838:5 #25 0x7f39a27a2925 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:737:7 #26 0x7f39a279fe87 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicLayerManager.cpp:838:5 #27 0x7f39a279b3ca in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:528:5 #28 0x7f39a5fca23a in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) layout/base/FrameLayerBuilder.cpp:2670:5 #29 0x7f39a5fccee1 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:4630:5 #30 0x7f39a27b7204 in mozilla::layers::ClientPaintedLayer::PaintThebes() gfx/layers/client/ClientPaintedLayer.cpp:76:5 #31 0x7f39a27b7c98 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) gfx/layers/client/ClientPaintedLayer.cpp:131:3 #32 0x7f39a27d3227 in mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h:69:7 #33 0x7f39a27b270b in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp:268:3 #34 0x7f39a27b2d9b in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp:303:3 #35 0x7f39a60e92e1 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1642:3 #36 0x7f39a616bf0e in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:3177:5 #37 0x7f39a61ef845 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6345:5 #38 0x7f39a5957292 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:443:7 #39 0x7f39a5956ade in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:384:9 #40 0x7f39a5f814d7 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1386:5 #41 0x7f39a5f874d6 in mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp:177:5 #42 0x7f39a0efe325 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:631:7 #43 0x7f39a0efefc0 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:724:3 #44 0x7f39a0ef4f36 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:855:7 #45 0x7f39a0f4be16 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10 #46 0x7f39a1775aaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21 #47 0x7f39a1726de1 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3 #48 0x7f39a59890ff in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:164:3 #49 0x7f39a74454d2 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:734:12 #50 0x7f39a1726de1 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3 #51 0x7f39a744490b in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:571:7 #52 0x4bbc7e in content_process_main(int, char**) ipc/contentproc/plugin-container.cpp:211:19 #53 0x7f399e55eec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287 0x7f398b43d56f is located 0 bytes to the right of 589167-byte region [0x7f398b3ad800,0x7f398b43d56f) allocated by thread T0 (Web Content) here: #0 0x499a39 in __interceptor_malloc _asan_rtl_ #1 0x7f39a261cb16 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) gfx/2d/Tools.h:160:41 #2 0x7f39a256924a in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) gfx/2d/Factory.cpp:807:7 #3 0x7f39a25b3435 in mozilla::gfx::FilterNodeTileSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1545:18 #4 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #5 0x7f39a25a8710 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:698:17 #6 0x7f39a25c985d in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3004:10 #7 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #8 0x7f39a25a8710 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:698:17 #9 0x7f39a25ca1d9 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3061:5 #10 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #11 0x7f39a25a8710 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:698:17 #12 0x7f39a25b4e8f in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1680:5 #13 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #14 0x7f39a25a8710 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:698:17 #15 0x7f39a25c9fd9 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:3032:5 #16 0x7f39a25a2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:604:21 #17 0x7f39a256dbba in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/FilterNodeSoftware.cpp:557:14 #18 0x7f39a2630f76 in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<mozilla::RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/src/FilterSupport.cpp:1249:3 #19 0x7f39a65b77e5 in nsFilterInstance::Render(gfxContext*) layout/svg/nsFilterInstance.cpp:486:3 #20 0x7f39a65b6c66 in nsFilterInstance::PaintFilteredFrame(nsIFrame*, gfxContext&, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) layout/svg/nsFilterInstance.cpp:74:10 #21 0x7f39a65eee5d in nsSVGIntegrationUtils::PaintFramesWithEffects(gfxContext&, nsIFrame*, nsRect const&, nsDisplayListBuilder*, mozilla::layers::LayerManager*) layout/svg/nsSVGIntegrationUtils.cpp:543:5 #22 0x7f39a5fca1ee in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) layout/base/FrameLayerBuilder.cpp:2665:5 #23 0x7f39a5fccee1 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:4630:5 #24 0x7f39a27a7600 in mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicPaintedLayer.cpp:94:7 #25 0x7f39a27a2b09 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:724:7 #26 0x7f39a279fe87 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicLayerManager.cpp:838:5 #27 0x7f39a27a2925 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:737:7 #28 0x7f39a279fe87 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicLayerManager.cpp:838:5 #29 0x7f39a279b3ca in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:528:5 SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x0fe7b167fa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe7b167fa60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe7b167fa70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe7b167fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe7b167fa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fe7b167faa0: 00 00 00 00 00 00 00 00 00 00 00 00 00[07]fa fa 0x0fe7b167fab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7b167fac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7b167fad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7b167fae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7b167faf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac ASan internal: fe ==16794==ABORTING
Looks like the relevant code is from bug 924102.
Flags: needinfo?(mstange)
Assignee: nobody → mstange
Status: NEW → ASSIGNED
Flags: needinfo?(mstange)
This seems less bad than I initially thought. The bug allows an attacker to zero out memory beyond the end of an array, overshooting the array bounds by a few thousand bytes. It might also allow reading uninitialized memory, but only a few thousand bytes at a time. But as far as I can tell it doesn't allow *writes* of attacker-controlled data beyond array bounds.
Component: GFX: Color Management → Graphics
Hardware: x86_64 → All
Attached patch part 1: do format check in release builds (obsolete) — — Splinter Review
This would have prevented the exploitable bug and made us crash instead.
Attachment #8544075 - Flags: review?(bas)
Attached patch part 3: reftests — — Splinter Review
The format mismatch happens if the input filter has an A8 result surface in the regions where it has output. The mismatched B8G8R8A8 input enters into the loop when the tile filter requests a rect that is completely outside the input filter's output region - in that case, FilterNodeSoftware::GetOutput calls GetDataSurfaceInRect with a null surface, which causes GetDataSurfaceInRect to create an empty surface of the requested size with format B8G8R8A8.
Comment on attachment 8544075 [details] [diff] [review] part 1: do format check in release builds Review of attachment 8544075 [details] [diff] [review]: ----------------------------------------------------------------- Would it make sense to make all of them release asserts while we're at it? All of these could cause overflows.
Attachment #8544075 - Flags: review?(bas) → review+
Attachment #8544076 - Flags: review?(bas) → review+
Good idea.
Attachment #8544075 - Attachment is obsolete: true
Comment on attachment 8544527 [details] [diff] [review] part 1: do all the checks in release builds [Security approval request comment] How easily could an exploit be constructed based on the patch? Not that hard, but the exploit wouldn't be able to do all that much, see comment 2. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? They show how to trigger the out-of-bounds write, but not what you can do with it. I have split the tests out into a separate patch. Should I hold off on landing them? Which older supported branches are affected by this flaw? All branches that use 28 or later. If not all supported branches, which bug introduced the flaw? Bug 924103 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? They'll be very similar, easy to create, and not risky. How likely is this patch to cause regressions; how much testing does it need? Unlikely to cause regressions, doesn't need much testing other than the reftests in the other patch.
Attachment #8544527 - Flags: sec-approval?
Attachment #8544078 - Flags: sec-approval?
Attachment #8544076 - Flags: sec-approval?
Comment on attachment 8544076 [details] [diff] [review] part 2: make the tile filter deal with different input formats sec-approval+ for checkin on Jan 26. We're about to release 35 so it can't go in until two weeks into the next cycle.
Attachment #8544076 - Flags: sec-approval? → sec-approval+
Attachment #8544078 - Flags: sec-approval? → sec-approval+
Comment on attachment 8544078 [details] [diff] [review] part 3: reftests Tests shouldn't go in until 36 is release though. Otherwise, we expose the issue before it is fixed.
Attachment #8544527 - Flags: sec-approval? → sec-approval+
We'll want ESR31, Aurora, and Beta patches after it goes into trunk. (Sorry for the overlapping comments.)
tracking-firefox36: --- → +
tracking-firefox37: --- → +
tracking-firefox-esr31: --- → 36+
https://hg.mozilla.org/integration/mozilla-inbound/rev/1e2e5169edf8 https://hg.mozilla.org/integration/mozilla-inbound/rev/144dea01fcbf Please request Aurora/Beta/esr31 approval on this when you get a chance.
status-b2g-v1.4: --- → affected
status-b2g-v2.0: --- → affected
status-b2g-v2.1: --- → affected
status-b2g-v2.2: --- → affected
status-b2g-master: --- → affected
Flags: needinfo?(mstange)
Flags: in-testsuite?
Whiteboard: [checkin on 1/26]
https://hg.mozilla.org/mozilla-central/rev/1e2e5169edf8 https://hg.mozilla.org/mozilla-central/rev/144dea01fcbf
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-b2g-master: affectedfixed
status-firefox38: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Comment on attachment 8544527 [details] [diff] [review] part 1: do all the checks in release builds I'm requesting approval for Aurora/Beta/esr31 for attachment 8544527 [details] [diff] [review] and attachment 8544076 [details] [diff] [review] . Approval Request Comment [Feature/regressing bug #]: bug 924102 [User impact if declined]: security bug [Describe test coverage new/current, TreeHerder]: current coverage is ok but could be better, I have tests for this bug in attachment 8544078 [details] [diff] [review] but they shouldn't land until the fix is released. [Risks and why]: very low risk, the patches only change the code paths that would have led to a crash or a security leak before [String/UUID change made/needed]: none
Flags: needinfo?(mstange)
Attachment #8544527 - Flags: approval-mozilla-esr31?
Attachment #8544527 - Flags: approval-mozilla-beta?
Attachment #8544527 - Flags: approval-mozilla-aurora?
Attachment #8544527 - Flags: approval-mozilla-esr31?
Attachment #8544527 - Flags: approval-mozilla-esr31+
Attachment #8544527 - Flags: approval-mozilla-beta?
Attachment #8544527 - Flags: approval-mozilla-beta+
Attachment #8544527 - Flags: approval-mozilla-aurora?
Attachment #8544527 - Flags: approval-mozilla-aurora+
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #17) Bustage follow-up: https://hg.mozilla.org/releases/mozilla-esr31/rev/bbab000f0507
Whiteboard: [adv-main36+][adv-esr31.5+]
Alias: CVE-2015-0827
Reproduced the original issue several times using the following build: * http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1420110134/ * Opened "test.svg" and scrolled the page [Crashed] Went through verification using the following builds: fx38: http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1424187631/ fx37: http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1424185888/ fx36: http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1424184332/ fx31.5.0esr: http://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/31.5.0esr-candidates/build2/linux-x86_64/en-US/ Test Cases Used: - Opened "test.svg" several times in regular windows/tabs and scrolled through the page - Opened "test.svg" several times in private windows/tabs and scrolled through the page - Opened "test.svg" several times in e10s windows/tabs and scrolled through the page (only applies to m-c)
Status: RESOLVED → VERIFIED
status-firefox36: fixedverified
status-firefox37: fixedverified
status-firefox38: fixedverified
status-firefox-esr31: fixedverified
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security → core-security-release
Group: core-security-release
Did these reftests ever land? If so please change the "in-testsuite" flag to "+", otherwise please scan your fixed bugs for other fixed in-testsuite? security bugs that we can land tests for now.
Flags: needinfo?(mstange)
Keywords: regression
Blocks: 1882182

They didn't; I've filed bug 1882182 to land those tests.

Flags: needinfo?(mstange.moz)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: