1134525 - heap-buffer-overflow (read of size 4) at PostFilterExtentsForPrimitive

Status: RESOLVED DUPLICATE of bug 1133160

(Core :: Graphics, defect)

Description

[Aki Helin]

Attachment: ff-bofr-postfilter.html

ASan spots a heap buffer overflow when the attached page is viewed. Filing as a typical possible security issue based on bug type.

$ ~/opt/firefox-asan-tinderbox/firefox ff-bofr-postfilter.html 2>&1 | grep -A 8 ERROR | symbolize | c++filt
==23731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000be8c4 at pc 0x7f26a30f1e31 bp 0x7fff09141f30 sp 0x7fff09141f28
READ of size 4 at 0x6020000be8c4 thread T0 (Web Content)
    #0 0x7f26a30f1e30 in PostFilterExtentsForPrimitive /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/gfx/src/FilterSupport.cpp:1482
    #1 0x7f26a30f2a6d in ComputePostFilterExtents /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/gfx/src/FilterSupport.cpp:1542
    #2 0x7f26a7442066 in ComputePostFilterExtents /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsFilterInstance.cpp:513
    #3 0x7f26a7441cf2 in GetPostFilterBounds /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsFilterInstance.cpp:147
    #4 0x7f26a7479ad8 in ComputePostEffectsVisualOverflowRect /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsSVGIntegrationUtils.cpp:282
    #5 0x7f26a71746bd in ComputeEffectsRect /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5291
    #6 0x7f26a71fabd7 in FinishAndStoreOverflow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsIFrame.h:2360

Comment 1

[Mats Palmgren (inactive)]

WFM, Linux64 ASAN Opt and Debug builds.

Comment 2

[Milan Sreckovic [:milan] (needinfo for best results)]

I'd say this is a duplicate of bug 1133160.

Comment 3

[Mats Palmgren (inactive)]

Yep, I can reproduce this with bug 1133160 backed out locally in my ASAN build.