Closed
Bug 1134525
Opened 9 years ago
Closed 9 years ago
heap-buffer-overflow (read of size 4) at PostFilterExtentsForPrimitive
Categories
(Core :: Graphics, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1133160
People
(Reporter: aki.helin, Unassigned)
Details
(Keywords: sec-moderate)
Attachments
(1 file)
200 bytes,
text/html
ASan spots a heap buffer overflow when the attached page is viewed. Filing as a typical possible security issue based on bug type.

$ ~/opt/firefox-asan-tinderbox/firefox ff-bofr-postfilter.html 2>&1 | grep -A 8 ERROR | symbolize | c++filt
==23731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000be8c4 at pc 0x7f26a30f1e31 bp 0x7fff09141f30 sp 0x7fff09141f28
READ of size 4 at 0x6020000be8c4 thread T0 (Web Content)
    #0 0x7f26a30f1e30 in PostFilterExtentsForPrimitive /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/gfx/src/FilterSupport.cpp:1482
    #1 0x7f26a30f2a6d in ComputePostFilterExtents /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/gfx/src/FilterSupport.cpp:1542
    #2 0x7f26a7442066 in ComputePostFilterExtents /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsFilterInstance.cpp:513
    #3 0x7f26a7441cf2 in GetPostFilterBounds /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsFilterInstance.cpp:147
    #4 0x7f26a7479ad8 in ComputePostEffectsVisualOverflowRect /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsSVGIntegrationUtils.cpp:282
    #5 0x7f26a71746bd in ComputeEffectsRect /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5291
    #6 0x7f26a71fabd7 in FinishAndStoreOverflow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsIFrame.h:2360
Updated•9 years ago
Flags: sec-bounty+
Updated•9 years ago
Flags: sec-bounty+ → sec-bounty?
Comment 1•9 years ago
WFM, Linux64 ASAN Opt and Debug builds.
I'd say this is a duplicate of bug 1133160.
Comment 3•9 years ago
Yep, I can reproduce this with bug 1133160 backed out locally in my ASAN build.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → DUPLICATE
Updated•9 years ago
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release
Updated•8 years ago
Keywords: sec-moderate