Bug 1134525 - heap-buffer-overflow (read of size 4) at PostFilterExtentsForPrimitive
Status: Closed, RESOLVED DUPLICATE of bug 1133160
Opened 11 years ago, closed 11 years ago
Product/Component: Core :: Graphics (defect)
People: Reporter aki.helin; Unassigned
Keywords: reporter-external, sec-moderate
Attachments: 1 file (200 bytes, text/html)
ASan spots a heap buffer overflow when the attached page is viewed. Filing as a typical possible security issue based on bug type.
$ ~/opt/firefox-asan-tinderbox/firefox ff-bofr-postfilter.html 2>&1 | grep -A 8 ERROR | symbolize | c++filt
==23731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000be8c4 at pc 0x7f26a30f1e31 bp 0x7fff09141f30 sp 0x7fff09141f28
READ of size 4 at 0x6020000be8c4 thread T0 (Web Content)
#0 0x7f26a30f1e30 in PostFilterExtentsForPrimitive /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/gfx/src/FilterSupport.cpp:1482
#1 0x7f26a30f2a6d in ComputePostFilterExtents /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/gfx/src/FilterSupport.cpp:1542
#2 0x7f26a7442066 in ComputePostFilterExtents /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsFilterInstance.cpp:513
#3 0x7f26a7441cf2 in GetPostFilterBounds /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsFilterInstance.cpp:147
#4 0x7f26a7479ad8 in ComputePostEffectsVisualOverflowRect /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsSVGIntegrationUtils.cpp:282
#5 0x7f26a71746bd in ComputeEffectsRect /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5291
#6 0x7f26a71fabd7 in FinishAndStoreOverflow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsIFrame.h:2360
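Comments 2 and 3 below settle the question a triager asks of every report like this one: is it the same crash as an already-filed bug? One way to make that mechanical is to reduce the ASan output to a signature built from the error kind, the access, and the top frames with build paths and line numbers stripped. The following is an added example, not code from the bug, from the reporter, or from Mozilla; it assumes the standard AddressSanitizer report layout, and the embedded report text is a constructed copy of the output above, cut to the first three frames.

```python
"""Reduce an AddressSanitizer report to a triage/dedupe signature.

Added example, not Mozilla code. ASAN_REPORT is a constructed copy of the
output in the bug (first three frames only) so the script runs offline.
"""
import os
import re

# Constructed sample input. Real ASan output indents frame lines; the
# extracted bug text does not, and FRAME_RE accepts both.
ASAN_REPORT = """\
==23731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000be8c4 at pc 0x7f26a30f1e31 bp 0x7fff09141f30 sp 0x7fff09141f28
READ of size 4 at 0x6020000be8c4 thread T0 (Web Content)
    #0 0x7f26a30f1e30 in PostFilterExtentsForPrimitive /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/gfx/src/FilterSupport.cpp:1482
    #1 0x7f26a30f2a6d in ComputePostFilterExtents /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/gfx/src/FilterSupport.cpp:1542
    #2 0x7f26a7442066 in ComputePostFilterExtents /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsFilterInstance.cpp:513
"""

ERROR_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)"
)
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)"
)
# Frames whose demangled function name contains spaces (template arguments,
# "(anonymous namespace)") do not match this pattern and are skipped.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<path>\S+):(?P<line>\d+)\s*$"
)


def parse_asan_report(text):
    """Return the error kind, the faulting access, and the symbolized frames.

    Frames are (function, file basename, line). A report with no ERROR header
    is rejected outright: the remaining fields mean nothing without it.
    """
    report = {"kind": None, "op": None, "size": None, "frames": []}
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            report["kind"] = m.group("kind")
            report["pid"] = int(m.group("pid"))
            report["addr"] = m.group("addr")
            continue
        m = ACCESS_RE.match(line)
        if m:
            report["op"] = m.group("op")
            report["size"] = int(m.group("size"))
            report["thread"] = m.group("thread")
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append(
                (m.group("func"), os.path.basename(m.group("path")), int(m.group("line")))
            )
    if report["kind"] is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def crash_signature(report, depth=3):
    """Build a dedupe key from the error kind, the access, and the top frames.

    Line numbers and the build-slave path prefix are dropped so the same bug
    hit from two nightlies, or from two differently fuzzed pages, collapses to
    one key; function and file names survive source renumbering. Reports with
    no READ/WRITE line (e.g. a SEGV) get "-" in the access slot.
    """
    access = f"{report['op']}{report['size']}" if report["op"] else "-"
    frames = " > ".join(f"{func}@{fname}" for func, fname, _ in report["frames"][:depth])
    return f"{report['kind']} {access} {frames}"


if __name__ == "__main__":
    parsed = parse_asan_report(ASAN_REPORT)
    print(crash_signature(parsed))
```

Three frames is a reasonable default depth for this family of bugs because the crashing function plus its two callers is enough to separate filter-extent crashes from other graphics crashes without being so deep that different entry paths into the same bug produce different keys.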
Updated•11 years ago
Flags: sec-bounty+
Updated•11 years ago
Flags: sec-bounty+ → sec-bounty?
Comment 1•11 years ago
WFM, Linux64 ASAN Opt and Debug builds.
Comment 2•11 years ago
I'd say this is a duplicate of bug 1133160.
Comment 3•11 years ago
Yep, I can reproduce this with bug 1133160 backed out locally in my ASAN build.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → DUPLICATE
Updated•11 years ago
Flags: sec-bounty? → sec-bounty-
Updated•10 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release
Updated•9 years ago
Keywords: sec-moderate
Updated•1 year ago
Keywords: reporter-external