Heap-buffer-overflow WRITE in ConvolveVertically_SSE2_impl

RESOLVED DUPLICATE of bug 1207378

People

(Reporter: inferno, Unassigned)

Tracking

({csectype-bounds, sec-critical})

Trunk

Firefox Tracking Flags

(firefox43+ fixed, firefox44+ fixed)

Details

(Whiteboard: [adv-main43-])

Attachments

(1 attachment)

2.74 KB, application/x-zip-compressed

Description

3 years ago
=================================================================
==19059==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000d3024 at pc 0x7f1cc7d4ffd4 bp 0x7f1cb049aa20 sp 0x7f1cb049aa18
WRITE of size 4 at 0x6040000d3024 thread T13 (ImgDecoder #1)
    #0 0x7f1cc7d4ffd3 in ConvolveVertically_SSE2_impl<true> gfx/2d/convolverSSE2.cpp:450:42
    #1 0x7f1cc7d4ffd3 in skia::ConvolveVertically_SSE2(short const*, int, unsigned char* const*, int, unsigned char*, bool) gfx/2d/convolverSSE2.cpp:463
    #2 0x7f1cc83ac66d in mozilla::image::Downscaler::DownscaleInputLine() image/Downscaler.cpp:257:3
    #3 0x7f1cc83ac1f7 in mozilla::image::Downscaler::CommitRow() image/Downscaler.cpp:185:5
    #4 0x7f1cc8401493 in mozilla::image::nsGIFDecoder2::OutputRow() image/decoders/nsGIFDecoder2.cpp:431:7
    #5 0x7f1cc8402728 in mozilla::image::nsGIFDecoder2::DoLzw(unsigned char const*) image/decoders/nsGIFDecoder2.cpp:608:11
    #6 0x7f1cc8404046 in mozilla::image::nsGIFDecoder2::WriteInternal(char const*, unsigned int) image/decoders/nsGIFDecoder2.cpp:736:12
    #7 0x7f1cc83a7732 in mozilla::image::Decoder::Write(char const*, unsigned int) image/Decoder.cpp:183:3
    #8 0x7f1cc83a5a5c in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) image/Decoder.cpp:128:5
    #9 0x7f1cc83a5532 in mozilla::image::DecodePool::Decode(mozilla::image::Decoder*) image/DecodePool.cpp:453:17
    #10 0x7f1cc83c6b50 in mozilla::image::DecodePoolWorker::Run() image/DecodePool.cpp:282:11
    #11 0x7f1cc61bb130 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:960:7
    #12 0x7f1cc623d53c in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:277:10
    #13 0x7f1cc6b368b6 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:326:20
    #14 0x7f1cc6aa01d1 in RunInternal ipc/chromium/src/base/message_loop.cc:234:3
    #15 0x7f1cc6aa01d1 in RunHandler ipc/chromium/src/base/message_loop.cc:227
    #16 0x7f1cc6aa01d1 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:201
    #17 0x7f1cc61b6fa4 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:382:5
    #18 0x7f1cd41b92ea in _pt_root nsprpub/pr/src/pthreads/ptthread.c:212:5
    #19 0x7f1cd47fd181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312
0x6040000d3024 is located 0 bytes to the right of 4-byte region [0x6040000d3020,0x6040000d3024)
allocated by thread T13 (ImgDecoder #1) here:
    #0 0x4b6dd5 in __interceptor_posix_memalign _asan_rtl_
    #1 0x7f1cc5fa9f65 in mozilla::VolatileBuffer::Init(unsigned long, unsigned long) memory/volatile/VolatileBufferFallback.cpp:35:7
    #2 0x7f1cc83deb76 in mozilla::image::AllocateBufferForImage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) image/imgFrame.cpp:77:7
    #3 0x7f1cc83de2e0 in mozilla::image::imgFrame::InitForDecoder(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, unsigned char, bool) image/imgFrame.cpp:214:13
    #4 0x7f1cc83a88f3 in mozilla::image::Decoder::AllocateFrameInternal(unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, unsigned char, mozilla::image::imgFrame*) image/Decoder.cpp:324:7
    #5 0x7f1cc83a82f3 in mozilla::image::Decoder::AllocateFrame(unsigned int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, unsigned char) image/Decoder.cpp:268:19
    #6 0x7f1cc8400a0b in mozilla::image::nsGIFDecoder2::BeginImageFrame(unsigned short) image/decoders/nsGIFDecoder2.cpp:271:10
    #7 0x7f1cc84051a3 in mozilla::image::nsGIFDecoder2::WriteInternal(char const*, unsigned int) image/decoders/nsGIFDecoder2.cpp:1106:11
    #8 0x7f1cc83a7732 in mozilla::image::Decoder::Write(char const*, unsigned int) image/Decoder.cpp:183:3
    #9 0x7f1cc83a5a5c in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) image/Decoder.cpp:128:5
    #10 0x7f1cc83a5532 in mozilla::image::DecodePool::Decode(mozilla::image::Decoder*) image/DecodePool.cpp:453:17
    #11 0x7f1cc83c6b50 in mozilla::image::DecodePoolWorker::Run() image/DecodePool.cpp:282:11
    #12 0x7f1cc61bb130 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:960:7
    #13 0x7f1cc623d53c in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:277:10
    #14 0x7f1cc6b368b6 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:326:20
    #15 0x7f1cc6aa01d1 in RunInternal ipc/chromium/src/base/message_loop.cc:234:3
    #16 0x7f1cc6aa01d1 in RunHandler ipc/chromium/src/base/message_loop.cc:227
    #17 0x7f1cc6aa01d1 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:201
    #18 0x7f1cc61b6fa4 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:382:5
    #19 0x7f1cd41b92ea in _pt_root nsprpub/pr/src/pthreads/ptthread.c:212:5
    #20 0x7f1cd47fd181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312
Thread T13 (ImgDecoder #1) created by T0 (Web Content) here:
    #0 0x430269 in pthread_create _asan_rtl_
    #1 0x7f1cd41b60af in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:453:14
    #2 0x7f1cd41b5cda in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:544:12
    #3 0x7f1cc61b85d3 in nsThread::Init() xpcom/threads/nsThread.cpp:502:19
    #4 0x7f1cc61bee0f in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:249:17
    #5 0x7f1cc623c72e in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) xpcom/glue/nsThreadUtils.cpp:68:5
    #6 0x7f1cc83a41c7 in mozilla::image::DecodePool::DecodePool() image/DecodePool.cpp:355:19
    #7 0x7f1cc83a380e in mozilla::image::DecodePool::Singleton() image/DecodePool.cpp:315:22
    #8 0x7f1cc83f3ec8 in mozilla::image::InitModule() image/build/nsImageModule.cpp:95:3
    #9 0x7f1cc618a632 in Load xpcom/components/nsComponentManager.cpp:886:21
    #10 0x7f1cc618a632 in nsFactoryEntry::GetFactory() xpcom/components/nsComponentManager.cpp:1917
    #11 0x7f1cc618bd87 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1220:34
    #12 0x7f1cc618335b in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1579:10
    #13 0x7f1cc6226f91 in CallGetService xpcom/glue/nsComponentManagerUtils.cpp:67:10
    #14 0x7f1cc6226f91 in nsGetServiceByContractID::operator()(nsID const&, void**) const xpcom/glue/nsComponentManagerUtils.cpp:280
    #15 0x7f1cc621cc77 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) xpcom/glue/nsCOMPtr.cpp:103:7
    #16 0x7f1cc82268e8 in nsCOMPtr objdir-ff-asan/dist/include/nsCOMPtr.h:540:5
    #17 0x7f1cc82268e8 in gfxPlatform::Init() gfx/thebes/gfxPlatform.cpp:584
    #18 0x7f1cc82246f4 in gfxPlatform::GetPlatform() gfx/thebes/gfxPlatform.cpp:423:9
    #19 0x7f1ccb8ccc44 in mozilla::dom::ContentProcess::Init() dom/ipc/ContentProcess.cpp:83:5
    #20 0x7f1ccdebd0eb in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:601:12
    #21 0x4dbbf4 in content_process_main(int, char**) ipc/contentproc/plugin-container.cpp:237:19
    #22 0x7f1cc346cec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

Shadow bytes around the buggy address:
  0x0c08800125b0: fa fa fa fa 00 00 03 fa fa fa fa fa 00 00 03 fa
  0x0c08800125c0: fa fa fa fa 00 00 03 fa fa fa fa fa 00 00 03 fa
  0x0c08800125d0: fa fa fa fa 00 00 03 fa fa fa fa fa fd fd fd fd
  0x0c08800125e0: fa fa fa fa fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c08800125f0: fa fa fa fa 00 00 00 fa fa fa fa fa 00 00 00 fa
=>0x0c0880012600: fa fa fa fa[04]fa fa fa fa fa fa fa fd fd fd fd
  0x0c0880012610: fa fa fa fa fd fd fd fa fa fa fa fa fd fd fd fa
  0x0c0880012620: fa fa fa fa fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0880012630: fa fa fa fa fd fd fd fa fa fa fa fa fd fd fd fa
  0x0c0880012640: fa fa fa fa fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0880012650: fa fa fa fa fd fd fd fa fa fa fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19059==ABORTING
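
Added example (not part of the original bug report or of Mozilla's code): a small triage script that decodes the marked shadow byte in the report above and confirms how far the write runs past the allocation. The three input lines are copied from the report; the shadow offset 0x7FFF8000 is an assumption (ASan's default mapping on Linux x86-64), and the function names are chosen for this example.

```python
import re

# Lines copied from the AddressSanitizer report in this bug's description.
REPORT = """\
WRITE of size 4 at 0x6040000d3024 thread T13 (ImgDecoder #1)
0x6040000d3024 is located 0 bytes to the right of 4-byte region [0x6040000d3020,0x6040000d3024)
=>0x0c0880012600: fa fa fa fa[04]fa fa fa fa fa fa fa fd fd fd fd
"""

SHADOW_SCALE = 3            # one shadow byte describes 8 application bytes
SHADOW_OFFSET = 0x7FFF8000  # assumption: ASan's default offset on Linux x86-64

def shadow_address(addr):
    """Map an application address to the shadow byte that describes it."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def poisoned_bytes(addr, size, shadow):
    """Count bytes of an access (inside one 8-byte granule) that are not addressable."""
    if shadow == 0:
        valid = 8               # whole granule addressable
    elif shadow < 8:
        valid = shadow          # only the first `shadow` bytes are addressable
    else:
        valid = 0               # redzone or freed memory (fa, fd, ...)
    first = addr & 7
    return sum(1 for off in range(first, first + size) if off >= valid)

def triage(report):
    """Extract the faulting access and check it against the marked shadow row."""
    kind, size, addr = re.search(
        r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report, re.M).groups()
    lo, hi = re.search(r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report).groups()
    base, cells = re.search(r"^=>(0x[0-9a-f]+):(.*)$", report, re.M).groups()
    addr, size, lo, hi = int(addr, 16), int(size), int(lo, 16), int(hi, 16)
    row = [int(b, 16) for b in re.findall(r"[0-9a-f]{2}", cells)]
    shadow = row[shadow_address(addr) - int(base, 16)]
    return {
        "kind": kind,
        "region_size": hi - lo,
        "shadow_addr": shadow_address(addr),
        "shadow_byte": shadow,
        "bad_bytes": poisoned_bytes(addr, size, shadow),
        "past_end": addr + size - hi,
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

The shadow byte 04 says only the first four bytes of that 8-byte granule are addressable, so the 4-byte write at granule offset 4 lands entirely past the end of the 4-byte frame buffer.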
(Reporter)

Updated

3 years ago
Group: core-security
(Reporter)

Comment 1

3 years ago
Created attachment 8666562 [details]
Testcase, run test.html

Updated

3 years ago
Keywords: sec-critical

Updated

3 years ago
Flags: needinfo?(seth)
Blocks: 1206744
At least some of the crashes from this were fixed in bug 1207378, but it seems like there are some outstanding issues with that signature still.

Updated

3 years ago
Keywords: csectype-bounds
The image is 60000 pixels high. On Mac we reject images that are over 32000 pixels. On other platforms we allow up to 64000. On Mac nothing bad seems to happen loading the testcase (because we never create an image for it).

On Windows I am able to easily crash without the patches for bug 1207378. After I update m-c to tip (so including the patches for bug 1207378) it no longer crashes.

I am able to get a different crash if I load the image directly (instead of the html file) and hold shift-ctrl-R for a while (but only in a debug build, timing sensitive perhaps?). But I think it's an existing issue because I built m-c before bug 1194058 landed and I get the same crash. I'll post the stack.
>	xul.dll!mozilla::gfx::SourceSurfaceAlignedRawData::~SourceSurfaceAlignedRawData() Line 88	C++
 	[External Code]	
 	xul.dll!mozilla::detail::RefCounted<mozilla::gfx::SourceSurface,1>::Release() Line 145	C++
 	xul.dll!mozilla::image::RasterImage::CopyFrame(unsigned int aWhichFrame, unsigned int aFlags) Line 668	C++
 	xul.dll!mozilla::image::RasterImage::GetFrameInternal(unsigned int aWhichFrame, unsigned int aFlags) Line 740	C++
 	xul.dll!mozilla::image::RasterImage::GetFrame(unsigned int aWhichFrame, unsigned int aFlags) Line 701	C++
 	xul.dll!nsWindowGfx::CreateIcon(imgIContainer * aContainer, bool aIsCursor, unsigned int aHotspotX, unsigned int aHotspotY, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> aScaledSize, HICON__ * * aIcon) Line 587	C++
 	xul.dll!mozilla::widget::TaskbarTabPreview::SetIcon(imgIContainer * icon) Line 95	C++
 	xul.dll!NS_InvokeByIndex(nsISupports * that, unsigned int methodIndex, unsigned int paramCount, nsXPTCVariant * params) Line 71	C++
 	xul.dll!CallMethodHelper::Invoke() Line 2095	C++
 	xul.dll!CallMethodHelper::Call() Line 1417	C++
 	xul.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx, XPCWrappedNative::CallMode mode) Line 1382	C++
 	xul.dll!XPC_WN_GetterSetter(JSContext * cx, unsigned int argc, JS::Value * vp) Line 1173	C++
 	xul.dll!js::jit::DoCallNativeSetter(JSContext * cx, JS::Handle<JSFunction *> callee, JS::Handle<JSObject *> obj, JS::Handle<JS::Value> val) Line 8207	C++
 	[External Code]	
 	[Frames below may be incorrect and/or missing]
Tracking for 44. Does this affect 43 or older versions?
tracking-firefox44: --- → +
Group: core-security → gfx-core-security
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #5)
> Tracking for 44. Does this affect 43 or older versions?

I'd expect this to affect 43.

It may be best to file a new bug for the issue discussed in comment 3 and comment 4.
status-firefox43: --- → affected
Flags: needinfo?(seth)
Timothy, could you file a new issue for the crash in comment 3 and 4? It sounds like the initial issue is fixed and the remaining one isn't security-sensitive. Please reopen if that's not the case.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(tnikkel)
Resolution: --- → DUPLICATE
Duplicate of bug: 1207378
Tracking this temporarily so that I'll notice the new bugs once they're filed.
tracking-firefox43: --- → +
New bug filed: bug 1213014.

Although I don't know if it needs to be tracked, it seemed like an existing problem. Not sure how long it's been happening.
Flags: needinfo?(tnikkel)
Fixed in 43+ in bug 1207378.
status-firefox43: affected → fixed
status-firefox44: affected → fixed
Whiteboard: [adv-main43-]
Group: gfx-core-security