Bug 1231071 - heap-buffer-overflow (write) at OutputRow
Status: Closed (opened 9 years ago, closed 8 years ago)
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
RESOLVED DUPLICATE of bug 1223465

| Flag | Tracking | Status |
|---|---|---|
| firefox45 | --- | affected |
People
(Reporter: aki.helin, Unassigned)
Details
(Keywords: csectype-bounds, sec-critical)
Attachments
(2 files)
ASan spots a heap buffer overflow when the attached page, which just loads the attached image, is viewed. The included version seems to trigger this instantly every time, but during minimization a few reloads were occasionally required. Tested on Linux using a few recent tinderbox asan builds. The trace is very similar to the one in bug 1213744. Incomplete fix?

=================================================================
==10122==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800003ffdc at pc 0x7fb182b4059e bp 0x7fb16628abd0 sp 0x7fb16628abc8
WRITE of size 4 at 0x61800003ffdc thread T20 (ImgDecoder #3)
    #0 0x7fb182b4059d in OutputRow /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:409
    #1 0x7fb182b4147b in DoLzw /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:604
    #2 0x7fb182b43322 in WriteInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:732
    #3 0x7fb182ae5712 in Write /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/Decoder.cpp:183
    #4 0x7fb182ae39cc in Decode /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/Decoder.cpp:128
    #5 0x7fb182ae33f2 in Decode /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/DecodePool.cpp:453
    #6 0x7fb182b01fdc in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/DecodePool.cpp:282
    #7 0x7fb180b2516f in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:972
    #8 0x7fb180b9e54a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #9 0x7fb18144aa9f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #10 0x7fb1813b80ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #11 0x7fb1813b80ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #12 0x7fb1813b80ec in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #13 0x7fb180b20e80 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:384
    #14 0x7fb18e0c54b5 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #15 0x7fb18e704181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312 (discriminator 2)
    #16 0x7fb17e56a47c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Updated•8 years ago
Group: core-security → gfx-core-security
Comment 2•8 years ago
It is unfortunate that this sat around unlooked at for almost a month. Edwin, does this look like a dupe of one of the other image issues that has been fixed in the interim?
Keywords: csectype-bounds, sec-critical
Updated•8 years ago
Flags: needinfo?(edwin)
Yes, looks like a dupe of bug 1223465.
Flags: needinfo?(edwin)
Comment 5•8 years ago
FWIW, this was reported a week or so after that other bug was fixed on trunk so somebody should probably verify this is actually fixed.
I downloaded http://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/latest/firefox-44.0a1.en-US.linux-x86_64-asan.tar.bz2 and got after a few reloads:

=================================================================
==3067==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800009ffdc at pc 0x7fe0dac2f59e bp 0x7fe0bf9d5bd0 sp 0x7fe0bf9d5bc8
WRITE of size 4 at 0x61800009ffdc thread T18 (ImgDecoder #1)
    #0 0x7fe0dac2f59d in OutputRow /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:409
    #1 0x7fe0dac3047b in DoLzw /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:604
    #2 0x7fe0dac32322 in WriteInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:732
    #3 0x7fe0dabd4712 in Write /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/Decoder.cpp:183
    #4 0x7fe0dabd29cc in Decode /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/Decoder.cpp:128
    #5 0x7fe0dabd23f2 in Decode /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/DecodePool.cpp:453
    #6 0x7fe0dabf0fdc in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/DecodePool.cpp:282
    #7 0x7fe0d8c1416f in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:972
    #8 0x7fe0d8c8d54a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #9 0x7fe0d9539a9f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #10 0x7fe0d94a70ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #11 0x7fe0d94a70ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #12 0x7fe0d94a70ec in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #13 0x7fe0d8c0fe80 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:384
    #14 0x7fe0e61b44b5 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #15 0x7fe0e67f3181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312 (discriminator 2)
    #16 0x7fe0d665947c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
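The reporter asks whether this trace is the same bug as 1213744, and the thread closes by judging it a dupe of 1223465; that call becomes mechanical once each ASan report is reduced to a crash signature (error kind, access, and the top in-tree frames, with addresses and build-slave path prefixes dropped). The following is an added Python example, not code from this bug or from Mozilla's tooling: it parses an ASan report in either the flattened one-line form the copies above arrived in or the usual multi-line form, and compares two reports by signature. The two inputs are excerpts of the reports in the description and in comment 6; the names AsanReport, parse_asan_report, signature and same_bug are mine, and the depth of 3 frames is an assumed triage setting, not Bugzilla policy.

```python
import re
from dataclasses import dataclass

# Excerpts of the two reports on this page (first four frames each).
# REPORT_A is kept in the flattened one-line form the page shows.
REPORT_A = (
    "==10122==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800003ffdc "
    "at pc 0x7fb182b4059e bp 0x7fb16628abd0 sp 0x7fb16628abc8 "
    "WRITE of size 4 at 0x61800003ffdc thread T20 (ImgDecoder #3) "
    "#0 0x7fb182b4059d in OutputRow /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:409 "
    "#1 0x7fb182b4147b in DoLzw /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:604 "
    "#2 0x7fb182b43322 in WriteInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:732 "
    "#3 0x7fb182ae5712 in Write /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/Decoder.cpp:183"
)
REPORT_B = """\
==3067==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800009ffdc at pc 0x7fe0dac2f59e bp 0x7fe0bf9d5bd0 sp 0x7fe0bf9d5bc8
WRITE of size 4 at 0x61800009ffdc thread T18 (ImgDecoder #1)
    #0 0x7fe0dac2f59d in OutputRow /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:409
    #1 0x7fe0dac3047b in DoLzw /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:604
    #2 0x7fe0dac32322 in WriteInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/decoders/nsGIFDecoder2.cpp:732
    #3 0x7fe0dabd4712 in Write /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/Decoder.cpp:183
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
FRAME_RE = re.compile(r"^#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<path>\S+?):(?P<line>\d+)")
# Tokens that start a logical line; used to re-split a report that was flattened onto one line.
LINE_START_RE = re.compile(r"\s+(?=(?:==\d+==ERROR|READ of size|WRITE of size|#\d+ 0x))")


@dataclass(frozen=True)
class AsanReport:
    kind: str          # e.g. heap-buffer-overflow
    access: str        # READ or WRITE
    size: int          # access size in bytes
    thread: str        # e.g. T20
    frames: tuple      # (function, path relative to build/src, line), innermost first


def _source_relative(path):
    # Drop the build-slave prefix so two builds with different slave names compare equal.
    return path.split("/build/src/")[-1]


def parse_asan_report(text):
    """Parse an ASan error report; accepts flattened or multi-line input."""
    kind = access = thread = None
    size = 0
    frames = []
    for raw in LINE_START_RE.sub("\n", text).splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m:
            kind = m.group("kind")
            continue
        m = ACCESS_RE.match(line)
        if m:
            access, size, thread = m.group("access"), int(m.group("size")), m.group("thread")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group("func"), _source_relative(m.group("path")), int(m.group("line"))))
    if kind is None or access is None:
        raise ValueError("not an AddressSanitizer error report")
    return AsanReport(kind, access, size, thread, tuple(frames))


def signature(report, depth=3):
    """Crash signature: error kind, access, size and the top `depth` frames (addresses excluded)."""
    top = tuple(f"{func} {path}:{line}" for func, path, line in report.frames[:depth])
    return (report.kind, report.access, report.size) + top


def same_bug(a, b, depth=3):
    return signature(a, depth) == signature(b, depth)


if __name__ == "__main__":
    a, b = parse_asan_report(REPORT_A), parse_asan_report(REPORT_B)
    print(signature(a))
    print("same signature:", same_bug(a, b))
```

The signature deliberately ignores the faulting address, the pc and the thread id, which vary from run to run and between builds, and it strips everything up to build/src/ so reports from differently named build slaves still match; the remaining field to tune is the frame depth, since too shallow a depth merges distinct bugs that share a top frame like OutputRow and too deep a depth splits one bug across different entry paths.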
(In reply to Aki Helin from comment #6)
> I downloaded
> http://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-
> asan/latest/firefox-44.0a1.en-US.linux-x86_64-asan.tar.bz2

That build is from mid-October.
Comment 8•8 years ago
(In reply to Edwin Flores [:eflores] [:edwin] from comment #7)
> (In reply to Aki Helin from comment #6)
> > I downloaded
> > http://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-
> > asan/latest/firefox-44.0a1.en-US.linux-x86_64-asan.tar.bz2
>
> That build is from mid-October.

I've been told that those builds are being deprecated. You can still get builds off of there but the "latest" is no longer updated.

Aki: I've been told to get builds from here: https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan
Comment 9•8 years ago
(In reply to Andrew McCreight [:mccr8] from comment #5)
> FWIW, this was reported a week or so after that other bug was fixed on trunk
> so somebody should probably verify this is actually fixed.

I re-ran 12K iterations with no fuzzing and light fuzzing of this test case and did not find any results.
Comment 10•8 years ago
(In reply to Aki Helin from comment #6)
> I downloaded
> http://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-
> asan/latest/firefox-44.0a1.en-US.linux-x86_64-asan.tar.bz2

Unfortunately, ftp.mozilla.org is defunct, so the "latest" version there is fairly old. You have to look at https://archive.mozilla.org/ though I think for ASan there's no simple "latest"... (See bug 1226696.)
Comment 11•8 years ago
I filed bug 1237121 about getting that out-of-date ftp.mozilla.org directory removed.
Comment 12•8 years ago (Reporter)
Oh, I hadn't noticed latest/ had stopped being latest. Good idea to remove it. Thanks! I'll update my script to take the biggest id from archive.mozilla.org for now.
Updated•8 years ago
Group: gfx-core-security