Crash in skia::ConvolveHorizontally_SSE2 skia::ConvolveHorizontally mozilla::image::Downscaler::CommitRow mozilla::image::nsGIFDecoder2::OutputRow mozilla::image::nsGIFDecoder2::DoLzw

VERIFIED FIXED

Status

defect
4 years ago
3 years ago

People

(Reporter: cbook, Assigned: seth)

Tracking

(Blocks 1 bug, 4 keywords)

Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox42 unaffected, firefox43+ wontfix, firefox44+ fixed, firefox45+ fixed, firefox46+ verified, firefox-esr38 unaffected, firefox-esr45 verified, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 unaffected, b2g-v2.5 affected, b2g-v2.2r unaffected, b2g-master affected)

Details

(Whiteboard: [gfx-noted][adv-main44+])

Attachments

(3 attachments)

Reporter

Description

4 years ago
Found another crash via bughunter, reported up from mozilla-central to beta. Was able to reproduce this on a trunk m-c debug build on Windows 7 based on trunk.

no idea if this is one of the known bugs so filing 

Steps to reproduce:
Load http://www.hamienet.com/catl6950.html

skia::ConvolveHorizontally_SSE2 skia::ConvolveHorizontally mozilla::image::Downscaler::CommitRow mozilla::image::nsGIFDecoder2::OutputRow mozilla::image::nsGIFDecoder2::DoLzw

one report was marked as exploitable-> high
Reporter

Comment 1

4 years ago
from irc:

6:59 <seth> I hope it's not from those patches we uplifted to fix the previous bug =(((
07:01 <seth> yeah, sounds like it might be a regression from that uplift then, but worth verifying
07:01 <seth> that would really be the thing to check
07:02 <seth> if we can confirm that we can prolly fix it quickly

..building a beta build now to confirm
Reporter

Comment 2

4 years ago
(In reply to Carsten Book [:Tomcat] from comment #1)

> ..building a beta build now to confirm

Confirmed, beta build crashed too (tests on a new Mac 10.11 debug build), so I guess it's a regression.

Process:               firefox-bin [45496]
Path:                  /sheriffs/*/NightlyDebug.app/Contents/MacOS/./firefox-bin
Identifier:            org.mozilla.nightlydebug
Version:               43.0 (4315.12.8)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           Terminal [459]
User ID:               502

Date/Time:             2015-12-08 16:45:50.026 +0100
OS Version:            Mac OS X 10.11.1 (15B42)
Report Version:        11
Anonymous UUID:        69A95C98-72C9-37AF-067D-60C64901294F


Time Awake Since Boot: 33000 seconds

System Integrity Protection: enabled

Crashed Thread:        35  ImgDecoder #5

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000

Thread 35 Crashed:: ImgDecoder #5
0   XUL                           	0x00000001023fba73 mozilla::image::Downscaler::CommitRow() + 627 (Downscaler.cpp:202)
1   XUL                           	0x00000001023fb797 mozilla::image::Deinterlacer::PropagatePassToDownscaler(mozilla::image::Downscaler&) + 87 (Deinterlacer.cpp:38)
2   XUL                           	0x0000000102421ff9 mozilla::image::nsGIFDecoder2::OutputRow() + 761 (nsGIFDecoder2.cpp:490)
3   XUL                           	0x0000000102422563 mozilla::image::nsGIFDecoder2::DoLzw(unsigned char const*) + 915 (nsGIFDecoder2.cpp:575)
4   XUL                           	0x0000000102422dcd mozilla::image::nsGIFDecoder2::WriteInternal(char const*, unsigned int) + 1693 (nsGIFDecoder2.cpp:759)
5   XUL                           	0x00000001023f9b53 mozilla::image::Decoder::Write(char const*, unsigned int) + 147 (Decoder.cpp:183)
6   XUL                           	0x00000001023f8f34 mozilla::image::Decoder::Decode(mozilla::image::IResumable*) + 212 (Decoder.h:203)
7   XUL                           	0x00000001023f8c2c mozilla::image::DecodePool::Decode(mozilla::image::Decoder*) + 28 (DecodePool.cpp:458)
8   XUL                           	0x0000000102406ead mozilla::image::DecodePoolWorker::Run() + 445 (nsRefPtr.h:56)
9   XUL                           	0x00000001015fec07 nsThread::ProcessNextEvent(bool, bool*) + 1479 (nsCOMPtr.h:403)
10  XUL                           	0x000000010163ccf3 NS_ProcessNextEvent(nsIThread*, bool) + 51 (nsThreadUtils.cpp:277)
11  XUL                           	0x00000001019dd0ff mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) + 415 (MessagePump.cpp:355)
12  XUL                           	0x00000001019a707c MessageLoop::Run() + 60 (message_loop.cc:520)
13  XUL                           	0x00000001015fcad5 nsThread::ThreadFunc(void*) + 357 (nsThread.cpp:381)
14  libnss3.dylib                 	0x00000001013356e9 _pt_root + 281 (ptthread.c:215)
15  libsystem_pthread.dylib       	0x00007fff8b4b69b1 _pthread_body + 131
16  libsystem_pthread.dylib       	0x00007fff8b4b692e _pthread_start + 168
17  libsystem_pthread.dylib       	0x00007fff8b4b4385 thread_start + 13
Flags: needinfo?(seth)
Keywords: regression

Comment 4

4 years ago
See Bug 1229825 - AddressSanitizer: heap-buffer-overflow in mozilla::image::Deinterlacer::PropagatePassToDownscaler

Comment 5

4 years ago
putting the assertion into a comment for search goodness...

Assertion failure: mCurrentInLine < mOriginalSize.height (Past end of input), at /builds/slave/m-cen-m64-d-000000000000000000/build/src/image/Downscaler.cpp:201
Keywords: assertion
Component: GFX: Color Management → ImageLib
Whiteboard: [gfx-noted]
Keywords: sec-high
Group: core-security → gfx-core-security
Posted file asan_log.txt
This has been a pain to track down because the site doesn't reliably crash every time. However, force-reloading a few times was usually enough to make a build crash if it was going to.

https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=85b3e7100079de30cf23737c9ed2a1be6da13b12&tochange=6126225bbb9311e8279825af2457790d9f4d8e66

Looks like a straight-up regression from bug 1194058. I've also verified that the site doesn't crash on ESR38.5, which would seem to bolster that.
Tracked for FF44 since it's a sec-high.
Assignee: nobody → seth
Recent regression, sec-high, tracking for 43+. Wontfix for 43 as this isn't bad enough to drive a dot release.
After debugging this appears to be the same problem as bug 1229825. The patch in that bug fixes it for me.
Flags: needinfo?(seth)
Resolved fixed based on comment 10. Please let me know if that is not the case.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Comment 12

4 years ago
I'm not sure. http://www.bottari.pl appears to be a problem. But I'll comment in Bug 1224200.
Group: gfx-core-security → core-security-release
Whiteboard: [gfx-noted] → [gfx-noted][adv-main44+]
Reproduced with Nightly debug from 2015-12-15, under Mac OS X 10.11.1 ⇒ “Assertion failure: mCurrentInLine < mOriginalSize.height (Past end of input), at /builds/slave/m-cen-m64-d-000000000000000000/build/src/image/Downscaler.cpp:201” (as in comment 5) is displayed via Terminal. With Nightly from 2015-12-15, under Windows 10 64-bit, I get a crash with [@ skia::ConvolveVertically_SSE2_impl<T> ] signature [1].
Verified fixed with 46.0b11 (Build ID: 20160414152344) and esr45 tinderbox build (Build ID: 20160420001509), across platforms [2].


[1] bp-9c89a36e-1998-4d2d-ad51-847272160420
[2] Windows 10 64-bit, Mac OS X 10.11.1 and Ubuntu 14.04 64-bit
Status: RESOLVED → VERIFIED
Group: core-security-release
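
Added example, not part of the bug thread and not Mozilla's code: a simplified C++ row downscaler in which the invariant from the assertion in comment 5 (mCurrentInLine < mOriginalSize.height) is a runtime check, so surplus rows are rejected in release builds as well instead of only tripping a debug assertion. The class, its methods and FeedRows are hypothetical names chosen for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model, NOT Mozilla's Downscaler: averages every `factor` input
// rows into one output row. mCurrentInLine mirrors the name in the assertion
// quoted on this page; everything else is hypothetical.
class BoxDownscaler {
public:
  // Assumes width > 0, height > 0 and 0 < factor <= height.
  BoxDownscaler(int width, int height, int factor)
      : mWidth(width), mHeight(height), mFactor(factor), mCurrentInLine(0),
        mAccum(width, 0), mOut(static_cast<size_t>(width) * (height / factor), 0) {}

  // Start another progressive pass over the same image.
  void ResetForNextPass() {
    mCurrentInLine = 0;
    mAccum.assign(mWidth, 0);
  }

  // Runtime form of "mCurrentInLine < mOriginalSize.height". A debug-only
  // assertion disappears in release builds; this check does not.
  bool CommitRow(const std::vector<uint8_t>& row) {
    if (mCurrentInLine >= mHeight) return false;  // past end of input
    if (row.size() != static_cast<size_t>(mWidth)) return false;
    for (int x = 0; x < mWidth; ++x) mAccum[x] += row[x];
    if (++mCurrentInLine % mFactor == 0) {        // one output row is complete
      size_t outLine = static_cast<size_t>(mCurrentInLine / mFactor - 1);
      for (int x = 0; x < mWidth; ++x) {
        mOut[outLine * mWidth + x] = static_cast<uint8_t>(mAccum[x] / mFactor);
        mAccum[x] = 0;
      }
    }
    return true;
  }

  uint8_t OutPixel(int x, int outLine) const {
    return mOut.at(static_cast<size_t>(outLine) * mWidth + x);
  }

private:
  int mWidth, mHeight, mFactor, mCurrentInLine;
  std::vector<uint32_t> mAccum;
  std::vector<uint8_t> mOut;
};

// Feeds `rows` rows of a constant value, as a decoder whose row count comes
// from untrusted image data might. Returns how many rows were rejected.
int FeedRows(BoxDownscaler& d, int width, int rows, uint8_t value) {
  int rejected = 0;
  const std::vector<uint8_t> row(width, value);
  for (int i = 0; i < rows; ++i) rejected += d.CommitRow(row) ? 0 : 1;
  return rejected;
}
```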