Closed
Bug 1235469
Opened 9 years ago
Closed 8 years ago
Heap-buffer-overflow [@ gldBlitFramebufferData] with canvas, shadow, drawImage(HTMLVideoElement)
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: jruderman, Assigned: pchang)
References
Details
(Keywords: crash, sec-high, testcase, Whiteboard: [gfx-noted])
Attachments
(5 files)
Same testcase as bug 1225250, crashes again on mozilla-central, at least with ASan. I haven't gotten non-ASan builds to crash with this testcase.
You'll need to adjust the testcase so it points to your copy of layout/reftests/webm-video/frames.webm (in your mozilla-central tree or tests zip). Any other video file will probably crash too, but an image file won't.
|
Reporter | |
Comment 1•9 years ago
|
||
|
||
Updated•9 years ago
|
Assignee: nobody → lsalzman
|
||
Comment 2•9 years ago
|
||
I tried to reproduce this on Linux with accelerated Skia on an ASan build, but I was not able to get it to reproduce at all.
I'm CC'ing this over to Mason to see if he wants to test it on OS X and can get it to reproduce for him.
Assignee: lsalzman → nobody
OS: Unspecified → Mac OS X
Whiteboard: [gfx-noted]
|
||
Comment 3•9 years ago
|
||
From https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer, it looks like mac ASAN builds aren't really supported at the moment, and only linux builds are. There are some instructions on how to build ASAN on OS X here - https://bugzilla.mozilla.org/show_bug.cgi?id=1026162#c7. How are you building ASAN builds?
Flags: needinfo?(jruderman)
|
||
Comment 4•9 years ago
|
||
Mason,
The fuzzing team builds Mac ASAN every day.
AFAIK, https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer#Adjusting_the_build_configuration is the instruction set.
CC'ing Decoder.
|
|
||
Comment 5•9 years ago
|
||
I'm getting a lot of linker errors with an ASAN build from following the instructions at https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer#Adjusting_the_build_configuration. I also compiled my own LLVM / Clang to get the llvm-symbolizer working and that didn't seem to fix the compile error.
|
|
||
Comment 6•9 years ago
|
||
Traditionally, ASAN compilation has been very sensitive to clang revisions. What version of LLVM are you using?
|
|
||
Comment 7•9 years ago
|
||
(In reply to Mason Chang [:mchang] from comment #5)
> Created attachment 8720590 [details]
> Compile error log
>
> I'm getting a lot of linker errors with an ASAN build from following the
> instructions at
> https://developer.mozilla.org/en-US/docs/Mozilla/Testing/
> Firefox_and_Address_Sanitizer#Adjusting_the_build_configuration. I also
> compiled my own LLVM / Clang to get the llvm-symbolizer working and that
> didn't seem to fix the compile error.
I've tried both with clang that comes with OS X El Capitan:
clang --version
Apple LLVM version 7.0.2 (clang-700.1.81)
Target: x86_64-apple-darwin15.3.0
Thread model: posix
And locally built:
./clang --version
clang version 3.7.1 (tags/RELEASE_371/final)
Target: x86_64-apple-darwin15.3.0
Thread model: posix
|
|
||
Comment 8•9 years ago
|
||
At https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer it suggests:
REV=200213
with a big bold note that says:
It is NOT advised to use system-supplied versions of clang for ASAN builds; they may have issues or instabilities when used to build/test Firefox. The versions given are known to work.
|
|
||
Comment 9•9 years ago
|
||
|
|
||
Comment 10•9 years ago
|
||
Some new different errors even using the specific clang version:
# For MacOSX, please use at least r214699.
I also downloaded the 10.8 SDK since I'm on 10.11, same error.
Peter, can somebody in Taipei do the ASAN build?
Flags: needinfo?(howareyou322)
|
Assignee | |
Comment 12•9 years ago
|
||
(In reply to Milan Sreckovic [:milan] from comment #11)
> Peter, can somebody in Taipei do the ASAN build?
I can try to build ASAN build on OSX first.
|
|
Assignee | |
Comment 13•9 years ago
|
||
(In reply to Jesse Ruderman from comment #0)
> Created attachment 8702419 [details]
> testcase (may crash Firefox) (requires path adjustment)
>
> Same testcase as bug 1225250, crashes again on mozilla-central, at least
> with ASan. I haven't gotten non-ASan builds to crash with this testcase.
>
> You'll need to adjust the testcase so it points to your copy of
> layout/reftests/webm-video/frames.webm (in your mozilla-central tree or
> tests zip). Any other video file will probably crash too, but an image file
> won't.
I just built the ASAN build on OSX but I couldn't reproduce this issue after modifying video path.
Jesse, are you able to reproduce this issue?
Flags: needinfo?(howareyou322)
Assigning while Peter is looking into this.
Assignee: nobody → howareyou322
|
|
Assignee | |
Comment 15•9 years ago
|
||
Jesse, as comment in 13, are you able to reproduce this issue now?
|
|
||
Comment 16•8 years ago
|
||
Schwartzentruber, can you look at this?
Flags: needinfo?(jruderman) → needinfo?(jschwartzentruber)
|
||
Comment 17•8 years ago
|
||
I'm also unable to reproduce, but... the crash is in the Geforce driver, which I don't have.
Flags: needinfo?(jschwartzentruber)
|
||
Updated•8 years ago
|
status-firefox46:
affected → ---
|
|
||
Comment 18•8 years ago
|
||
No way forward and there isn't further information to reproduce this. Closing as incomplete. If someone finds a way to reproduce it, please re-open.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
|
||
Updated•5 years ago
|
Group: gfx-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•