Closed Bug 1251503 Opened 9 years ago Closed 9 years ago

Heap-buffer-overflow in fast_composite_tiled_repeat

Categories: Core :: Graphics, defect
Type: defect
Priority: Not set
Severity: normal

Tracking: RESOLVED DUPLICATE of bug 1250947
Tracking Status: firefox47 --- affected

People: Reporter: inferno, Assigned: mchang

Details: Keywords: csectype-bounds, sec-high

Attachments: 1 file

Attached file Testcase
>=================================================================
>==24614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0a58eba51c at pc 0x7f0a941e13af bp 0x7fff5f691d90 sp 0x7fff5f691d88
>READ of size 4 at 0x7f0a58eba51c thread T0 (Web Content)
>    #0 0x7f0a941e13ae in fast_composite_tiled_repeat /build/firefox/src/gfx/cairo/libpixman/src/pixman-fast-path.c:1520:22
>    #1 0x7f0a9426a3b7 in _moz_pixman_image_composite32 /build/firefox/src/gfx/cairo/libpixman/src/pixman.c:707:2
>    #2 0x7f0a9407a773 in _composite_boxes /build/firefox/src/gfx/cairo/cairo/src/cairo-image-surface.c:3038:3
>    #3 0x7f0a9407a773 in _clip_and_composite_boxes /build/firefox/src/gfx/cairo/cairo/src/cairo-image-surface.c:3077
>    #4 0x7f0a9406b58f in _cairo_image_surface_fill /build/firefox/src/gfx/cairo/cairo/src/cairo-image-surface.c:3787:15
>    #5 0x7f0a940d7a1d in _cairo_surface_fill /build/firefox/src/gfx/cairo/cairo/src/cairo-surface.c:2348:11
>    #6 0x7f0a9405e362 in _cairo_gstate_fill /build/firefox/src/gfx/cairo/cairo/src/cairo-gstate.c:1290:15
>    #7 0x7f0a94104ecd in _moz_cairo_fill_preserve /build/firefox/src/gfx/cairo/cairo/src/cairo.c:2473:14
>    #8 0x7f0a8d3d8e31 in mozilla::gfx::DrawTargetCairo::DrawPattern(mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::DrawTargetCairo::DrawPatternType, bool) /build/firefox/src/gfx/2d/DrawTargetCairo.cpp:1001:7
>    #9 0x7f0a8d3daf5d in mozilla::gfx::DrawTargetCairo::FillRect(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) /build/firefox/src/gfx/2d/DrawTargetCairo.cpp:1058:3
>    #10 0x7f0a8d935713 in RepeatOrStretchSurface(mozilla::gfx::DrawTarget&, mozilla::gfx::SourceSurface*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>&) /build/firefox/src/gfx/thebes/gfxBlur.cpp:613:3
>    #11 0x7f0a8d934699 in DrawBoxShadows(mozilla::gfx::DrawTarget&, mozilla::gfx::SourceSurface*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>) /build/firefox/src/gfx/thebes/gfxBlur.cpp:662:3
>    #12 0x7f0a8d939cd6 in gfxAlphaBoxBlur::BlurInsetBox(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::Color const&, bool, mozilla::gfx::RectCornerRadii const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>) /build/firefox/src/gfx/thebes/gfxBlur.cpp:1083:5
>    #13 0x7f0a9200e21b in nsContextBoxBlur::InsetBoxBlur(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::Color&, int, int, int, bool, mozilla::gfx::RectCornerRadii&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>) /build/firefox/src/layout/base/nsCSSRendering.cpp:5659:3
>    #14 0x7f0a9200c0d3 in nsCSSRendering::PaintBoxShadowInner(nsPresContext*, nsRenderingContext&, nsIFrame*, nsRect const&) /build/firefox/src/layout/base/nsCSSRendering.cpp:1634:5
>    #15 0x7f0a9208708c in nsDisplayBoxShadowInner::Paint(nsDisplayListBuilder*, nsRenderingContext*) /build/firefox/src/layout/base/nsDisplayList.cpp:3820:5
>    #16 0x7f0a91f30bb6 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /build/firefox/src/layout/base/FrameLayerBuilder.cpp:5660:9
>    #17 0x7f0a91f338cf in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /build/firefox/src/layout/base/FrameLayerBuilder.cpp:5833:5
>    #18 0x7f0a8d708e85 in mozilla::layers::ClientPaintedLayer::PaintThebes() /build/firefox/src/gfx/layers/client/ClientPaintedLayer.cpp:94:5
>    #19 0x7f0a8d709bc9 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /build/firefox/src/gfx/layers/client/ClientPaintedLayer.cpp:148:3
>    #20 0x7f0a8d734a07 in mozilla::layers::ClientContainerLayer::RenderLayer() /build/firefox/src/gfx/layers/client/ClientContainerLayer.h:65:7
>    #21 0x7f0a8d704050 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /build/firefox/src/gfx/layers/client/ClientLayerManager.cpp:281:3
>    #22 0x7f0a8d7045cb in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /build/firefox/src/gfx/layers/client/ClientLayerManager.cpp:324:3
>    #23 0x7f0a92061fc1 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /build/firefox/src/layout/base/nsDisplayList.cpp:1806:3
>    #24 0x7f0a92121c01 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) /build/firefox/src/layout/base/nsLayoutUtils.cpp:3474:5
>    #25 0x7f0a921aeb1b in PresShell::Paint(nsView*, nsRegion const&, unsigned int) /build/firefox/src/layout/base/nsPresShell.cpp:6049:5
>    #26 0x7f0a917738fe in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /build/firefox/src/view/nsViewManager.cpp:467:7
>    #27 0x7f0a9177296e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /build/firefox/src/view/nsViewManager.cpp:398:9
>    #28 0x7f0a91eb75ec in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /build/firefox/src/layout/base/nsRefreshDriver.cpp:1893:5
>    #29 0x7f0a91ec155b in TickDriver /build/firefox/src/layout/base/nsRefreshDriver.cpp:274:5
>    #30 0x7f0a91ec155b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /build/firefox/src/layout/base/nsRefreshDriver.cpp:246
>    #31 0x7f0a91ec11d9 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /build/firefox/src/layout/base/nsRefreshDriver.cpp:265:5
>    #32 0x7f0a91ec2f84 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /build/firefox/src/layout/base/nsRefreshDriver.cpp:425:9
>    #33 0x7f0a9281d514 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /build/firefox/src/layout/ipc/VsyncChild.cpp:64:5
>    #34 0x7f0a8c6be620 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /build/firefox/src/objdir-ff-asan/ipc/ipdl/PVsyncChild.cpp:233:20
>    #35 0x7f0a8c1b5434 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /build/firefox/src/objdir-ff-asan/ipc/ipdl/PBackgroundChild.cpp:1721:16
>    #36 0x7f0a8c0fa919 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /build/firefox/src/ipc/glue/MessageChannel.cpp:1444:14
>    #37 0x7f0a8c0f74cc in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /build/firefox/src/ipc/glue/MessageChannel.cpp:1384:17
>    #38 0x7f0a8c0e46f9 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /build/firefox/src/ipc/glue/MessageChannel.cpp:1353:5
>    #39 0x7f0a8c067d6e in RunTask /build/firefox/src/ipc/chromium/src/base/message_loop.cc:364:3
>    #40 0x7f0a8c067d6e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /build/firefox/src/ipc/chromium/src/base/message_loop.cc:372
>    #41 0x7f0a8c068caa in MessageLoop::DoWork() /build/firefox/src/ipc/chromium/src/base/message_loop.cc:459:13
>    #42 0x7f0a8c102f72 in mozilla::ipc::DoWorkRunnable::Run() /build/firefox/src/ipc/glue/MessagePump.cpp:220:3
>    #43 0x7f0a8b6cc825 in nsThread::ProcessNextEvent(bool, bool*) /build/firefox/src/xpcom/threads/nsThread.cpp:1018:7
>    #44 0x7f0a8b74c4dc in NS_ProcessNextEvent(nsIThread*, bool) /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:297:10
>    #45 0x7f0a8c1025be in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /build/firefox/src/ipc/glue/MessagePump.cpp:95:21
>    #46 0x7f0a8c066cf1 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234:3
>    #47 0x7f0a8c066cf1 in RunHandler /build/firefox/src/ipc/chromium/src/base/message_loop.cc:227
>    #48 0x7f0a8c066cf1 in MessageLoop::Run() /build/firefox/src/ipc/chromium/src/base/message_loop.cc:201
>    #49 0x7f0a917d629f in nsBaseAppShell::Run() /build/firefox/src/widget/nsBaseAppShell.cpp:156:3
>    #50 0x7f0a9387bb33 in XRE_RunAppShell /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:789:12
>    #51 0x7f0a8c066cf1 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234:3
>    #52 0x7f0a8c066cf1 in RunHandler /build/firefox/src/ipc/chromium/src/base/message_loop.cc:227
>    #53 0x7f0a8c066cf1 in MessageLoop::Run() /build/firefox/src/ipc/chromium/src/base/message_loop.cc:201
>    #54 0x7f0a9387b0d9 in XRE_InitChildProcess /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:625:7
>    #55 0x4ea59e in content_process_main(int, char**) /build/firefox/src/ipc/app/../contentproc/plugin-container.cpp:237:19
>    #56 0x7f0a88827ec4 in __libc_start_main
>    #57 0x41dbc6 in _start
>
>0x7f0a58eba51c is located 1116 bytes to the right of 465088-byte region [0x7f0a58e48800,0x7f0a58eba0c0)
>allocated by thread T0 (Web Content) here:
>    #0 0x4ba2e0 in __interceptor_posix_memalign _asan_rtl_
>    #1 0x7f0a8d9b49cb in TryAllocAlignedBytes /build/firefox/src/gfx/thebes/gfxImageSurface.cpp:99:12
>    #2 0x7f0a8d9b49cb in gfxImageSurface::AllocateAndInit(long, int, bool) /build/firefox/src/gfx/thebes/gfxImageSurface.cpp:136
>    #3 0x7f0a8d91eca7 in gfxPlatformGtk::CreateOffscreenSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /build/firefox/src/gfx/thebes/gfxPlatformGtk.cpp:134:30
>    #4 0x7f0a8d91424b in CreateDrawTargetForBackend /build/firefox/src/gfx/thebes/gfxPlatform.cpp:1321:32
>    #5 0x7f0a8d91424b in gfxPlatform::CreateOffscreenContentDrawTarget(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) /build/firefox/src/gfx/thebes/gfxPlatform.cpp:1354
>    #6 0x7f0a8d9390e8 in CreateBoxShadow(mozilla::gfx::SourceSurface*, mozilla::gfx::Color const&) /build/firefox/src/gfx/thebes/gfxBlur.cpp:503:5
>    #7 0x7f0a8d936fb3 in gfxAlphaBoxBlur::GetInsetBlur(mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectCornerRadii const&, mozilla::gfx::Color const&, bool const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>, bool&, mozilla::gfx::DrawTarget*) /build/firefox/src/gfx/thebes/gfxBlur.cpp:998:40
>    #8 0x7f0a8d93975a in gfxAlphaBoxBlur::BlurInsetBox(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::Color const&, bool, mozilla::gfx::RectCornerRadii const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>) /build/firefox/src/gfx/thebes/gfxBlur.cpp:1058:40
>    #9 0x7f0a9200e21b in nsContextBoxBlur::InsetBoxBlur(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::Color&, int, int, int, bool, mozilla::gfx::RectCornerRadii&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float>, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>) /build/firefox/src/layout/base/nsCSSRendering.cpp:5659:3
>    #10 0x7f0a9200c0d3 in nsCSSRendering::PaintBoxShadowInner(nsPresContext*, nsRenderingContext&, nsIFrame*, nsRect const&) /build/firefox/src/layout/base/nsCSSRendering.cpp:1634:5
>    #11 0x7f0a9208708c in nsDisplayBoxShadowInner::Paint(nsDisplayListBuilder*, nsRenderingContext*) /build/firefox/src/layout/base/nsDisplayList.cpp:3820:5
>    #12 0x7f0a91f30bb6 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /build/firefox/src/layout/base/FrameLayerBuilder.cpp:5660:9
>    #13 0x7f0a91f338cf in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /build/firefox/src/layout/base/FrameLayerBuilder.cpp:5833:5
>    #14 0x7f0a8d708e85 in mozilla::layers::ClientPaintedLayer::PaintThebes() /build/firefox/src/gfx/layers/client/ClientPaintedLayer.cpp:94:5
>    #15 0x7f0a8d709bc9 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /build/firefox/src/gfx/layers/client/ClientPaintedLayer.cpp:148:3
>    #16 0x7f0a8d734a07 in mozilla::layers::ClientContainerLayer::RenderLayer() /build/firefox/src/gfx/layers/client/ClientContainerLayer.h:65:7
>    #17 0x7f0a8d704050 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /build/firefox/src/gfx/layers/client/ClientLayerManager.cpp:281:3
>    #18 0x7f0a8d7045cb in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /build/firefox/src/gfx/layers/client/ClientLayerManager.cpp:324:3
>    #19 0x7f0a92061fc1 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /build/firefox/src/layout/base/nsDisplayList.cpp:1806:3
>    #20 0x7f0a92121c01 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) /build/firefox/src/layout/base/nsLayoutUtils.cpp:3474:5
>    #21 0x7f0a921aeb1b in PresShell::Paint(nsView*, nsRegion const&, unsigned int) /build/firefox/src/layout/base/nsPresShell.cpp:6049:5
>    #22 0x7f0a917738fe in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /build/firefox/src/view/nsViewManager.cpp:467:7
>    #23 0x7f0a9177296e in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /build/firefox/src/view/nsViewManager.cpp:398:9
>    #24 0x7f0a91eb75ec in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /build/firefox/src/layout/base/nsRefreshDriver.cpp:1893:5
>    #25 0x7f0a91ec155b in TickDriver /build/firefox/src/layout/base/nsRefreshDriver.cpp:274:5
>    #26 0x7f0a91ec155b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /build/firefox/src/layout/base/nsRefreshDriver.cpp:246
>    #27 0x7f0a91ec11d9 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /build/firefox/src/layout/base/nsRefreshDriver.cpp:265:5
>    #28 0x7f0a91ec2f84 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /build/firefox/src/layout/base/nsRefreshDriver.cpp:425:9
>    #29 0x7f0a9281d514 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /build/firefox/src/layout/ipc/VsyncChild.cpp:64:5
>    #30 0x7f0a8c6be620 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /build/firefox/src/objdir-ff-asan/ipc/ipdl/PVsyncChild.cpp:233:20
>    #31 0x7f0a8c1b5434 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /build/firefox/src/objdir-ff-asan/ipc/ipdl/PBackgroundChild.cpp:1721:16
>    #32 0x7f0a8c0fa919 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /build/firefox/src/ipc/glue/MessageChannel.cpp:1444:14
>
>SUMMARY: AddressSanitizer: heap-buffer-overflow (/build/firefox/src/objdir-ff-asan/dist/bin/libxul.so+0xa9ea3ae)
>Shadow bytes around the buggy address:
>  0x0fe1cb1cf450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x0fe1cb1cf4a0: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf4e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0fe1cb1cf4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:       fa
>  Heap right redzone:      fb
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack partial redzone:   f4
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Container overflow:      fc
>  Array cookie:            ac
>  Intra object redzone:    bb
>  ASan internal:           fe
>  Left alloca redzone:     ca
>  Right alloca redzone:    cb
>==24614==ABORTING
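The report above is the kind of artifact a triager reduces to a handful of fields before filing: bug class, read or write and of how many bytes, the crashing frame, how far outside which allocation the access landed, and where that allocation was made. The following Python is an added example written for this page, not code from the bug report or from Mozilla: it parses an ASan report of that shape, tolerates the `>` quoting Bugzilla added to the paste, splits the access stack from the allocation stack, and recomputes the region size and overrun distance from the bounds ASan prints so a truncated or hand-edited report is caught rather than trusted. `SAMPLE_REPORT` is a constructed excerpt that reuses the addresses and frames quoted above with our own layout; the function and field names (`parse_asan_report`, `check_region_consistency`, `triage`) are ours.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the shape of the ASan report quoted above (values copied from it, layout ours).
SAMPLE_REPORT = """\
==24614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0a58eba51c at pc 0x7f0a941e13af bp 0x7fff5f691d90 sp 0x7fff5f691d88
READ of size 4 at 0x7f0a58eba51c thread T0 (Web Content)
    #0 0x7f0a941e13ae in fast_composite_tiled_repeat /build/firefox/src/gfx/cairo/libpixman/src/pixman-fast-path.c:1520:22
    #1 0x7f0a9426a3b7 in _moz_pixman_image_composite32 /build/firefox/src/gfx/cairo/libpixman/src/pixman.c:707:2
0x7f0a58eba51c is located 1116 bytes to the right of 465088-byte region [0x7f0a58e48800,0x7f0a58eba0c0)
allocated by thread T0 (Web Content) here:
    #0 0x4ba2e0 in __interceptor_posix_memalign _asan_rtl_
    #1 0x7f0a8d9b49cb in TryAllocAlignedBytes /build/firefox/src/gfx/thebes/gfxImageSurface.cpp:99:12
SUMMARY: AddressSanitizer: heap-buffer-overflow (/build/firefox/src/objdir-ff-asan/dist/bin/libxul.so+0xa9ea3ae)
"""

# One stack frame; location is file:line:col, or the module name for runtime frames.
Frame = namedtuple("Frame", "index function location")

@dataclass
class AsanReport:
    kind: str                            # e.g. "heap-buffer-overflow"
    address: int                         # faulting address
    operation: str = ""                  # "READ" or "WRITE"
    access_size: int = 0
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region_lo: Optional[int] = None      # [region_lo, region_hi) as printed by ASan
    region_hi: Optional[int] = None
    region_size: Optional[int] = None
    side: Optional[str] = None           # "left" or "right" of the region
    distance: Optional[int] = None       # bytes outside the region

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+) (?P<loc>\S+)$")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")

def parse_asan_report(text: str) -> AsanReport:
    """Split one ASan report into header, access stack, region info and allocation stack."""
    report: Optional[AsanReport] = None
    target: Optional[List[Frame]] = None  # the stack that subsequent '#N' lines belong to
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()  # tolerate Bugzilla-style '>' quoting
        m = ERROR_RE.search(line)
        if m:
            report = AsanReport(kind=m["kind"], address=int(m["addr"], 16))
            continue
        if report is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.operation, report.access_size = m["op"], int(m["size"])
            target = report.access_stack
            continue
        m = REGION_RE.search(line)
        if m:
            report.distance, report.side = int(m["dist"]), m["side"]
            report.region_size = int(m["size"])
            report.region_lo, report.region_hi = int(m["lo"], 16), int(m["hi"], 16)
            target = None
            continue
        if line.startswith(("allocated by", "freed by")):
            target = report.alloc_stack
            continue
        m = FRAME_RE.match(line)
        if m and target is not None:
            target.append(Frame(int(m["n"]), m["func"], m["loc"]))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report

def check_region_consistency(report: AsanReport) -> bool:
    """Recompute region size and overrun distance from the printed bounds; a mismatch means the report was truncated or edited."""
    if None in (report.region_lo, report.region_hi, report.region_size, report.distance):
        return False
    expected = (report.address - report.region_hi if report.side == "right"
                else report.region_lo - report.address)
    return (report.region_hi - report.region_lo == report.region_size
            and expected == report.distance)

def triage(report: AsanReport) -> dict:
    """Reduce a report to the fields a triager files on."""
    top = report.access_stack[0] if report.access_stack else None
    # Skip the sanitizer's own interceptor frame to reach the application allocation site.
    alloc_site = next((f for f in report.alloc_stack if not f.function.startswith("__interceptor_")), None)
    return {
        "bug_class": report.kind,
        "access": f"{report.operation.lower()} of {report.access_size} bytes",
        "crash_function": top.function if top else None,
        "crash_location": top.location if top else None,
        "bytes_outside_region": report.distance,
        "region_size": report.region_size,
        "alloc_site": alloc_site.location if alloc_site else None,
        "offsets_consistent": check_region_consistency(report),
    }
```

Run `triage(parse_asan_report(SAMPLE_REPORT))` to get the summary dictionary; for this report it records a 4-byte read in `fast_composite_tiled_repeat` landing 1116 bytes past a 465088-byte allocation made via `gfxImageSurface.cpp:99:12`, and the bounds check passes because 0x7f0a58eba0c0 - 0x7f0a58e48800 is indeed 465088 and 0x7f0a58eba51c - 0x7f0a58eba0c0 is 1116. Feeding the parser the `>`-quoted text straight from the bug gives the same result.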
Group: core-security → gfx-core-security
Lee, can you reproduce this?
Assignee: nobody → lsalzman
This issue was resolved by fixes for bug 1250947 that landed this week. I am handing this bug off to Mason so he can decide if he wants to dup it or otherwise.
Assignee: lsalzman → mchang
Component: GFX: Color Management → Graphics
Depends on: 1250947
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security