Closed
Bug 1262333
Opened 8 years ago
Closed 8 years ago
heap-buffer-overflow read in [@mozilla::image::Downscaler::CommitRow]
Categories
(Core :: Graphics: ImageLib, defect)
Core
Graphics: ImageLib
Tracking
()
RESOLVED
DUPLICATE
of bug 1249578
People
(Reporter: tsmith, Assigned: tnikkel)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-bounds, sec-high, testcase, Whiteboard: [gfx-noted])
Attachments
(3 files)
test_case.ico
This may be a dup of bug 1249578. ==64847==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000297980 at pc 0x7f24c4a5bcd1 bp 0x7f24a01f1960 sp 0x7f24a01f1958 READ of size 8 at 0x604000297980 thread T36 (ImgDecoder #2) #0 0x7f24c4a5bcd0 in mozilla::image::Downscaler::CommitRow() /builds/slave/m-cen-l64-asan-000000000000000/build/src/image/Downscaler.cpp:230 ... See attached log.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
|
Assignee | |
Comment 3•8 years ago
|
||
Hmm, I don't get an asserts when loading this (haven't tried with ASAN or valgrind yet).
|
|
Assignee | |
Comment 4•8 years ago
|
||
If I make the img 40px x 40px then I can trigger the assert from bug 1249578. Which makes sense since the ico file says the embedded png is 256x256, but it really is 32x32.
|
|
Reporter | |
Comment 5•8 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #4) > If I make the img 40px x 40px then I can trigger the assert from bug > 1249578. Which makes sense since the ico file says the embedded png is > 256x256, but it really is 32x32. So it sounds like the assert is incomplete or this is a different bug all together?
|
|
Assignee | |
Comment 6•8 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #5) > (In reply to Timothy Nikkel (:tnikkel) from comment #4) > > If I make the img 40px x 40px then I can trigger the assert from bug > > 1249578. Which makes sense since the ico file says the embedded png is > > 256x256, but it really is 32x32. > > So it sounds like the assert is incomplete or this is a different bug all > together? Nevermind, I was testing on a retina screen. If I test on non-retina screen then it asserts. This makes sense since 224 * 2 is larger than 256 (the size the ico claims to be). So this is likely the same issue basic issue, although this testcase makes things go much more wrong than bug 1249578 (but we already knew that was possible).
|
||
Updated•8 years ago
|
Assignee: nobody → tnikkel
|
|
||
Updated•8 years ago
|
Whiteboard: [gfx-noted]
|
||
Comment 7•8 years ago
|
||
Timothy, have you managed to look at this yet? Thanks.
Flags: needinfo?(tnikkel)
|
||
Comment 8•8 years ago
|
||
Sec high, assuming 49 is affected here at least.
status-firefox48:
--- → ?
status-firefox49:
--- → ?
status-firefox50:
--- → ?
tracking-firefox49:
--- → +
tracking-firefox50:
--- → +
|
|
Assignee | |
Comment 9•8 years ago
|
||
I already looked at this. It's the same issue as bug 1249578. Fixing bug 1249578 should fix this bug.
Flags: needinfo?(tnikkel)
|
|
||
Comment 10•8 years ago
|
||
Bug 1249578 has landed. Can you confirm that this issue is fixed and close the bug, Tyson? Thanks.
Flags: needinfo?(twsmith)
|
|
Reporter | |
Comment 11•8 years ago
|
||
Looks good.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
|
||
Updated•8 years ago
|
Group: gfx-core-security → core-security-release
|
|
||
Updated•8 years ago
|
Resolution: FIXED → DUPLICATE
|
||
Comment 13•8 years ago
|
||
Removing tracking nom and status flags as this is well tracked in the duplicate bug and the issue is verified as fixed.
status-firefox48:
? → ---
status-firefox49:
? → ---
status-firefox50:
? → ---
tracking-firefox49:
+ → ---
tracking-firefox50:
+ → ---
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•