Heap-buffer-overflow in LoadIntegralRowFromRow

Status: RESOLVED FIXED
Product / Component: Core / GFX: Color Management
Reporter: Abhishek Arya
Assignee: Unassigned
Version: Trunk
Keywords: csectype-bounds, regression, sec-high
Bug Flags: sec-bounty +
Firefox Tracking Flags: firefox47 unaffected, firefox48 fixed, firefox49 fixed, firefox-esr45 unaffected
Whiteboard: [gfx-noted]
Attachments: 1 attachment

Description (Reporter, 2 years ago)

Created attachment 8743303: mytest.html

==30392==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000212871 at pc 0x7fa69885bdc4 bp 0x7ffdcb76a7d0 sp 0x7ffdcb76a7c8
READ of size 1 at 0x603000212871 thread T0 (Web Content)
    #0 0x7fa69885bdc3 in LoadIntegralRowFromRow gfx/2d/BlurSSE2.cpp:55:22
    #1 0x7fa69885bdc3 in GenerateIntegralImage_SSE2 gfx/2d/BlurSSE2.cpp:92
    #2 0x7fa69885bdc3 in mozilla::gfx::AlphaBoxBlur::BoxBlur_SSE2(unsigned char*, int, int, int, int, unsigned int*, unsigned long) gfx/2d/BlurSSE2.cpp:225
    #3 0x7fa69889a84f in mozilla::gfx::AlphaBoxBlur::Blur(unsigned char*) gfx/2d/Blur.cpp:553:9
    #4 0x7fa69885e71a in mozilla::gfx::DrawTargetSkia::DrawSurfaceWithShadow(mozilla::gfx::SourceSurface*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::Color const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, mozilla::gfx::CompositionOp) gfx/2d/DrawTargetSkia.cpp:456:5
    #5 0x7fa69b34d998 in mozilla::dom::AdjustedTargetForShadow::~AdjustedTargetForShadow() dom/canvas/CanvasRenderingContext2D.cpp:487:5
    #6 0x7fa69b2f851e in operator() mfbt/UniquePtr.h:528:5
    #7 0x7fa69b2f851e in reset mfbt/UniquePtr.h:343
    #8 0x7fa69b2f851e in mozilla::dom::AdjustedTarget::~AdjustedTarget() dom/canvas/CanvasRenderingContext2D.cpp:589
    #9 0x7fa69b2feaf7 in mozilla::dom::CanvasRenderingContext2D::Stroke() dom/canvas/CanvasRenderingContext2D.cpp:2823:3
    #10 0x7fa69a4e673b in mozilla::dom::CanvasRenderingContext2DBinding::stroke(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) objdir-ff-asan/dom/bindings/CanvasRenderingContext2DBinding.cpp:3415:7
    #11 0x7fa69b22849a in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2778:13
    #12 0x7fa6a121a305 in CallJSNative js/src/jscntxtinlines.h:235:15
    #13 0x7fa6a121a305 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:468
    #14 0x7fa6a120302c in CallFromStack js/src/vm/Interpreter.cpp:531:12
    #15 0x7fa6a120302c in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2831
    #16 0x7fa6a11e7586 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:426:12
    #17 0x7fa6a121c4c8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:704:15
    #18 0x7fa6a0ba1d1b in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) js/src/builtin/Eval.cpp:327:12
    #19 0x7fa6a0ba28be in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/builtin/Eval.cpp:439:12
    #20 0x7fa6a11f1e13 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2746:14
    #21 0x7fa6a11e7586 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:426:12
    #22 0x7fa6a121a51b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:498:15
    #23 0x7fa6a11cd581 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:544:10
    #24 0x7fa6a0d3ee40 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:2919:12
    #25 0x7fa69ae94ba9 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) objdir-ff-asan/dom/bindings/FunctionBinding.cpp:36:8
    #26 0x7fa6991bb806 in Call<nsCOMPtr<nsISupports> > objdir-ff-asan/dist/include/mozilla/dom/FunctionBinding.h:64:12
    #27 0x7fa6991bb806 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) dom/base/nsGlobalWindow.cpp:11961
    #28 0x7fa699199f7b in nsGlobalWindow::RunTimeout(nsTimeout*) dom/base/nsGlobalWindow.cpp:12210:32
    #29 0x7fa699138281 in nsGlobalWindow::TimerCallback(nsITimer*, void*) dom/base/nsGlobalWindow.cpp:12456:3
    #30 0x7fa696840345 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:524:7
    #31 0x7fa6968181fc in nsTimerEvent::Run() xpcom/threads/TimerThread.cpp:286:3
    #32 0x7fa696824b35 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:994:7
    #33 0x7fa6968a4b8c in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290:10
    #34 0x7fa6975f4724 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:130:5
    #35 0x7fa69756aa71 in RunInternal ipc/chromium/src/base/message_loop.cc:230:3
    #36 0x7fa69756aa71 in RunHandler ipc/chromium/src/base/message_loop.cc:223
    #37 0x7fa69756aa71 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:203
    #38 0x7fa69cddebff in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:3
    #39 0x7fa69eee2053 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:801:12
    #40 0x7fa69756aa71 in RunInternal ipc/chromium/src/base/message_loop.cc:230:3
    #41 0x7fa69756aa71 in RunHandler ipc/chromium/src/base/message_loop.cc:223
    #42 0x7fa69756aa71 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:203
    #43 0x7fa69eee15f9 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:637:7
    #44 0x4eaade in content_process_main(int, char**) ipc/contentproc/plugin-container.cpp:237:19
    #45 0x7fa693985ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
0x603000212871 is located 0 bytes to the right of 1-byte region [0x603000212870,0x603000212871)
allocated by thread T0 (Web Content) here:
    #0 0x4b98f8 in __interceptor_malloc _asan_rtl_
    #1 0x7fa6a02e43cf in SkMallocPixelRef gfx/skia/skia/src/core/SkMallocPixelRef.cpp:186:24
    #2 0x7fa6a02e43cf in SkMallocPixelRef::NewUsing(void* (*)(unsigned long), SkImageInfo const&, unsigned long, SkColorTable*) gfx/skia/skia/src/core/SkMallocPixelRef.cpp:87
    #3 0x7fa69fe64379 in SkBitmap::HeapAllocator::allocPixelRef(SkBitmap*, SkColorTable*) gfx/skia/skia/src/core/SkBitmap.cpp:446:22
    #4 0x7fa69fe69f36 in tryAllocPixels gfx/skia/skia/src/core/SkBitmap.cpp:284:12
    #5 0x7fa69fe69f36 in SkBitmap::extractAlpha(SkBitmap*, SkPaint const*, SkBitmap::Allocator*, SkIPoint*) const gfx/skia/skia/src/core/SkBitmap.cpp:1043
    #6 0x7fa69885e5ef in extractAlpha gfx/skia/skia/include/core/SkBitmap.h:662:16
    #7 0x7fa69885e5ef in mozilla::gfx::DrawTargetSkia::DrawSurfaceWithShadow(mozilla::gfx::SourceSurface*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::Color const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, float, mozilla::gfx::CompositionOp) gfx/2d/DrawTargetSkia.cpp:448
    #8 0x7fa69b34d998 in mozilla::dom::AdjustedTargetForShadow::~AdjustedTargetForShadow() dom/canvas/CanvasRenderingContext2D.cpp:487:5
    #9 0x7fa69b2f851e in operator() mfbt/UniquePtr.h:528:5
    #10 0x7fa69b2f851e in reset mfbt/UniquePtr.h:343
    #11 0x7fa69b2f851e in mozilla::dom::AdjustedTarget::~AdjustedTarget() dom/canvas/CanvasRenderingContext2D.cpp:589
    #12 0x7fa69b2feaf7 in mozilla::dom::CanvasRenderingContext2D::Stroke() dom/canvas/CanvasRenderingContext2D.cpp:2823:3
    #13 0x7fa69a4e673b in mozilla::dom::CanvasRenderingContext2DBinding::stroke(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) objdir-ff-asan/dom/bindings/CanvasRenderingContext2DBinding.cpp:3415:7
    #14 0x7fa69b22849a in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2778:13
    #15 0x7fa6a121a305 in CallJSNative js/src/jscntxtinlines.h:235:15
    #16 0x7fa6a121a305 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:468
    #17 0x7fa6a120302c in CallFromStack js/src/vm/Interpreter.cpp:531:12
    #18 0x7fa6a120302c in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2831
    #19 0x7fa6a11e7586 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:426:12
    #20 0x7fa6a121c4c8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:704:15
    #21 0x7fa6a0ba1d1b in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) js/src/builtin/Eval.cpp:327:12
    #22 0x7fa6a0ba28be in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/builtin/Eval.cpp:439:12
    #23 0x7fa6a11f1e13 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2746:14
    #24 0x7fa6a11e7586 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:426:12
    #25 0x7fa6a121a51b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:498:15
    #26 0x7fa6a11cd581 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:544:10
    #27 0x7fa6a0d3ee40 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:2919:12
    #28 0x7fa69ae94ba9 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) objdir-ff-asan/dom/bindings/FunctionBinding.cpp:36:8
    #29 0x7fa6991bb806 in Call<nsCOMPtr<nsISupports> > objdir-ff-asan/dist/include/mozilla/dom/FunctionBinding.h:64:12
    #30 0x7fa6991bb806 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) dom/base/nsGlobalWindow.cpp:11961
    #31 0x7fa699199f7b in nsGlobalWindow::RunTimeout(nsTimeout*) dom/base/nsGlobalWindow.cpp:12210:32
    #32 0x7fa699138281 in nsGlobalWindow::TimerCallback(nsITimer*, void*) dom/base/nsGlobalWindow.cpp:12456:3
    #33 0x7fa696840345 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:524:7
    #34 0x7fa6968181fc in nsTimerEvent::Run() xpcom/threads/TimerThread.cpp:286:3
    #35 0x7fa696824b35 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:994:7
    #36 0x7fa6968a4b8c in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290:10
    #37 0x7fa6975f4724 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:130:5

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/linux_asan_firefox/custom/firefox/libxul.so+0x3effdc3)
Shadow bytes around the buggy address:
==30392==ABORTING
Milan: what's going on around this read? Is it just incorporating data into something the user will be able to access, or is it equally wrong about the size of the buffer it's going to turn around and write this into?
Group: core-security → gfx-core-security
Flags: needinfo?(milan)
Flags: needinfo?(milan)
Lee, can you take a look?
Flags: needinfo?(lsalzman)
This was introduced by bug 1259621. I already fixed this issue in bug 1267271, but that just missed the 48 merge by half a day and ended up going into 49. I requested uplift on it to 48 - so once that goes through this should all be taken care of.
Flags: needinfo?(lsalzman)
See Also: → bug 1259621, bug 1267271
Whiteboard: [gfx-noted]
Keywords: sec-high
status-firefox47: --- → unaffected
status-firefox49: --- → fixed
status-firefox-esr45: --- → unaffected
Flags: sec-bounty?
This was fixed in 48 based on the comments in the other bug. Is this correct?
Flags: needinfo?(lsalzman)
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(In reply to Al Billings [:abillings] from comment #4)
> This was fixed in 48 based on the comments in the other bug. Is this correct?

Yes, correct. We uplifted the fix.
Flags: needinfo?(lsalzman)
status-firefox48: affected → fixed
Group: gfx-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Blocks: 1259621
Depends on: 1267271
Keywords: regression
Group: core-security-release
Keywords: csectype-bounds