Closed Bug 1294613 Opened 8 years ago Closed 8 years ago

Global-buffer-overflow WRITE in _moz_pixman_region32_copy

Categories

(Core :: Graphics: Canvas2D, defect)

Unspecified
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1287316
Tracking Status
firefox49 --- ?
firefox50 --- ?
firefox51 --- affected

People

(Reporter: inferno, Unassigned)

Details

(Keywords: csectype-bounds, regressionwindow-wanted, sec-critical)

Attachments

(1 file)

Attached file Testcase
==19557==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa71b8c5ed0 at pc 0x0000004becbc bp 0x7ffe64fcca70 sp 0x7ffe64fcc220
WRITE of size 16 at 0x7fa71b8c5ed0 thread T0 (Web Content)
SCARINESS: 55 (multi-byte-write-global-buffer-overflow-far-from-bounds)
    #0 0x4becbb in __asan_memcpy _asan_rtl_
    #1 0x7fa716390d22 in _moz_pixman_region32_copy gfx/cairo/libpixman/src/pixman-region.c:523:25
    #2 0x7fa70f0e3121 in Copy gfx/src/nsRegion.h:414:5
    #3 0x7fa70f0e3121 in operator= gfx/src/nsRegion.h:77
    #4 0x7fa70f0e3121 in operator= gfx/src/nsRegion.h:487
    #5 0x7fa70f0e3121 in operator= gfx/src/nsRegion.h:842
    #6 0x7fa70f0e3121 in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions(mozilla::gfx::FilterDescription const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&) gfx/src/FilterSupport.cpp:1774
    #7 0x7fa711c88005 in mozilla::dom::AdjustedTargetForFilter::AdjustedTargetForFilter(mozilla::dom::CanvasRenderingContext2D*, mozilla::gfx::DrawTarget*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::CompositionOp) dom/canvas/CanvasRenderingContext2D.cpp:354:5
    #8 0x7fa711bebb07 in MakeUnique<mozilla::dom::AdjustedTargetForFilter, mozilla::dom::CanvasRenderingContext2D *&, RefPtr<mozilla::gfx::DrawTarget> &, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> &, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> &, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::CompositionOp &> mfbt/UniquePtr.h:680:27
    #9 0x7fa711bebb07 in mozilla::dom::AdjustedTarget::AdjustedTarget(mozilla::dom::CanvasRenderingContext2D*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*) dom/canvas/CanvasRenderingContext2D.cpp:614
    #10 0x7fa711bea5e1 in mozilla::dom::CanvasRenderingContext2D::FillRect(double, double, double, double) dom/canvas/CanvasRenderingContext2D.cpp:2827:3
    #11 0x7fa710d44391 in mozilla::dom::CanvasRenderingContext2DBinding::fillRect(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) objdir-ff-asan/dom/bindings/CanvasRenderingContext2DBinding.cpp:3193:9
    #12 0x7fa711b14e43 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2812:13
    #13 0x7fa717cd8922 in CallJSNative js/src/jscntxtinlines.h:235:15
    #14 0x7fa717cd8922 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:453
    #15 0x7fa717cbdb23 in CallFromStack js/src/vm/Interpreter.cpp:504:12
    #16 0x7fa717cbdb23 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2873
    #17 0x7fa717ca2a66 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:399:12
    #18 0x7fa717cdb3f3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:679:15
    #19 0x7fa717cdba70 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:711:12
    #20 0x7fa7178021fb in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:4437:19
    #21 0x7fa717802d36 in Evaluate js/src/jsapi.cpp:4464:12
    #22 0x7fa717802d36 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:4525
    #23 0x7fa70fe093a5 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) dom/base/nsJSUtils.cpp:206:12
    #24 0x7fa70fe0a157 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) dom/base/nsJSUtils.cpp:266:10
    #25 0x7fa70fe961d5 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) dom/base/nsScriptLoader.cpp:2037:12
    #26 0x7fa70fe92b7b in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) dom/base/nsScriptLoader.cpp:1836:10
    #27 0x7fa70fe7b7ce in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) dom/base/nsScriptLoader.cpp:1574:10
    #28 0x7fa70fe778fa in nsScriptElement::MaybeProcessScript() dom/base/nsScriptElement.cpp:141:18
    #29 0x7fa70ef66e15 in AttemptToExecute dom/base/nsIScriptElement.h:222:18
    #30 0x7fa70ef66e15 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) parser/html/nsHtml5TreeOpExecutor.cpp:664
    #31 0x7fa70ef6548d in nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp:488:7
    #32 0x7fa70ef6a29b in nsHtml5ExecutorFlusher::Run() parser/html/nsHtml5StreamParser.cpp:128:20
    #33 0x7fa70ce309c2 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1058:14
    #34 0x7fa70ceb0fb8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290:10
    #35 0x7fa70dbedf11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #36 0x7fa70db610b0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #37 0x7fa70db610b0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #38 0x7fa70db610b0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #39 0x7fa7139041cf in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #40 0x7fa715a34527 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:846:22
    #41 0x7fa70db610b0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #42 0x7fa70db610b0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #43 0x7fa70db610b0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #44 0x7fa715a33be8 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:676:34
    #45 0x511a53 in content_process_main ipc/contentproc/plugin-container.cpp:197:19
    #46 0x511a53 in main browser/app/nsBrowserApp.cpp:357
    #47 0x7fa726c06f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
0x7fa71b8c5ed0 is located 16 bytes to the left of global variable nsTArrayHeader::sEmptyHdr defined in xpcom/glue/nsTArray.cpp:13:32 (0x7fa71b8c5ee0) of size 8
0x7fa71b8c5ed0 is located 40 bytes to the right of global variable sStderrCallback defined in xpcom/glue/nsCRTGlue.cpp:316:23 (0x7fa71b8c5ea0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/linux_asan_firefox/custom/firefox/firefox-bin+0x4becbb)
Shadow bytes around the buggy address:
  0x0ff563710b80: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff563710b90: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff563710ba0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff563710bb0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff563710bc0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0ff563710bd0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9[f9]f9 00 f9 f9 f9
  0x0ff563710be0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff563710bf0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 f9
  0x0ff563710c00: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0ff563710c10: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0ff563710c20: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19557==ABORTING
Group: core-security → gfx-core-security
Component: DOM → Canvas: 2D
Milan, can you help find an owner for this sec-critical issue? Thanks!
We would want to know which branches this affects as well.
Flags: needinfo?(milan)
I believe this is a duplicate of bug 1287316.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(milan)
Resolution: --- → DUPLICATE
Group: gfx-core-security