Closed
Bug 1294613
Opened 8 years ago
Closed 8 years ago
Global-buffer-overflow WRITE in _moz_pixman_region32_copy
Categories
(Core :: Graphics: Canvas2D, defect)
RESOLVED
DUPLICATE
of bug 1287316
People
(Reporter: inferno, Unassigned)
Details
(Keywords: csectype-bounds, regressionwindow-wanted, sec-critical)
Attachments
(1 file)
238 bytes, text/html
Description

==19557==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa71b8c5ed0 at pc 0x0000004becbc bp 0x7ffe64fcca70 sp 0x7ffe64fcc220
WRITE of size 16 at 0x7fa71b8c5ed0 thread T0 (Web Content)
SCARINESS: 55 (multi-byte-write-global-buffer-overflow-far-from-bounds)
    #0 0x4becbb in __asan_memcpy _asan_rtl_
    #1 0x7fa716390d22 in _moz_pixman_region32_copy gfx/cairo/libpixman/src/pixman-region.c:523:25
    #2 0x7fa70f0e3121 in Copy gfx/src/nsRegion.h:414:5
    #3 0x7fa70f0e3121 in operator= gfx/src/nsRegion.h:77
    #4 0x7fa70f0e3121 in operator= gfx/src/nsRegion.h:487
    #5 0x7fa70f0e3121 in operator= gfx/src/nsRegion.h:842
    #6 0x7fa70f0e3121 in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions(mozilla::gfx::FilterDescription const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>&) gfx/src/FilterSupport.cpp:1774
    #7 0x7fa711c88005 in mozilla::dom::AdjustedTargetForFilter::AdjustedTargetForFilter(mozilla::dom::CanvasRenderingContext2D*, mozilla::gfx::DrawTarget*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::CompositionOp) dom/canvas/CanvasRenderingContext2D.cpp:354:5
    #8 0x7fa711bebb07 in MakeUnique<mozilla::dom::AdjustedTargetForFilter, mozilla::dom::CanvasRenderingContext2D *&, RefPtr<mozilla::gfx::DrawTarget> &, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> &, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> &, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::CompositionOp &> mfbt/UniquePtr.h:680:27
    #9 0x7fa711bebb07 in mozilla::dom::AdjustedTarget::AdjustedTarget(mozilla::dom::CanvasRenderingContext2D*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*) dom/canvas/CanvasRenderingContext2D.cpp:614
    #10 0x7fa711bea5e1 in mozilla::dom::CanvasRenderingContext2D::FillRect(double, double, double, double) dom/canvas/CanvasRenderingContext2D.cpp:2827:3
    #11 0x7fa710d44391 in mozilla::dom::CanvasRenderingContext2DBinding::fillRect(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) objdir-ff-asan/dom/bindings/CanvasRenderingContext2DBinding.cpp:3193:9
    #12 0x7fa711b14e43 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2812:13
    #13 0x7fa717cd8922 in CallJSNative js/src/jscntxtinlines.h:235:15
    #14 0x7fa717cd8922 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:453
    #15 0x7fa717cbdb23 in CallFromStack js/src/vm/Interpreter.cpp:504:12
    #16 0x7fa717cbdb23 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2873
    #17 0x7fa717ca2a66 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:399:12
    #18 0x7fa717cdb3f3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:679:15
    #19 0x7fa717cdba70 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:711:12
    #20 0x7fa7178021fb in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:4437:19
    #21 0x7fa717802d36 in Evaluate js/src/jsapi.cpp:4464:12
    #22 0x7fa717802d36 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:4525
    #23 0x7fa70fe093a5 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) dom/base/nsJSUtils.cpp:206:12
    #24 0x7fa70fe0a157 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) dom/base/nsJSUtils.cpp:266:10
    #25 0x7fa70fe961d5 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) dom/base/nsScriptLoader.cpp:2037:12
    #26 0x7fa70fe92b7b in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) dom/base/nsScriptLoader.cpp:1836:10
    #27 0x7fa70fe7b7ce in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) dom/base/nsScriptLoader.cpp:1574:10
    #28 0x7fa70fe778fa in nsScriptElement::MaybeProcessScript() dom/base/nsScriptElement.cpp:141:18
    #29 0x7fa70ef66e15 in AttemptToExecute dom/base/nsIScriptElement.h:222:18
    #30 0x7fa70ef66e15 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) parser/html/nsHtml5TreeOpExecutor.cpp:664
    #31 0x7fa70ef6548d in nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp:488:7
    #32 0x7fa70ef6a29b in nsHtml5ExecutorFlusher::Run() parser/html/nsHtml5StreamParser.cpp:128:20
    #33 0x7fa70ce309c2 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1058:14
    #34 0x7fa70ceb0fb8 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:290:10
    #35 0x7fa70dbedf11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96:21
    #36 0x7fa70db610b0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #37 0x7fa70db610b0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #38 0x7fa70db610b0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #39 0x7fa7139041cf in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156:27
    #40 0x7fa715a34527 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:846:22
    #41 0x7fa70db610b0 in RunInternal ipc/chromium/src/base/message_loop.cc:232:10
    #42 0x7fa70db610b0 in RunHandler ipc/chromium/src/base/message_loop.cc:225
    #43 0x7fa70db610b0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205
    #44 0x7fa715a33be8 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:676:34
    #45 0x511a53 in content_process_main ipc/contentproc/plugin-container.cpp:197:19
    #46 0x511a53 in main browser/app/nsBrowserApp.cpp:357
    #47 0x7fa726c06f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

0x7fa71b8c5ed0 is located 16 bytes to the left of global variable nsTArrayHeader::sEmptyHdr defined in xpcom/glue/nsTArray.cpp:13:32 (0x7fa71b8c5ee0) of size 8
0x7fa71b8c5ed0 is located 40 bytes to the right of global variable sStderrCallback defined in xpcom/glue/nsCRTGlue.cpp:316:23 (0x7fa71b8c5ea0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/linux_asan_firefox/custom/firefox/firefox-bin+0x4becbb)
Shadow bytes around the buggy address:
  0x0ff563710b80: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff563710b90: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff563710ba0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff563710bb0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff563710bc0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0ff563710bd0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9[f9]f9 00 f9 f9 f9
  0x0ff563710be0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff563710bf0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 f9
  0x0ff563710c00: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0ff563710c10: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0ff563710c20: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19557==ABORTING
Updated•8 years ago
Group: core-security → gfx-core-security
Component: DOM → Canvas: 2D
Keywords: csectype-bounds, sec-critical
Comment 1•8 years ago
Milan, can you help find an owner for this sec-critical issue? Thanks! We would want to know which branches this affects as well.
status-firefox49: --- → ?
status-firefox50: --- → ?
Flags: needinfo?(milan)
Keywords: regressionwindow-wanted
I believe this is a duplicate of bug 1287316.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(milan)
Resolution: --- → DUPLICATE
Updated•5 years ago
Group: gfx-core-security