1313212 - Layers: heap-buffer-overflow crash [@ __interceptor_strlen] with READ of size 3841

Status: RESOLVED FIXED

(Core :: Graphics: Layers, defect)

Description

[Christoph Diehl [:posidron]]

The following testcase crashes on en-us.linux-x86_64-asan.tar.bz2 revision e0f4b01bb284c15605f7931d0e7286af3d98b732

See attachment.

Backtrace:

==3425==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62000010ef80 at pc 0x00000049f4d1 bp 0x7fd9fd82abc0 sp 0x7fd9fd82a380
READ of size 3841 at 0x62000010ef80 thread T26 (Compositor)
    #0 0x49f4d0 in __interceptor_strlen /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581:5
    #1 0x7fda1741c3e2 in length /home/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.8.5/../../../../include/c++/4.8.5/bits/char_traits.h:259:16
    #2 0x7fda1741c3e2 in operator<<<std::char_traits<char> > /home/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.8.5/../../../../include/c++/4.8.5/ostream:536
    #3 0x7fda1741c3e2 in operator<<<std::char_traits<char> > /home/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.8.5/../../../../include/c++/4.8.5/ostream:549
    #4 0x7fda1741c3e2 in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>& mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::operator<< <unsigned char*>(mozilla::gfx::Hexa<unsigned char*>) /home/worker/workspace/build/src/gfx/2d/Logging.h:386
    #5 0x7fda1741be3b in mozilla::gfx::Factory::CreateDrawTargetForData(mozilla::gfx::BackendType, unsigned char*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, int, mozilla::gfx::SurfaceFormat, bool) /home/worker/workspace/build/src/gfx/2d/Factory.cpp:412:115
    #6 0x7fda17a24bd1 in gfxPlatform::CreateDrawTargetForData(unsigned char*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, int, mozilla::gfx::SurfaceFormat) /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1478:27
    #7 0x7fda1bb323e0 in mozilla::widget::WindowSurfaceX11Image::Lock(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) /home/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:58:10
    #8 0x7fda1bb308b3 in mozilla::widget::WindowSurfaceProvider::StartRemoteDrawingInRegion(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel>&, mozilla::layers::BufferMode*) /home/worker/workspace/build/src/widget/gtk/WindowSurfaceProvider.cpp:96:14
    #9 0x7fda1bb33081 in mozilla::widget::X11CompositorWidget::StartRemoteDrawingInRegion(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel>&, mozilla::layers::BufferMode*) /home/worker/workspace/build/src/widget/gtk/X11CompositorWidget.cpp:73:10
    #10 0x7fda177c257e in mozilla::layers::BasicCompositor::BeginFrame(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>*) /home/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:814:19
    #11 0x7fda178927a6 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:946:5
    #12 0x7fda17890602 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /home/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:483:3
    #13 0x7fda1788fc52 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:404:5
    #14 0x7fda178e6745 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1366:3
    #15 0x7fda178e51c8 in ComposeToTarget /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:691:3
    #16 0x7fda178e51c8 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:592
    #17 0x7fda1792aefe in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByValue<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:729:12
    #18 0x7fda1792aefe in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:735
    #19 0x7fda1792aefe in mozilla::detail::RunnableMethodImpl<void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, true, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:764
    #20 0x7fda1617a977 in RunTask /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:346:3
    #21 0x7fda1617a977 in DeferOrRunPendingTask /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:354
    #22 0x7fda1617a977 in MessageLoop::DoWork() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:429
    #23 0x7fda1617c9e8 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:21
    #24 0x7fda16177f48 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #25 0x7fda16177f48 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #26 0x7fda16177f48 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #27 0x7fda16197971 in base::Thread::ThreadMain() /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:180:3
    #28 0x7fda161984cc in ThreadFunc(void*) /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:3
    #29 0x7fda2fc47181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

0x62000010ef80 is located 0 bytes to the right of 3840-byte region [0x62000010e080,0x62000010ef80)
allocated by thread T26 (Compositor) here:
    #0 0x4b247b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x7fda1bb321cc in mozilla::widget::WindowSurfaceX11Image::Lock(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) /home/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:45:37
    #2 0x7fda1bb308b3 in mozilla::widget::WindowSurfaceProvider::StartRemoteDrawingInRegion(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel>&, mozilla::layers::BufferMode*) /home/worker/workspace/build/src/widget/gtk/WindowSurfaceProvider.cpp:96:14
    #3 0x7fda1bb33081 in mozilla::widget::X11CompositorWidget::StartRemoteDrawingInRegion(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel>&, mozilla::layers::BufferMode*) /home/worker/workspace/build/src/widget/gtk/X11CompositorWidget.cpp:73:10
    #4 0x7fda177c257e in mozilla::layers::BasicCompositor::BeginFrame(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>*) /home/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:814:19
    #5 0x7fda178927a6 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:946:5
    #6 0x7fda17890602 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /home/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:483:3
    #7 0x7fda1788fc52 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:404:5
    #8 0x7fda178e6745 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1366:3
    #9 0x7fda178e51c8 in ComposeToTarget /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:691:3
    #10 0x7fda178e51c8 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:592
    #11 0x7fda1792aefe in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByValue<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:729:12
    #12 0x7fda1792aefe in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:735
    #13 0x7fda1792aefe in mozilla::detail::RunnableMethodImpl<void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, true, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:764
    #14 0x7fda1617a977 in RunTask /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:346:3
    #15 0x7fda1617a977 in DeferOrRunPendingTask /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:354
    #16 0x7fda1617a977 in MessageLoop::DoWork() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:429
    #17 0x7fda1617c9e8 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:21
    #18 0x7fda16177f48 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #19 0x7fda16177f48 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #20 0x7fda16177f48 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #21 0x7fda16197971 in base::Thread::ThreadMain() /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:180:3
    #22 0x7fda161984cc in ThreadFunc(void*) /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:3
    #23 0x7fda2fc47181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T26 (Compositor) created by T0 here:
    #0 0x49a839 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7fda1619758b in CreateThread /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137:14
    #2 0x7fda1619758b in Create /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #3 0x7fda1619758b in base::Thread::StartWithOptions(base::Thread::Options const&) /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:98
    #4 0x7fda178fd668 in CreateCompositorThread /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:105:8
    #5 0x7fda178fd668 in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:53
    #6 0x7fda178fd7ba in mozilla::layers::CompositorThreadHolder::Start() /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:121:33
    #7 0x7fda17a1c467 in InitLayersIPC /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:921:9
    #8 0x7fda17a1c467 in gfxPlatform::Init() /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:703
    #9 0x7fda17a1a002 in gfxPlatform::GetPlatform() /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:542:9
    #10 0x7fda1ba757a7 in mozilla::widget::GfxInfoBase::GetContentBackend(nsAString_internal&) /home/worker/workspace/build/src/widget/GfxInfoBase.cpp:1406:25
    #11 0x7fda15447216 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:180:23
    #12 0x7fda16dd9a4e in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2064:12
    #13 0x7fda16dd9a4e in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1383
    #14 0x7fda16dd9a4e in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1350
    #15 0x7fda16de1b8f in GetAttribute /home/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1877:17
    #16 0x7fda16de1b8f in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1179
    #17 0x7fda201164c5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #18 0x7fda201164c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:446
    #19 0x7fda20117cfe in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:503:12
    #20 0x7fda20117cfe in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522
    #21 0x7fda20117cfe in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:636
    #22 0x7fda20172191 in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1780:16
    #23 0x7fda20172191 in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1828
    #24 0x7fda20172191 in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2055
    #25 0x7fda20172191 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2089
    #26 0x7fda20100f2a in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1515:12
    #27 0x7fda20100f2a in GetProperty /home/worker/workspace/build/src/js/src/jsobj.h:854
    #28 0x7fda20100f2a in GetObjectElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:458
    #29 0x7fda20100f2a in GetElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:563
    #30 0x7fda20100f2a in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2760
    #31 0x7fda200e1533 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:404:12
    #32 0x7fda20116b2f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:476:15
    #33 0x7fda200c2d42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:10
    #34 0x7fda1ff3c5ec in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #35 0x7fda1fe73e9f in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
    #36 0x7fda1ff1a3af in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
    #37 0x7fda1ff1ca5e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
    #38 0x7fda201164c5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #39 0x7fda201164c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:446
    #40 0x7fda200fc6e8 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:509:12
    #41 0x7fda200fc6e8 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #42 0x7fda200e1533 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:404:12
    #43 0x7fda20116b2f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:476:15
    #44 0x7fda200c2d42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:10
    #45 0x7fda1fbf4672 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2768:12
    #46 0x7fda16dbe647 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1211:23
    #47 0x7fda15448a96 in PrepareAndDispatch /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:122:14
    #48 0x7fda15447a66 in SharedStub (/home/ubuntu/firefox/libxul.so+0x1f4ca66)
    #49 0x7fda153e5ad5 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /home/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:824:9
    #50 0x7fda1dc38066 in nsXREDirProvider::DoStartup() /home/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1171:11
    #51 0x7fda1dc15691 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4288:3
    #52 0x7fda1dc17762 in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4583:8
    #53 0x7fda1dc1861c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4674:16
    #54 0x4df89a in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
    #55 0x4df89a in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
    #56 0x7fda2ec6fec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581:5 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c4080019da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4080019db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4080019dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4080019dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4080019de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4080019df0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4080019e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4080019e10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4080019e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4080019e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4080019e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Comment 1

[Christoph Diehl [:posidron]]

Attachment: Testcase

Comment 2

[Daniel Veditz [:dveditz]]

Christoph: how do you use this testcase? seems to be a bunch of text files.

Comment 3

[Andrew McCreight [:mccr8]]

This looks like we're trying to write a char* to a crash dump that is not null-terminated. It also seems a little questionable that we're writing texture data to a crash dump, if that's what is really happening here...

Comment 4

[Milan Sreckovic [:milan] (needinfo for best results)]

Right, this is a problem with the implementation of logging

Comment 5

[Christoph Diehl [:posidron]]

(In reply to Daniel Veditz [:dveditz] from comment #2)
> Christoph: how do you use this testcase? seems to be a bunch of text files.

data_1_output_Output.txt -> data_1_output_Output.ico 

This seems not to be a problem with ICO per se. It started to happen at the 25th and is now a top crasher.

Comment 6

[Milan Sreckovic [:milan] (needinfo for best results)]

This crash is a red herring, and it's masking another problem.  We're just crashing trying to report some debugging information; I'm not sure why it would have started recently.  I'll have a quick patch shortly.

Comment 7

[Milan Sreckovic [:milan] (needinfo for best results)]

Attachment: Show the pointer value, not the string. r=bas

Comment 8

[Milan Sreckovic [:milan] (needinfo for best results)]

This has been around since 43 (see bug 1200021 comment 16.)  I'd go for the uplift all the way once this is reviewed and approved.

Comment 9

[Mason Chang [Inactive] [:mchang]]

Comment on attachment 8805274 [details] [diff] [review]
Show the pointer value, not the string. r=bas

nit: change the commit message to be r=mchang instead of bas

Comment 10

[Milan Sreckovic [:milan] (needinfo for best results)]

Attachment: Show the pointer value, not the string. Carry r=mchang

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

The hard part would be causing the failure, that causes this message to be printed, that then, with the correct image data overwrites the right part of the memory.  So, not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Not at all.

Which older supported branches are affected by this flaw?

All.  This was introduced in 43 (see bug 1200021 comment 16)

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

It will either apply, or be a trivial rebase.

How likely is this patch to cause regressions; how much testing does it need?
Very unlikely.

This is "only" sec-high, so I don't think we necessarily need the release+esr update, but it could ride along if we had other reasons.

Comment 11

[Al Billings [:abillings - ex-MoCo]]

This is waaaaay too late for 50, which is on its final beta already.

This needs to go in two weeks after we ship, which is now Nov 15, making this a "sec-approval+ for checkin on 11/29" patch.

Once it is on trunk, we'll want to backport it to Aurora, Beta, and ESR45.

Comment 12

[Ryan VanderMeulen [:RyanVM]]

Getting this back on the radar for 50.1 as well.

https://hg.mozilla.org/integration/mozilla-inbound/rev/e10cae7946b2581b3737771d456f4474734c63f7

Comment 13

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8805584 [details] [diff] [review]
Show the pointer value, not the string. Carry r=mchang

As simple as this patch is, I think we should consider it for the ESR 45.6 and Fx 50.1 releases as well still.

Comment 14

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/e10cae7946b2

Comment 15

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8805584 [details] [diff] [review]
Show the pointer value, not the string. Carry r=mchang

Sec-high, approved for all branches

Comment 16

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/f97d858f6835
https://hg.mozilla.org/releases/mozilla-beta/rev/a7f3b3893434
https://hg.mozilla.org/releases/mozilla-release/rev/eee40261b496

Comment 17

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr45/rev/032a22f5fbaa

Comment 18

[Marcia Knous [:marcia]]

Tracking 53+ for this sec high issue.