Closed Bug 1316866 Opened 8 years ago Closed 7 years ago

AddressSanitizer: heap-use-after-free in [@ CanvasRenderingContext2D::DrawImage] with READ size 8

Categories

(Core :: Graphics: Canvas2D, defect)

Type: defect
Priority: Not set
Severity: critical
Tracking


RESOLVED FIXED
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- fixed
firefox52 --- fixed
firefox-esr52 --- unaffected
firefox53 --- fixed
firefox54 --- fixed

People

(Reporter: truber, Assigned: milan)

References

(Blocks 1 open bug)

Details

(5 keywords)

Attachments

(2 files)

Attached file testcase.html
The attached testcase crashes m-c b2b359340a84.

==24127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000474b70 at pc 0x7fc276e2cffd bp 0x7ffd9373e490 sp 0x7ffd9373e488
READ of size 8 at 0x60d000474b70 thread T0
    #0 0x7fc276e2cffc in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) dom/canvas/CanvasRenderingContext2D.cpp:4984:5
    #1 0x7fc27619bb84 in DrawImage obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h:218:5
    #2 0x7fc27619bb84 in mozilla::dom::CanvasRenderingContext2DBinding::drawImage(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:4289
    #3 0x7fc276d38f90 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2879:13
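An added triage helper, not part of the bug or of Mozilla's own tooling: it parses the AddressSanitizer report quoted in comment 0, pulls out the error kind, the faulting access and the symbolized frames, checks that the address on the access line is the one named in the header, and rebuilds a summary line in the same form as this bug's title. The sample input is the report text above, embedded as a constant. Two choices are assumptions made here for illustration rather than fuzzing-team conventions: the signature is taken from frame #0, and it keeps only the last two `::` components of the function name so that the namespace is dropped the way the bug title does.

```python
import re

# Constructed sample input: the AddressSanitizer report header and the first
# stack frames as quoted in comment 0 of bug 1316866.
SAMPLE_REPORT = """\
==24127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000474b70 at pc 0x7fc276e2cffd bp 0x7ffd9373e490 sp 0x7ffd9373e488
READ of size 8 at 0x60d000474b70 thread T0
    #0 0x7fc276e2cffc in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) dom/canvas/CanvasRenderingContext2D.cpp:4984:5
    #1 0x7fc27619bb84 in DrawImage obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h:218:5
    #2 0x7fc27619bb84 in mozilla::dom::CanvasRenderingContext2DBinding::drawImage(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:4289
    #3 0x7fc276d38f90 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2879:13
"""

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)",
    re.M,
)
ACCESS_RE = re.compile(
    r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)",
    re.M,
)
# The greedy ".*" backs off to the last space on the line, so the final token is
# the source location and a function name containing spaces (its C++ argument
# list) is kept whole.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.*) (?P<loc>\S+)$", re.M)


def parse_asan_report(text):
    """Return a dict with the error kind, the faulting access and the parsed stack."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an AddressSanitizer error report")
    access = ACCESS_RE.search(text)
    frames = []
    for m in FRAME_RE.finditer(text):
        # Drop the argument list so "Ns::Cls::Method(args)" becomes "Ns::Cls::Method".
        name = m.group("func").split("(", 1)[0]
        frames.append({"n": int(m.group("n")), "func": name, "loc": m.group("loc")})
    result = {
        "pid": int(header.group("pid")),
        "kind": header.group("kind"),
        "addr": header.group("addr"),
        "frames": frames,
    }
    if access:
        result["access"] = access.group("access")
        result["size"] = int(access.group("size"))
        result["thread"] = access.group("thread")
        # Sanity check: the access line must name the same address as the header.
        result["consistent"] = access.group("addr") == header.group("addr")
    return result


def crash_signature(report, depth=2):
    """Bugzilla-style "[@ Class::Method]" built from frame #0, keeping the last
    `depth` '::' components (assumption made here: the title drops the namespace)."""
    func = report["frames"][0]["func"]
    return "[@ " + "::".join(func.split("::")[-depth:]) + "]"


def bug_title(report):
    """Compose a summary line in the same form as this bug's title."""
    title = "AddressSanitizer: %s in %s" % (report["kind"], crash_signature(report))
    if "access" in report:
        title += " with %s size %d" % (report["access"], report["size"])
    return title


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(bug_title(r))
    for f in r["frames"]:
        print("#%d %s  %s" % (f["n"], f["func"], f["loc"]))
```

Run on the report above it yields exactly the summary this bug was filed under; the `consistent` flag is the check a triager wants before trusting the access line, since a mismatch usually means two reports were pasted together or the log was truncated.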
Attached file log.txt
Group: core-security → gfx-core-security
Keywords: sec-high
Severity: normal → critical
Would not surprise me if this was somewhat related to bug 1318283.
Flags: needinfo?(milan)
Milan, can you poke at this bug again? It seems you had a hunch about what is causing this.
Assignee: nobody → milan
Is this still happening? It could be related to other "real" bugs in here, but if this was a single day issue only, it is likely the result of bug 1313884 patch that landed on 11/10 and got backed out on 11/11 (comment 0 has us finding this problem on 11/11 so the timing works.)
Flags: needinfo?(milan) → needinfo?(jschwartzentruber)
No, I can't reproduce it. Your explanation fits my recollection, I think I had to get the exact build it was found on to reproduce it, a newer one didn't work.
Flags: needinfo?(jschwartzentruber)
Calling this fixed by the bug 1313884 backout.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release