Closed
Bug 1316866
Opened 8 years ago
Closed 7 years ago
AddressSanitizer: heap-use-after-free in [@ CanvasRenderingContext2D::DrawImage] with READ size 8
Categories: Core :: Graphics: Canvas2D (defect)
Tracking: RESOLVED FIXED
Version | Tracking | Status
---|---|---
firefox-esr45 | --- | unaffected
firefox51 | --- | fixed
firefox52 | --- | fixed
firefox-esr52 | --- | unaffected
firefox53 | --- | fixed
firefox54 | --- | fixed
People: Reporter: truber, Assigned: milan
References: Blocks 1 open bug
Details: 5 keywords
Attachments: 2 files
Comment 0 (Reporter)

The attached testcase crashes m-c b2b359340a84.

```
==24127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000474b70 at pc 0x7fc276e2cffd bp 0x7ffd9373e490 sp 0x7ffd9373e488
READ of size 8 at 0x60d000474b70 thread T0
    #0 0x7fc276e2cffc in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) dom/canvas/CanvasRenderingContext2D.cpp:4984:5
    #1 0x7fc27619bb84 in DrawImage obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h:218:5
    #2 0x7fc27619bb84 in mozilla::dom::CanvasRenderingContext2DBinding::drawImage(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:4289
    #3 0x7fc276d38f90 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2879:13
```
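The report in comment 0 arrives run together on a single line, which makes bucketing it against other fuzzing finds tedious. The parser below is an added example, not code from this bug or from Mozilla's fuzzing tooling: it re-splits the run-together text into header, access line and frames, embeds the report from the description as a constructed sample, treats paths under obj-firefox/ as generated binding code to skip when choosing the frame to bucket on (an assumption of the example), and builds a signature in the "[@ function]" form used in the bug title.

```python
"""Parse a run-together AddressSanitizer report into a triage summary.

Added example (not Mozilla code). The sample text is the report from comment 0
of bug 1316866, joined across string literals for readability.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the report exactly as it appears (run together) in the bug.
SAMPLE = (
    "==24127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000474b70 "
    "at pc 0x7fc276e2cffd bp 0x7ffd9373e490 sp 0x7ffd9373e488 "
    "READ of size 8 at 0x60d000474b70 thread T0 "
    "#0 0x7fc276e2cffc in mozilla::dom::CanvasRenderingContext2D::DrawImage("
    "mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, "
    "double, double, double, double, double, double, double, double, unsigned char, "
    "mozilla::ErrorResult&) dom/canvas/CanvasRenderingContext2D.cpp:4984:5 "
    "#1 0x7fc27619bb84 in DrawImage obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h:218:5 "
    "#2 0x7fc27619bb84 in mozilla::dom::CanvasRenderingContext2DBinding::drawImage(JSContext*, "
    "JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) "
    "obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:4289 "
    "#3 0x7fc276d38f90 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) "
    "dom/bindings/BindingUtils.cpp:2879:13"
)

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)", re.M)
# function names contain spaces and "::"; the path is the last token without a colon,
# followed by :line and an optional :column
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) ([^\s:]+):(\d+)(?::\d+)?\s*$", re.M)

# Assumption of this example: paths under these prefixes are generated glue, not tree source.
GENERATED_PREFIXES = ("obj-firefox/",)


@dataclass
class Frame:
    index: int
    function: str
    path: str
    line: int


@dataclass
class AsanReport:
    pid: int
    kind: str          # e.g. "heap-use-after-free"
    address: str
    access: Optional[str]   # "READ" / "WRITE", None for non-access reports
    size: Optional[int]
    frames: List[Frame]


def normalize(text: str) -> str:
    """Re-insert the line breaks a copy-paste collapsed: before the access line and each frame."""
    return re.sub(r"\s+(?=(?:READ|WRITE) of size |#\d+ 0x)", "\n", text.strip())


def parse_asan(text: str) -> AsanReport:
    text = normalize(text)
    head = HEADER_RE.search(text)
    if head is None:
        raise ValueError("no AddressSanitizer error header found")
    acc = ACCESS_RE.search(text)
    frames = [
        Frame(int(m.group(1)), m.group(2), m.group(3), int(m.group(4)))
        for m in FRAME_RE.finditer(text)
    ]
    return AsanReport(
        pid=int(head.group(1)),
        kind=head.group(2),
        address=head.group(3),
        access=acc.group(1) if acc else None,
        size=int(acc.group(2)) if acc else None,
        frames=frames,
    )


def first_source_frame(report: AsanReport) -> Optional[Frame]:
    """First frame in tree source; falls back to the top frame if all are generated."""
    for fr in report.frames:
        if not fr.path.startswith(GENERATED_PREFIXES):
            return fr
    return report.frames[0] if report.frames else None


def strip_args(function: str) -> str:
    """'ns::Type::Method(args)' -> 'ns::Type::Method'."""
    return function.split("(", 1)[0]


def signature(report: AsanReport) -> str:
    """Bucket key in the '[@ function]' style used by the bug title."""
    fr = first_source_frame(report)
    where = f" [@ {strip_args(fr.function)}]" if fr else ""
    access = f" {report.access} size {report.size}" if report.access else ""
    return f"{report.kind}{access}{where}"


if __name__ == "__main__":
    rep = parse_asan(SAMPLE)
    print(signature(rep))
    for fr in rep.frames:
        print(f"#{fr.index} {strip_args(fr.function)} {fr.path}:{fr.line}")
```

For the sample above the signature comes out as `heap-use-after-free READ size 8 [@ mozilla::dom::CanvasRenderingContext2D::DrawImage]`; two reports with the same signature are candidates for the same bug, and the frame list makes it quick to see whether the fault is in tree source or only in generated binding code.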
Comment 1 • 8 years ago (Reporter)

Updated • 8 years ago
Group: core-security → gfx-core-security
Updated • 8 years ago (Reporter)
Severity: normal → critical
Comment 2 • 8 years ago (Assignee)

Would not surprise me if this was somewhat related to bug 1318283.

Flags: needinfo?(milan)
Comment 3 • 7 years ago

Milan, can you poke at this bug again? It seems you had a hunch about what is causing this.

Assignee: nobody → milan
Comment 4 • 7 years ago (Assignee)

Is this still happening? It could be related to other "real" bugs in here, but if this was a single-day issue only, it is likely the result of the bug 1313884 patch that landed on 11/10 and got backed out on 11/11 (comment 0 has us finding this problem on 11/11, so the timing works).

Flags: needinfo?(milan) → needinfo?(jschwartzentruber)
Comment 5 • 7 years ago (Reporter)

No, I can't reproduce it. Your explanation fits my recollection; I think I had to get the exact build it was found on to reproduce it, and a newer one didn't work.

Flags: needinfo?(jschwartzentruber)
Comment 6 • 7 years ago (Assignee)

Calling this fixed by the bug 1313884 backout.

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated • 7 years ago
Group: gfx-core-security → core-security-release
Updated • 7 years ago
Blocks: 1313884
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Keywords: regression
Updated • 7 years ago
Group: core-security-release
Updated • 4 years ago
Blocks: asan-maintenance