Closed Bug 1328323 (CVE-2017-5412) Opened 3 years ago Closed 3 years ago

Heap-buffer-overflow read in ColorComponentAtPoint

Categories

(Core :: GFX: Color Management, defect)


Tracking


RESOLVED FIXED
mozilla53
Tracking Status
firefox-esr45 --- wontfix
firefox51 --- wontfix
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: attekett, Assigned: gw280)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main52+] probably fixed by 1329849)

Attachments

(1 file)

Tested on:

OS: Ubuntu 16.04 

Firefox: ASAN build of moz_source_stamp: 2bd53e4e662bcdd32c53cb4e09ceff088e8f6369

Minimized repro-file as an attachment.

ASAN-trace:

=================================================================
==18497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2f4ae127ff at pc 0x7f2f82468ba2 bp 0x7ffcbafc13d0 sp 0x7ffcbafc13c8
READ of size 1 at 0x7f2f4ae127ff thread T0
    #0 0x7f2f82468ba1 in ColorComponentAtPoint /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2279:10
    #1 0x7f2f82468ba1 in GenerateNormal<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3439
    #2 0x7f2f82468ba1 in DoRender<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3537
    #3 0x7f2f82468ba1 in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::DistantLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3464
    #4 0x7f2f823f2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
    #5 0x7f2f823fc34e in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:714:17
    #6 0x7f2f8242b2a4 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3126:10
    #7 0x7f2f823f2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
    #8 0x7f2f823bd6db in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:566:14
    #9 0x7f2f824c9f41 in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:3
    #10 0x7f2f876843ce in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:510:3
    #11 0x7f2f876837e0 in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:79:10
.
.
.
0x7f2f4ae127ff is located 1 bytes to the left of 260175-byte region [0x7f2f4ae12800,0x7f2f4ae5204f)
allocated by thread T0 here:
    #0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x7f2f824a71c3 in Realloc /home/worker/workspace/build/src/gfx/2d/Tools.h:181:41
    #2 0x7f2f824a71c3 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /home/worker/workspace/build/src/gfx/2d/SourceSurfaceRawData.cpp:66
    #3 0x7f2f823875a8 in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /home/worker/workspace/build/src/gfx/2d/Factory.cpp:818:7
    #4 0x7f2f8240ef08 in mozilla::gfx::FilterProcessing::ExtractAlpha(mozilla::gfx::DataSourceSurface*) /home/worker/workspace/build/src/gfx/2d/FilterProcessing.cpp:16:37
    #5 0x7f2f82466882 in DoRender<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3503:13
    #6 0x7f2f82466882 in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::DistantLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3464
    #7 0x7f2f823f2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
    #8 0x7f2f823fc34e in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:714:17
    #9 0x7f2f8242b2a4 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3126:10
    #10 0x7f2f823f2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
    #11 0x7f2f823bd6db in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:566:14
.
.
.
Attachment #8823357 - Attachment description: firefox-heap-buffer-overflow-ColorComponentAtPoint-min.svg → SVG image testcase (CRASHES affected versions)
Jeff: what's being read here? I'm assuming something like reading random data and turning it into part of the filter, which could then be figured out if the image was rendered into a canvas. Is it a big chunk of data read one by one, or is it just an off-by-one? The amount of data that could be read in affects the severity.
Group: core-security → gfx-core-security
Keywords: crash, testcase
A lot of bytes accessed one by one, in the neighbourhood of the heap allocated memory we should be accessing.
This asserts in the debug non-ASAN build, when acceleration is off.
Assignee: nobody → gwright
Flags: sec-bounty?
Keywords: sec-moderate
Flags: needinfo?(gwright)
Looks like this was fixed by bug 1329849; at least, I can't reproduce with current mozilla-central, but if I back out those patches I hit the assert Milan described in comment 2.

Also tried ASAN builds and couldn't get it to crash.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(gwright)
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Target Milestone: --- → mozilla53
Flags: sec-bounty? → sec-bounty+
Whiteboard: probably fixed by 1329849
Flags: qe-verify-
Whiteboard: probably fixed by 1329849 → [post-critsmash-triage] probably fixed by 1329849
Whiteboard: [post-critsmash-triage] probably fixed by 1329849 → [post-critsmash-triage][adv-main52+] probably fixed by 1329849
Alias: CVE-2017-5412
Group: core-security-release
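The read in the ASAN report above has the classic shape of an edge-pixel bug in a neighbourhood kernel: a 1-byte read located one byte before a region that ExtractAlpha allocated, issued from a routine that samples a pixel's surroundings. The C program below is an added illustration of that class, not code from this bug, from bug 1329849 or from Firefox: it builds a small constructed 1-byte-per-pixel surface, shows the unchecked offset arithmetic that lands one byte before the buffer for the left neighbour of pixel (0,0), and gives a clamped sampler plus an audit helper that counts how many neighbour reads at a given pixel would leave the allocation. The surface layout, every function name and all pixel values are assumptions made for this example; how the actual Firefox code indexes its surfaces is not shown on this page.

```c
/* Added example (not Firefox code): edge-pixel reads in a 3x3 neighbourhood
 * kernel over a 1-byte-per-pixel surface, unchecked versus clamped.
 * Everything below (types, names, pixel values) is constructed for this
 * illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *data; /* height*stride bytes, row-major, 1 byte per pixel */
    int32_t width;
    int32_t height;
    int32_t stride;      /* bytes per row; equals width in this example */
} AlphaSurface;

/* Constructed 4x3 surface used by main() and by the checks. */
static const uint8_t kDemoPixels[12] = {
     10,  20,  30,  40,
     50,  60,  70,  80,
     90, 100, 110, 120,
};

const AlphaSurface *demo_surface(void)
{
    static const AlphaSurface s = { kDemoPixels, 4, 3, 4 };
    return &s;
}

/* Byte offset of pixel (x,y) with no bounds check. At (x,y) = (-1,0),
 * the left neighbour of the first pixel, this is -1: one byte before the
 * start of the allocation, the same distance ASAN reported above. */
long unchecked_offset(const AlphaSurface *s, int32_t x, int32_t y)
{
    return (long)y * s->stride + x;
}

static int32_t clamp_i32(int32_t v, int32_t lo, int32_t hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Clamped read: coordinates are pulled into [0,width-1] x [0,height-1],
 * so an edge pixel's missing neighbour is replaced by the nearest real
 * pixel and no index ever leaves the buffer. */
uint8_t sample_clamped(const AlphaSurface *s, int32_t x, int32_t y)
{
    int32_t cx = clamp_i32(x, 0, s->width - 1);
    int32_t cy = clamp_i32(y, 0, s->height - 1);
    return s->data[(size_t)cy * (size_t)s->stride + (size_t)cx];
}

/* True when the full 3x3 window around (x,y) lies inside the surface,
 * i.e. when an unchecked read of every neighbour would still be in bounds. */
int window3x3_in_bounds(const AlphaSurface *s, int32_t x, int32_t y)
{
    return x >= 1 && y >= 1 && x <= s->width - 2 && y <= s->height - 2;
}

/* How many of the nine neighbour reads at (x,y) would fall outside the
 * allocation if taken without a check. Useful when auditing a kernel:
 * any pixel with a non-zero count needs clamping or an explicit edge rule. */
int out_of_bounds_reads3x3(const AlphaSurface *s, int32_t x, int32_t y)
{
    int n = 0;
    for (int32_t dy = -1; dy <= 1; dy++)
        for (int32_t dx = -1; dx <= 1; dx++) {
            int32_t px = x + dx, py = y + dy;
            if (px < 0 || py < 0 || px >= s->width || py >= s->height)
                n++;
        }
    return n;
}

/* Sum of the 3x3 neighbourhood through the clamped sampler; stands in for
 * any per-pixel kernel that reads neighbours (a normal-map generator reads
 * the same window). */
int sum3x3_clamped(const AlphaSurface *s, int32_t x, int32_t y)
{
    int sum = 0;
    for (int32_t dy = -1; dy <= 1; dy++)
        for (int32_t dx = -1; dx <= 1; dx++)
            sum += sample_clamped(s, x + dx, y + dy);
    return sum;
}

int main(void)
{
    const AlphaSurface *s = demo_surface();
    printf("offset of (-1,0) unchecked: %ld\n", unchecked_offset(s, -1, 0));
    printf("out-of-bounds neighbour reads at (0,0): %d\n",
           out_of_bounds_reads3x3(s, 0, 0));
    printf("clamped 3x3 sum at (0,0): %d\n", sum3x3_clamped(s, 0, 0));
    return 0;
}
```

The audit helper is the part worth keeping around when reviewing a kernel like this: run it over the four corner pixels and the first and last row and column of any surface the kernel is given, and every position that reports a non-zero count is a read the code must either clamp or handle with an explicit edge mode. Clamping is one valid policy; whichever policy the filter specification calls for, the index computed from the adjusted coordinates is what must stay inside the allocation.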