Closed
Bug 1328323 (CVE-2017-5412)
Opened 8 years ago
Closed 8 years ago
Heap-buffer-overflow read in ColorComponentAtPoint
Categories: Core :: Graphics: Color Management, defect
RESOLVED FIXED
Target Milestone: mozilla53
People: Reporter: attekett, Assigned: gw280
Details: 5 keywords, Whiteboard: [post-critsmash-triage][adv-main52+] probably fixed by 1329849
Attachments (1 file): 356 bytes, image/svg+xml
Tested on:
OS: Ubuntu 16.04
Firefox: ASAN build of moz_source_stamp: 2bd53e4e662bcdd32c53cb4e09ceff088e8f6369
Minimized repro-file as an attachment.
ASAN-trace:
=================================================================
==18497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2f4ae127ff at pc 0x7f2f82468ba2 bp 0x7ffcbafc13d0 sp 0x7ffcbafc13c8
READ of size 1 at 0x7f2f4ae127ff thread T0
#0 0x7f2f82468ba1 in ColorComponentAtPoint /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2279:10
#1 0x7f2f82468ba1 in GenerateNormal<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3439
#2 0x7f2f82468ba1 in DoRender<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3537
#3 0x7f2f82468ba1 in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::DistantLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3464
#4 0x7f2f823f2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
#5 0x7f2f823fc34e in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:714:17
#6 0x7f2f8242b2a4 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3126:10
#7 0x7f2f823f2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
#8 0x7f2f823bd6db in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:566:14
#9 0x7f2f824c9f41 in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:3
#10 0x7f2f876843ce in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:510:3
#11 0x7f2f876837e0 in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:79:10
.
.
.
0x7f2f4ae127ff is located 1 bytes to the left of 260175-byte region [0x7f2f4ae12800,0x7f2f4ae5204f)
allocated by thread T0 here:
#0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x7f2f824a71c3 in Realloc /home/worker/workspace/build/src/gfx/2d/Tools.h:181:41
#2 0x7f2f824a71c3 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /home/worker/workspace/build/src/gfx/2d/SourceSurfaceRawData.cpp:66
#3 0x7f2f823875a8 in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /home/worker/workspace/build/src/gfx/2d/Factory.cpp:818:7
#4 0x7f2f8240ef08 in mozilla::gfx::FilterProcessing::ExtractAlpha(mozilla::gfx::DataSourceSurface*) /home/worker/workspace/build/src/gfx/2d/FilterProcessing.cpp:16:37
#5 0x7f2f82466882 in DoRender<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3503:13
#6 0x7f2f82466882 in mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::(anonymous namespace)::DistantLightSoftware, mozilla::gfx::(anonymous namespace)::DiffuseLightingSoftware>::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3464
#7 0x7f2f823f2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
#8 0x7f2f823fc34e in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:714:17
#9 0x7f2f8242b2a4 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3126:10
#10 0x7f2f823f2f6a in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:613:21
#11 0x7f2f823bd6db in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:566:14
.
.
.
Updated•8 years ago
Keywords: csectype-bounds
Updated•8 years ago
Attachment #8823357 -
Attachment description: firefox-heap-buffer-overflow-ColorComponentAtPoint-min.svg → SVG image testcase (CRASHES affected versions)
Comment 1•8 years ago
Jeff: what's being read here? I'm assuming something like reading random data and turning it into part of the filter, which could then be figured out if the image was rendered into a canvas. Is it a big chunk of data read one by one, or is it just an off-by-one? The amount of data that could be read in affects the severity.
Group: core-security → gfx-core-security
Updated•8 years ago
A lot of bytes accessed one by one, in the neighbourhood of the heap-allocated memory we should be accessing.
This asserts in the debug non-ASAN build, when acceleration is off.
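The report above places the faulting read one byte before the start of a heap allocation, reached one byte at a time while the lighting filter generates surface normals. As an added illustration that is neither Gecko's ColorComponentAtPoint nor any code from this bug, the C below shows the two guards such a per-component read needs: refusing out-of-range coordinates outright, and clamping neighbour lookups to the surface edge. The Surface layout, all function names and the 3x2 sample are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed surface layout (not Gecko's DataSourceSurface): rows of 'stride'
 * bytes, 'bpp' bytes per pixel, one component per byte. */
typedef struct { const uint8_t *data; int32_t width, height, stride, bpp; } Surface;

/* Guard 1: refuse any (x, y, component) outside the surface instead of
 * forming an address before or past the buffer. x == -1 on row 0 is the
 * "1 bytes to the left of ... region" shape seen in the ASAN report. */
bool color_component_at_point(const Surface *s, int32_t x, int32_t y,
                              int32_t component, uint8_t *out)
{
    if (s == NULL || s->data == NULL || out == NULL) return false;
    if (x < 0 || y < 0 || x >= s->width || y >= s->height) return false;
    if (component < 0 || component >= s->bpp) return false;
    /* every operand is non-negative here, so the size_t math cannot wrap */
    size_t off = (size_t)y * (size_t)s->stride + (size_t)x * (size_t)s->bpp;
    *out = s->data[off + (size_t)component];
    return true;
}

/* Guard 2: neighbour sampling with edge clamping, which a normal-generation
 * step that reads (x-1..x+1, y-1..y+1) needs at the surface border. */
uint8_t alpha_at_clamped(const Surface *s, int32_t x, int32_t y)
{
    if (x < 0) x = 0; else if (x >= s->width) x = s->width - 1;
    if (y < 0) y = 0; else if (y >= s->height) y = s->height - 1;
    uint8_t v = 0;
    color_component_at_point(s, x, y, 0, &v); /* cannot fail after clamping */
    return v;
}

/* Helper for checking results: component value, or -1 when the read was refused. */
int component_or_minus_one(const Surface *s, int32_t x, int32_t y, int32_t c)
{
    uint8_t v;
    return color_component_at_point(s, x, y, c, &v) ? (int)v : -1;
}

/* Constructed sample: a 3x2 A8 surface, 1 byte per pixel, 4-byte stride. */
static const uint8_t kSample[8] = { 10, 20, 30, 0, 40, 50, 60, 0 };
Surface sample_surface(void) { Surface s = { kSample, 3, 2, 4, 1 }; return s; }
```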
Updated•8 years ago
Assignee: nobody → gwright
Updated•8 years ago
Flags: sec-bounty?
Keywords: sec-moderate
Updated•8 years ago
Flags: needinfo?(gwright)
Comment 3•8 years ago
Looks like this was fixed by bug 1329849; at least, I can't reproduce with current mozilla-central, but if I back out those patches I hit the assert milan described in comment 2.
Also tried ASAN builds and couldn't get it to crash.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(gwright)
Resolution: --- → FIXED
Updated•8 years ago
Group: gfx-core-security → core-security-release
Updated•8 years ago
status-firefox51: --- → wontfix
status-firefox52: --- → fixed
status-firefox53: --- → fixed
status-firefox-esr45: --- → wontfix
Target Milestone: --- → mozilla53
Updated•8 years ago
Flags: sec-bounty? → sec-bounty+
Updated•8 years ago
Whiteboard: probably fixed by 1329849
Updated•8 years ago
Flags: qe-verify-
Whiteboard: probably fixed by 1329849 → [post-critsmash-triage] probably fixed by 1329849
Updated•8 years ago
Whiteboard: [post-critsmash-triage] probably fixed by 1329849 → [post-critsmash-triage][adv-main52+] probably fixed by 1329849
Updated•8 years ago
Alias: CVE-2017-5412
Updated•7 years ago
Group: core-security-release
Updated•6 months ago
Keywords: reporter-external