Closed Bug 1328760 Opened 9 years ago Closed 9 years ago

AddressSanitizer: heap-buffer-overflow @ nsMultiMixedConv::OnDataAvailable()

Categories

(Core :: Networking: HTTP, defect)

51 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1321612

People

(Reporter: bc, Unassigned)

Attachments

(1 file)

Attached file log with asan report
Bughunter found an asan heap buffer overflow on Beta/51 Ubuntu 64bit on http://swling.com/UTC.htm

The other branches also have a variety of other problems:

Firefox Beta/51 and Aurora/52 Windows 10 32bit

Assertion failure: aNewProgress & (FLAG_SIZE_AVAILABLE | FLAG_HAS_ERROR), at c:/builds/moz2_slave/m-beta-w32-d-00000000000000000/build/src/image/ProgressTracker.cpp:41

Thread 0 (crashed)
 0  xul.dll!mozilla::image::CheckProgressConsistency [ProgressTracker.cpp:45f796204c54 : 34 + 0x24]
    eip = 0x526a5aad esp = 0x010fefa4 ebp = 0x010fefa8 ebx = 0x0f2c9730
    esi = 0x00000029 edi = 0x010ff03c eax = 0x55147d18 ecx = 0x73f706ef
    edx = 0x00f40000 efl = 0x00200202
    Found by: given as instruction pointer in context

Beta/51, Aurora/52 Windows 10, Windows 7

Assertion failure: aNewProgress & (FLAG_SIZE_AVAILABLE | FLAG_HAS_ERROR), at c:/builds/moz2_slave/m-aurora-w32-d-000000000000000/build/src/image/ProgressTracker.cpp:41

Thread 0 (crashed)
 0  xul.dll!mozilla::image::CheckProgressConsistency [ProgressTracker.cpp:45f796204c54 : 34 + 0x24]
    eip = 0x526a5aad esp = 0x010fefa4 ebp = 0x010fefa8 ebx = 0x0f2c9730
    esi = 0x00000029 edi = 0x010ff03c eax = 0x55147d18 ecx = 0x73f706ef
    edx = 0x00f40000 efl = 0x00200202

Aurora/52 Linux 64bit, Nightly/53 Windows 10 64bit

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Called Complete more than once), at c:/builds/moz2_slave/m-cen-w64-d-000000000000000000/build/src/image/SourceBuffer.cpp:467

Thread 0 (crashed)
 0  xul.dll!mozilla::image::SourceBuffer::Complete(nsresult) [SourceBuffer.cpp:31ffcb82ced8 : 467 + 0x2c]
Group: core-security → network-core-security
Component: ImageLib → Networking: HTTP
this might be a dup of a different imglib issue that honza triaged.. I can't find the number off hand..
Flags: needinfo?(honzab.moz)
Yeah, this looks like a dupe of bug 1320899. Which is now a tracking bug to cover several issues. The bug for the networking issue is bug 1321612.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
fwiw, this occurs as far back as Firefox 29 20140102030203 and probably Firefox 22 20130401030817
(In reply to Bob Clary [:bc:] from comment #4)
> fwiw, this occurs as far back as Firefox 29 20140102030203 and probably
> Firefox 22 20130401030817

Yeah, the code here is super old.
(In reply to Patrick McManus [:mcmanus] from comment #1)
> this might be a dup of a different imglib issue that honza triaged.. I can't
> find the number off hand..

yep, thanks.
Flags: needinfo?(honzab.moz)
Group: network-core-security