Closed Bug 1341751 Opened 3 years ago Closed 3 years ago

negative-size-param in mozilla::gl::RemoveNamesFromArray

Categories

(Core :: Graphics, defect)

defect
Not set

Tracking


RESOLVED INCOMPLETE
Tracking Status
firefox54 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase-wanted)

Attachments

(1 file)

Attached file log.txt
I've seen this a few times while fuzzing canvas. Unfortunately I don't have a good test case.

==16241==ERROR: AddressSanitizer: negative-size-param: (size=-16)
    #0 0x49bc8b in __asan_memmove /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:425:3
    #1 0x7f3a6cf9001c in nsTArray_CopyWithMemutils::MoveOverlappingRegion(void*, void*, unsigned long, unsigned long) /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:738:5
    #2 0x7f3a6e8ffeb5 in mozilla::gl::RemoveNamesFromArray(mozilla::gl::GLContext*, int, unsigned int const*, nsTArray<mozilla::gl::GLContext::NamedResource>&) /home/worker/workspace/build/src/gfx/gl/GLContext.cpp:2363:17
    #3 0x7f3a6e91818c in mozilla::gl::BasicTextureImage::~BasicTextureImage() /home/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:119:9
    #4 0x7f3a6e9181cd in mozilla::gl::BasicTextureImage::~BasicTextureImage() /home/worker/workspace/build/src/gfx/gl/GLTextureImage.cpp:108:1
    #5 0x7f3a6e92b865 in mozilla::gl::TextureImage::Release() /home/worker/workspace/build/src/gfx/gl/GLTextureImage.h:36:5
    #6 0x7f3a6ec1cb8f in RefPtr<mozilla::gl::TextureImage>::operator=(decltype(nullptr)) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:166:5
    #7 0x7f3a6ebfc1d3 in mozilla::layers::TextureImageTextureSourceOGL::DeallocateDeviceData() /home/worker/workspace/build/src/gfx/layers/opengl/TextureHostOGL.h:165:15
    #8 0x7f3a6eb50f74 in mozilla::layers::BufferTextureHost::DeallocateDeviceData() /home/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:528:5
    #9 0x7f3a6eb4f133 in mozilla::layers::TextureHost::Finalize() /home/worker/workspace/build/src/gfx/layers/composite/TextureHost.cpp:308:5
    #10 0x7f3a6e9bcb01 in mozilla::AtomicRefCountedWithFinalize<mozilla::layers::TextureHost>::Release() /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/AtomicRefCountedWithFinalize.h:137:9
    #11 0x7f3a6eb203e9 in mozilla::layers::ContentHostTexture::~ContentHostTexture() /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/ContentHost.h:112:7
    #12 0x7f3a6eb20a6d in mozilla::layers::ContentHostSingleBuffered::~ContentHostSingleBuffered() /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/ContentHost.h:217:40
...
see log.txt
(In reply to Milan Sreckovic [:milan] from comment #1)
> 32-bit build, I assume?

ASan debug x64 actually.
Without a testcase we might not make much progress here.
Flags: needinfo?(twsmith)
Keywords: testcase-wanted
(In reply to Tyson Smith [:tsmith] from comment #2)
> (In reply to Milan Sreckovic [:milan] from comment #1)
> > 32-bit build, I assume?
> 
> ASan debug x64 actually.

I was assuming 32-bit based on the size parameter being -16 and the struct in the array being 12 + 4 for the alignment (on the 32-bit). Come to think of it, it's probably 16 on the 64-bit as well.
If I get a test case I will attach it. If devs decide no progress can be made I'm fine marking this as incomplete.
Flags: needinfo?(twsmith)
Eric landed a patch that should check this in release builds, so hopefully that defangs this crash. Reopen if you see this again.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Group: gfx-core-security
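As an added example, not code from this bug or from Mozilla's tree: a sketch of how a one-element underflow of the tail length becomes the memmove(size=-16) ASan reports above (unsigned wrap printed as a signed number), alongside the kind of release-mode range check the closing comment refers to. The element layout, function names and the out-of-range input are assumptions; the bug does not say how the bad index arose.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for the array element (hypothetical layout): 8 + 4 bytes of fields
// plus 4 bytes of tail padding, so one element is the 16 bytes behind "-16".
struct alignas(8) NamedEntry {
    uint64_t origin;
    uint32_t name;
};
static_assert(sizeof(NamedEntry) == 16, "example assumes 16-byte elements");

// Byte count an unchecked tail shift would pass to memmove when removing
// `count` elements at `start`. size_t arithmetic wraps rather than going
// negative; ASan prints the wrapped value as a signed number.
size_t UncheckedTailMoveBytes(size_t length, size_t start, size_t count) {
    return (length - start - count) * sizeof(NamedEntry);
}

// How ASan's negative-size-param message renders that size_t.
long AsReportedByAsan(size_t bytes) { return static_cast<long>(bytes); }

// Hardened removal: validate the range before touching memory and report
// failure to the caller instead of trusting the index. Returns false on a
// bad range, leaving the array untouched.
bool RemoveElementsAtChecked(std::vector<NamedEntry>& arr, size_t start,
                             size_t count) {
    const size_t length = arr.size();
    if (start > length || count > length - start) {
        return false;  // tail length would underflow; refuse the move
    }
    const size_t tail = length - start - count;
    if (tail > 0) {
        std::memmove(arr.data() + start, arr.data() + start + count,
                     tail * sizeof(NamedEntry));
    }
    arr.resize(length - count);
    return true;
}

// Constructed scenario: a 3-element array, first the out-of-range removal that
// would yield memmove(size=-16) unchecked, then a valid one. Returns 2 on the
// expected path, a negative code otherwise.
int RunScenario() {
    std::vector<NamedEntry> arr = {{1, 10}, {2, 20}, {3, 30}};
    if (RemoveElementsAtChecked(arr, 3, 1)) return -1;   // must be refused
    if (!RemoveElementsAtChecked(arr, 1, 1)) return -2;  // must succeed
    return arr[1].name == 30 ? static_cast<int>(arr.size()) : -3;
}
```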