Closed
Bug 1377005
Opened 7 years ago
Closed 7 years ago
AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkOpts_hsw.cpp:57:54 in hsw::convolve_vertically(short const*, int, unsigned char* const*, int, unsigned char*, bool)
Categories
(Core :: Graphics, defect)
Tracking
RESOLVED DUPLICATE of bug 1375842
People
(Reporter: radu.stanca, Unassigned)
References
Details
(Keywords: csectype-bounds, sec-moderate, Whiteboard: Possible dupe of bug 1375842 [gfx-noted])
Attachments
(1 file) 24.09 KB, text/plain
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36

Steps to reproduce:

Firefox crashes when trying to open Firefox Screenshots. Steps to reproduce (I'm using Debian Stable with Gnome):

1. Download the ASAN build from here: https://tools.taskcluster.net/task-inspector/#OpgK-c39TMOuk0GZKUki9g/
2. Open any page; I went to https://bugzilla.mozilla.org
3. Click on the Firefox Screenshots button in the toolbar and the browser will crash

Actual results:

The browser crashed.

Expected results:

The browser should not have crashed.
Comment 1•7 years ago
Top of crash stack:

==4181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000128b7f at pc 0x7f65bb3521b9 bp 0x7f659eaf1370 sp 0x7f659eaf1368
READ of size 32 at 0x612000128b7f thread T23 (ImgDecoder #1)
    #0 0x7f65bb3521b8 in hsw::convolve_vertically(short const*, int, unsigned char* const*, int, unsigned char*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkOpts_hsw.cpp:57:54
    #1 0x7f65b4ca13cd in operator() /home/worker/workspace/build/src/image/DownscalingFilter.h:283:16
    #2 0x7f65b4ca13cd in WriteUnsafeComputedRow<unsigned int, (lambda at /home/worker/workspace/build/src/image/DownscalingFilter.h:281:53)> /home/worker/workspace/build/src/image/SurfacePipe.h:386
    #3 0x7f65b4ca13cd in mozilla::image::DownscalingFilter<mozilla::image::SurfaceSink>::DownscaleInputRow() /home/worker/workspace/build/src/image/DownscalingFilter.h:281
    #4 0x7f65b4ca0e87 in mozilla::image::DownscalingFilter<mozilla::image::SurfaceSink>::DoAdvanceRow() /home/worker/workspace/build/src/image/DownscalingFilter.h:245:7
    #5 0x7f65b4c9a4a8 in AdvanceRow /home/worker/workspace/build/src/image/SurfacePipe.h:131:19
    #6 0x7f65b4c9a4a8 in DoWritePixelsToRow<unsigned int, (lambda at /home/worker/workspace/build/src/image/decoders/nsPNGDecoder.cpp:913:49)> /home/worker/workspace/build/src/image/SurfacePipe.h:499

Milan, can you look/redirect as necessary?
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Flags: needinfo?(milan)
Product: Firefox → Core
Comment 2•7 years ago
Possible dupe of bug 1375842.

(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> Possible dupe of bug 1375842.

Let's run with this assumption for now.
Flags: needinfo?(milan)
See Also: → 1375842
Updated•7 years ago
Comment 4•7 years ago
The probable-dupe bug 1375842 is rated sec-high because we have a testcase that triggers it from web content. If this is not a duplicate then it would get a provisional sec-moderate rating because the user-action required makes it less likely to be useful in a wide-spread attack.
Keywords: csectype-bounds, sec-moderate
Updated•7 years ago
Whiteboard: Possible dupe of bug 1375842 → Possible dupe of bug 1375842 [gfx-noted]
Comment 5•7 years ago
This is fixed by the patch in bug 1375842.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•4 years ago
Group: gfx-core-security