Closed Bug 1377005 Opened 7 years ago Closed 7 years ago

AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkOpts_hsw.cpp:57:54 in hsw::convolve_vertically(short const*, int, unsigned char* const*, int, unsigned char*, bool)

Categories: Core :: Graphics, defect
Version: 56 Branch
Type: defect
Priority: Not set
Severity: normal
RESOLVED DUPLICATE of bug 1375842

People

(Reporter: radu.stanca, Unassigned)

Details

(Keywords: csectype-bounds, sec-moderate, Whiteboard: Possible dupe of bug 1375842 [gfx-noted])

Attachments

(1 file)

Attached file stacktrace.txt
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36

Steps to reproduce:

Firefox crashes when trying to open Firefox Screenshots

Steps to reproduce (I'm using Debian Stable with Gnome):

1. Download the ASAN build from here

https://tools.taskcluster.net/task-inspector/#OpgK-c39TMOuk0GZKUki9g/

2. Open any page; I went to https://bugzilla.mozilla.org

3. Click on the Firefox Screenshots button in the toolbar and the browser will crash.

Actual results:

The browser crashed


Expected results:

The browser should not have crashed.

Top of crash stack:

==4181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000128b7f at pc 0x7f65bb3521b9 bp 0x7f659eaf1370 sp 0x7f659eaf1368
READ of size 32 at 0x612000128b7f thread T23 (ImgDecoder #1)
    #0 0x7f65bb3521b8 in hsw::convolve_vertically(short const*, int, unsigned char* const*, int, unsigned char*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkOpts_hsw.cpp:57:54
    #1 0x7f65b4ca13cd in operator() /home/worker/workspace/build/src/image/DownscalingFilter.h:283:16
    #2 0x7f65b4ca13cd in WriteUnsafeComputedRow<unsigned int, (lambda at /home/worker/workspace/build/src/image/DownscalingFilter.h:281:53)> /home/worker/workspace/build/src/image/SurfacePipe.h:386
    #3 0x7f65b4ca13cd in mozilla::image::DownscalingFilter<mozilla::image::SurfaceSink>::DownscaleInputRow() /home/worker/workspace/build/src/image/DownscalingFilter.h:281
    #4 0x7f65b4ca0e87 in mozilla::image::DownscalingFilter<mozilla::image::SurfaceSink>::DoAdvanceRow() /home/worker/workspace/build/src/image/DownscalingFilter.h:245:7
    #5 0x7f65b4c9a4a8 in AdvanceRow /home/worker/workspace/build/src/image/SurfacePipe.h:131:19
    #6 0x7f65b4c9a4a8 in DoWritePixelsToRow<unsigned int, (lambda at /home/worker/workspace/build/src/image/decoders/nsPNGDecoder.cpp:913:49)> /home/worker/workspace/build/src/image/SurfacePipe.h:499

Milan, can you look/redirect as necessary?
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Flags: needinfo?(milan)
Product: Firefox → Core
Possible dupe of bug 1375842.
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> Possible dupe of bug 1375842.

Let's run with this assumption for now.
Flags: needinfo?(milan)
See Also: → 1375842
Group: core-security → gfx-core-security
Depends on: 1375842
Whiteboard: Possible dupe of bug 1375842
The probable-dupe bug 1375842 is rated sec-high because we have a testcase that triggers it from web content. If this is not a duplicate then it would get a provisional sec-moderate rating because the user-action required makes it less likely to be useful in a wide-spread attack.
Whiteboard: Possible dupe of bug 1375842 → Possible dupe of bug 1375842 [gfx-noted]
This is fixed by the patch in bug 1375842.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security