Closed Bug 1377369 Opened 3 years ago Closed 3 years ago

Crash in memcpy | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges

Categories

(Core :: Networking: Cache, defect, critical)

56 Branch
Unspecified
Windows 10
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- disabled
firefox56 --- verified

People

(Reporter: ananuti, Assigned: michal)

References

Details

(Keywords: crash, csectype-bounds, sec-critical, Whiteboard: [necko-active])

Crash Data

Attachments

(3 files)

Attached file log.tar.xz
This bug was filed from the Socorro interface and is report bp-331dd3d0-9018-4f07-8088-bc9b80170630.
=============================================================

Frequent crashes with JSBC eager and most of them are from facebook.com.

Attached log modules: timestamp,rotate:50,nsHttp:5,nsSocketTransport:5,nsStreamPump:5,nsHostResolver:5,cache2:5,sync
Assignee: nobody → michal.novotny
Whiteboard: [necko-active]
Duplicate of this bug: 1373668
Duplicate of this bug: 1377682
Ekanan, thanks for the reports.

One thing I noticed, and which is also verified from crash stats reports, is that when this crash appears the first time, it will likely appear on the same website repeatedly afterwards.
Crash Signature: [@ memcpy | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges] → [@ memcpy | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges] [@ vcruntime140.dll@0xc387 | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges]
Crash Signature: [@ memcpy | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges] [@ vcruntime140.dll@0xc387 | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges] → [@ memcpy | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges] [@ vcruntime140.dll@0xc387 | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges] [@ vcruntime140.dll@0xc588 | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges] [@ vcruntime140.d…
Attached patch fix
CacheFileChunkBuffer::FillInvalidRanges uses aOther->mBufSize instead of aOther->mDataSize. mBufSize is the size of the buffer (allocated as 2^n) and we want to access only mDataSize bytes. This bug never occurred before storing alt-data stuff because the new data was always bigger than the data read from the disk. This is no longer true.
Attachment #8883060 - Flags: review?(honzab.moz)
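The distinction the comment above draws, between a power-of-two allocation (mBufSize) and the bytes that actually hold data (mDataSize), shown as an added example. This is not Mozilla's code: the `Chunk` struct, `fillInvalidRange` and the helper names are constructed for illustration. It contrasts the two candidate copy bounds and shows a fill routine that bounds the copy by the source's data size and grows the destination before the memcpy.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of a cache chunk buffer, following the comment above:
// buf.size() plays the role of mBufSize (the allocation, rounded up to a
// power of two) and dataSize plays the role of mDataSize (the valid bytes).
// Illustrative only; this is not Mozilla's CacheFileChunkBuffer.
struct Chunk {
    std::vector<uint8_t> buf; // mBufSize == buf.size()
    size_t dataSize = 0;      // mDataSize
    size_t bufSize() const { return buf.size(); }
};

// Smallest power of two >= n (the 2^n allocation policy from the comment).
size_t roundUpPow2(size_t n) {
    size_t p = 1;
    while (p < n) p <<= 1;
    return p;
}

// Build a chunk whose allocation is 2^n but whose valid data is exactly `data`.
// Slack bytes beyond dataSize are filled with 0xAA so that a copy which strays
// into them is easy to spot.
Chunk makeChunk(const std::vector<uint8_t>& data) {
    Chunk c;
    c.buf.assign(roundUpPow2(std::max<size_t>(data.size(), 1)), 0xAA);
    std::copy(data.begin(), data.end(), c.buf.begin());
    c.dataSize = data.size();
    return c;
}

// The two candidate bounds for "how many bytes of aOther may we read".
size_t buggyCopyBound(const Chunk& other)   { return other.bufSize(); } // aOther->mBufSize
size_t correctCopyBound(const Chunk& other) { return other.dataSize; }  // aOther->mDataSize

// A read of `bound` bytes from `other` is valid only if it stays within the
// bytes that actually hold data; the allocation size says nothing about that.
bool readBoundIsValid(const Chunk& other, size_t bound) {
    return bound <= other.dataSize;
}

// Hardened fill: copy the bytes `self` is missing, i.e. [self.dataSize, other.dataSize),
// from `other` into `self`. The source bound is other.dataSize, never other.bufSize(),
// and the destination is grown (to a power of two) so the memcpy cannot overrun it.
// Returns the number of bytes copied.
size_t fillInvalidRange(Chunk& self, const Chunk& other) {
    size_t from = self.dataSize;
    size_t end = other.dataSize;  // the correct bound
    if (from >= end) return 0;    // nothing missing: new data already covers the disk data
    if (self.bufSize() < end) {
        self.buf.resize(roundUpPow2(end), 0);
    }
    std::memcpy(self.buf.data() + from, other.buf.data() + from, end - from);
    self.dataSize = end;
    return end - from;
}
```

With 300 bytes of new data (512-byte allocation) and 1000 bytes read from disk (1024-byte allocation), the buggy bound of 1024 exceeds the 1000 valid source bytes and the 512-byte destination, which is the shape of the crash described above; the hardened routine copies exactly the 700 missing bytes after growing the destination.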
Comment on attachment 8883060 [details] [diff] [review]
fix

Review of attachment 8883060 [details] [diff] [review]:
-----------------------------------------------------------------

Michal says Honza might not be available on short notice. Patch looks simple enough. r+
Attachment #8883060 - Flags: review?(honzab.moz) → review+
Pushed by mnovotny@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/216b686cdbaa
Crash in memcpy | mozilla::net::CacheFileChunkBuffer::FillInvalidRanges, r=valentin
https://hg.mozilla.org/mozilla-central/rev/216b686cdbaa
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Status: RESOLVED → VERIFIED