Bug 1377895 - Skia filter heap-buffer-overflow.
Opened 7 years ago; closed 7 years ago.
Categories: Core :: Graphics, defect
Status: RESOLVED DUPLICATE of bug 1375842
Reporter: lipe; Assigned: lsalzman
Attachments (1 file): image/jpeg, 8.78 KB
Description

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46
Build ID: 20161229190117

Steps to reproduce:

Opening the following html content with the attached jpeg file causes a crash reported as a heap-buffer-overflow on a Nightly ASAN build:

    <!DOCTYPE html>
    <html>
    <head>
    <meta content="no-cache" http-equiv="Cache-Control"/>
    <meta charset="utf-8"/>
    <script>
    function test() {
      var img = document.createElement("img");
      img.style.marginRight = "auto";
      img.style.marginLeft = "auto";
      img.style.maxWidth = "100%";
      img.setAttribute("width", "250");
      img.src = "image.jpg";
      document.body.appendChild(img);
    }
    </script>
    </head>
    <body onload="test()"></body>
    </html>

Actual results:

    =================================================================
    ==15952==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900024b77f at pc 0x7f8d2e3d6729 bp 0x7f8d17207430 sp 0x7f8d17207428
    READ of size 32 at 0x61900024b77f thread T25 (ImgDecoder #6)
        #0 0x7f8d2e3d6728 in hsw::convolve_vertically(short const*, int, unsigned char* const*, int, unsigned char*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkOpts_hsw.cpp:57:54
        #1 0x7f8d27c3e696 in mozilla::image::Downscaler::DownscaleInputLine() /home/worker/workspace/build/src/image/Downscaler.cpp:283:12
        #2 0x7f8d27c3e001 in mozilla::image::Downscaler::CommitRow() /home/worker/workspace/build/src/image/Downscaler.cpp:207:7
        #3 0x7f8d27d42696 in mozilla::image::nsJPEGDecoder::OutputScanlines(bool*) /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:718:22
        #4 0x7f8d27d40026 in mozilla::image::nsJPEGDecoder::ReadJPEGData(char const*, unsigned long) /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:499:9
        #5 0x7f8d27d78be2 in operator() /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:194:16
        #6 0x7f8d27d78be2 in mozilla::Maybe<mozilla::Variant<mozilla::image::TerminalState, mozilla::image::Yield> > mozilla::image::StreamingLexer<mozilla::image::nsJPEGDecoder::State, 16ul>::ContinueUnbufferedRead<mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_7>(char const*, unsigned long, unsigned long, mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_7) /home/worker/workspace/build/src/image/StreamingLexer.h:541
        #7 0x7f8d27d39739 in UnbufferedRead<(lambda at /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:191:21)> /home/worker/workspace/build/src/image/StreamingLexer.h:485:12
        #8 0x7f8d27d39739 in Lex<(lambda at /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:191:21)> /home/worker/workspace/build/src/image/StreamingLexer.h:453
        #9 0x7f8d27d39739 in mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:190
        #10 0x7f8d27c26ad8 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /home/worker/workspace/build/src/image/Decoder.cpp:130:20
        #11 0x7f8d27c3479e in mozilla::image::DecodedSurfaceProvider::Run() /home/worker/workspace/build/src/image/DecodedSurfaceProvider.cpp:139:34
        #12 0x7f8d27c55281 in mozilla::image::DecodePoolWorker::Run() /home/worker/workspace/build/src/image/DecodePool.cpp:178:23
        #13 0x7f8d2562ffd8 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1422:14
        #14 0x7f8d25636128 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
        #15 0x7f8d26415590 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:339:20
        #16 0x7f8d26370be0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
        #17 0x7f8d26370be0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
        #18 0x7f8d26370be0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
        #19 0x7f8d25627d1d in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:504:11
        #20 0x7f8d3fb30423 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
        #21 0x7f8d43120683 in start_thread (/lib64/libpthread.so.0+0x7683)
        #22 0x7f8d421b0efc in __clone (/lib64/libc.so.6+0x106efc)

    0x61900024b77f is located 8 bytes to the right of 1015-byte region [0x61900024b380,0x61900024b777)
    allocated by thread T25 (ImgDecoder #6) here:
        #0 0x4bb9ec in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
        #1 0x7f8d27c3d428 in operator new[] /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:268:12
        #2 0x7f8d27c3d428 in mozilla::image::Downscaler::BeginFrame(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, unsigned char*, bool, bool) /home/worker/workspace/build/src/image/Downscaler.cpp:131
        #3 0x7f8d27d3f8f6 in mozilla::image::nsJPEGDecoder::ReadJPEGData(char const*, unsigned long) /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:396:34
        #4 0x7f8d27d78be2 in operator() /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:194:16
        #5 0x7f8d27d78be2 in mozilla::Maybe<mozilla::Variant<mozilla::image::TerminalState, mozilla::image::Yield> > mozilla::image::StreamingLexer<mozilla::image::nsJPEGDecoder::State, 16ul>::ContinueUnbufferedRead<mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_7>(char const*, unsigned long, unsigned long, mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_7) /home/worker/workspace/build/src/image/StreamingLexer.h:541
        #6 0x7f8d27d39739 in UnbufferedRead<(lambda at /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:191:21)> /home/worker/workspace/build/src/image/StreamingLexer.h:485:12
        #7 0x7f8d27d39739 in Lex<(lambda at /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:191:21)> /home/worker/workspace/build/src/image/StreamingLexer.h:453
        #8 0x7f8d27d39739 in mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) /home/worker/workspace/build/src/image/decoders/nsJPEGDecoder.cpp:190
        #9 0x7f8d27c26ad8 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) /home/worker/workspace/build/src/image/Decoder.cpp:130:20
        #10 0x7f8d27c3479e in mozilla::image::DecodedSurfaceProvider::Run() /home/worker/workspace/build/src/image/DecodedSurfaceProvider.cpp:139:34
        #11 0x7f8d27c55281 in mozilla::image::DecodePoolWorker::Run() /home/worker/workspace/build/src/image/DecodePool.cpp:178:23
        #12 0x7f8d2562ffd8 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1422:14
        #13 0x7f8d25636128 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
        #14 0x7f8d26415590 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:339:20
        #15 0x7f8d26370be0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
        #16 0x7f8d26370be0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
        #17 0x7f8d26370be0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
        #18 0x7f8d25627d1d in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:504:11
        #19 0x7f8d3fb30423 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
        #20 0x7f8d43120683 in start_thread (/lib64/libpthread.so.0+0x7683)

    Thread T25 (ImgDecoder #6) created by T0 (Web Content) here:
        #0 0x4a3dc6 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
        #1 0x7f8d3fb2d1c9 in _PR_CreateThread /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
        #2 0x7f8d3fb2cdde in PR_CreateThread /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
        #3 0x7f8d2562a26e in nsThread::Init(nsACString const&) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:686:8
        #4 0x7f8d256352df in nsThreadManager::NewNamedThread(nsACString const&, unsigned int, nsIThread**) /home/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:273:22
        #5 0x7f8d25638873 in NS_NewNamedThread(nsACString const&, nsIThread**, nsIRunnable*, unsigned int) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:113:45
        #6 0x7f8d27c31c65 in mozilla::image::DecodePoolImpl::CreateThread(nsIThread**, nsIRunnable*) /home/worker/workspace/build/src/image/DecodePool.cpp:133:12
        #7 0x7f8d27c313d3 in mozilla::image::DecodePool::DecodePool() /home/worker/workspace/build/src/image/DecodePool.cpp:262:26
        #8 0x7f8d27c308a0 in Singleton /home/worker/workspace/build/src/image/DecodePool.cpp:214:22
        #9 0x7f8d27c308a0 in mozilla::image::DecodePool::Initialize() /home/worker/workspace/build/src/image/DecodePool.cpp:206
        #10 0x7f8d27cf6ed5 in mozilla::image::EnsureModuleInitialized() /home/worker/workspace/build/src/image/build/nsImageModule.cpp:104:3
        #11 0x7f8d255ea258 in Load /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:779:21
        #12 0x7f8d255ea258 in nsFactoryEntry::GetFactory() /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1797
        #13 0x7f8d255eb6dd in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1099:41
        #14 0x7f8d255e2c3b in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1458:10
        #15 0x7f8d255f13c1 in CallGetService /home/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:67:43
        #16 0x7f8d255f13c1 in nsGetServiceByContractID::operator()(nsID const&, void**) const /home/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:280
        #17 0x7f8d254be963 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /home/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:95:7
        #18 0x7f8d27a0723c in nsCOMPtr /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:555:5
        #19 0x7f8d27a0723c in gfxPlatform::Init() /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:803
        #20 0x7f8d27a08d69 in gfxPlatform::InitChild(mozilla::gfx::ContentDeviceData const&) /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:564:3
        #21 0x7f8d2b245baf in InitGraphicsDeviceData /home/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1084:3
        #22 0x7f8d2b245baf in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(mozilla::dom::XPCOMInitData const&, mozilla::dom::ipc::StructuredCloneData const&, nsTArray<LookAndFeelInt>&&) /home/worker/workspace/build/src/dom/ipc/ContentChild.cpp:540
        #23 0x7f8d26bd9c06 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:7051:20
        #24 0x7f8d2640c53e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2093:25
        #25 0x7f8d26409354 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2019:17
        #26 0x7f8d2640afa4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1888:5
        #27 0x7f8d2640b588 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1921:15
        #28 0x7f8d2562ffd8 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1422:14
        #29 0x7f8d25636128 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
        #30 0x7f8d264141f1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
        #31 0x7f8d26370be0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
        #32 0x7f8d26370be0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
        #33 0x7f8d26370be0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
        #34 0x7f8d2ba1618f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
        #35 0x7f8d2fc48f07 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:895:22
        #36 0x7f8d26370be0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
        #37 0x7f8d26370be0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
        #38 0x7f8d26370be0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
        #39 0x7f8d2fc4896d in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:711:34
        #40 0x4eb813 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
        #41 0x4eb813 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
        #42 0x7f8d420ca7cf in __libc_start_main (/lib64/libc.so.6+0x207cf)

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkOpts_hsw.cpp:57:54 in hsw::convolve_vertically(short const*, int, unsigned char* const*, int, unsigned char*, bool)
    Shadow bytes around the buggy address:
      0x0c3280041690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c32800416a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c32800416b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c32800416c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c32800416d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c32800416e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07[fa]
      0x0c32800416f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3280041700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3280041710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280041720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280041730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==15952==ABORTING
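Added triage example (not part of the bug report, and not Mozilla or Skia code): the numbers in the ASan output above can be cross-checked before "located 8 bytes to the right" is taken at face value. For an access wider than 16 bytes, inline ASan instrumentation checks the first and the last byte of the access separately and prints the address of whichever check failed, while the __asan_loadN callback path prints the first byte; which mode this build used is not visible on the page, so the script derives both readings. Read as the last byte of the 32-byte load, the access would span 0x61900024b760..0x61900024b77f, which is exactly 31 steps of 32 bytes from the start of the 1015-byte region, the footprint of a vector loop walking a buffer whose length is not a multiple of the vector width; read as the first byte, the load would begin at offset 1023 into the region, which fits no 32-byte stride. The script also checks the printed shadow row against the default x86_64 Linux shadow mapping, shadow = (addr >> 3) + 0x7fff8000; that offset is an assumption, and the report's own shadow address is what confirms it. None of this establishes the root cause, which this page does not state; it only shows what the report is and is not consistent with. The REPORT text is an excerpt of the output pasted above; the names of the two readings are this example's own.

```python
"""Cross-check an AddressSanitizer heap-buffer-overflow report.

Added triage example for bug 1377895; not Mozilla or Skia code.
"""
import re
from dataclasses import dataclass

# Excerpt of the ASan output pasted in the description (taken from the report, not constructed).
REPORT = """\
==15952==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900024b77f at pc 0x7f8d2e3d6729 bp 0x7f8d17207430 sp 0x7f8d17207428
READ of size 32 at 0x61900024b77f thread T25 (ImgDecoder #6)
    #0 0x7f8d2e3d6728 in hsw::convolve_vertically(short const*, int, unsigned char* const*, int, unsigned char*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/opts/SkOpts_hsw.cpp:57:54
0x61900024b77f is located 8 bytes to the right of 1015-byte region [0x61900024b380,0x61900024b777)
=>0x0c32800416e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07[fa]
"""

SHADOW_SCALE = 3            # one shadow byte covers 8 application bytes
SHADOW_OFFSET = 0x7FFF8000  # default ASan shadow offset on x86_64 Linux (assumption, verified against the report)
GRANULE = 1 << SHADOW_SCALE
REDZONE = {0xFA, 0xFB}      # heap left/right redzone shadow values from ASan's legend


@dataclass
class Access:
    kind: str
    size: int
    addr: int          # the address ASan printed
    region_start: int
    region_end: int    # exclusive
    region_size: int
    function: str      # frame #0


def parse_report(text):
    m = re.search(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", text, re.M)
    r = re.search(r"(\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)", text)
    f = re.search(r"^\s*#0 0x[0-9a-f]+ in ([^ (]+)", text, re.M)
    return Access(m.group(1), int(m.group(2)), int(m.group(3), 16),
                  int(r.group(2), 16), int(r.group(3), 16), int(r.group(1)), f.group(1))


def parse_shadow_row(text):
    """Return (base shadow address, the 16 shadow values, index of the [bracketed] byte)."""
    m = re.search(r"^=>0x([0-9a-f]+):(.*)$", text, re.M)
    cells = re.findall(r"(\[?)([0-9a-f]{2})\]?", m.group(2))
    values = [int(v, 16) for _, v in cells]
    marked = next(i for i, (bracket, _) in enumerate(cells) if bracket)
    return int(m.group(1), 16), values, marked


def shadow_address(addr):
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def shadow_consistent(a, text):
    """The bracketed byte must be the shadow of the printed address and lie in a redzone,
    and the region's last granule must encode region_size % 8 addressable bytes (07 here)."""
    base, values, marked = parse_shadow_row(text)
    return (shadow_address(a.addr) == base + marked
            and values[marked] in REDZONE
            and values[shadow_address(a.region_end - 1) - base] == a.region_size % GRANULE)


def candidate_ranges(a):
    """ASan prints the byte whose check failed: for an inline-instrumented access wider
    than 16 bytes that is its first or last byte; the __asan_loadN callback prints the
    first byte. Return both readings as half-open [start, end) ranges."""
    return {
        "printed_is_first_byte": (a.addr, a.addr + a.size),
        "printed_is_last_byte": (a.addr - a.size + 1, a.addr + 1),
    }


def out_of_bounds_bytes(rng, a):
    start, end = rng
    inside = max(0, min(end, a.region_end) - max(start, a.region_start))
    return (end - start) - inside


def fits_vector_stride(rng, a):
    """True if the range is one access-width step of a loop walking the region from its
    start in access-sized strides, the footprint of a SIMD loop with no scalar tail."""
    start, end = rng
    return (start - a.region_start) % a.size == 0 and end - start == a.size


def triage(text):
    a = parse_report(text)
    readings = {name: {"range": rng,
                       "oob_bytes": out_of_bounds_bytes(rng, a),
                       "fits_vector_stride": fits_vector_stride(rng, a)}
                for name, rng in candidate_ranges(a).items()}
    return {
        "function": a.function,
        "access": f"{a.kind} of {a.size} bytes",
        "region_bytes": a.region_size,
        "region_is_multiple_of_access": a.region_size % a.size == 0,
        "shadow_consistent": shadow_consistent(a, text),
        "readings": readings,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(REPORT))
```

The same checks apply to any ASan heap-buffer-overflow report by swapping in the excerpt; for this one, only the last-byte reading lands on a 32-byte stride boundary, with 23 bytes of the load inside the region and 9 past its end.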
Comment 1 • 7 years ago

Milan/Dan, dupe of bug 1377005 / bug 1375842?

Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Flags: needinfo?(milan)
Flags: needinfo?(dveditz)
Product: Firefox → Core

Certainly looks like it.

Assignee: nobody → lsalzman
Flags: needinfo?(milan)
Updated • 7 years ago

Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
Comment 4 • 7 years ago

I'm not able to repro this on 56 to confirm the dupe. The report looks like it's from 49.
(In reply to Jesse Schwartzentruber (:truber) from comment #4)
> I'm not able to repro this on 56 to confirm the dupe. The report looks like
> it's from 49.

I did the tests and reproduced using both builds from here:
https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer

The confusing user-agent up there is just because I used a different browser to file the bug.
Updated • 4 years ago

Group: core-security