Closed Bug 1382851 Opened 5 years ago Closed 5 years ago

Invalid read @ libGLESv2.dll!rx::Image11::disassociateStorage()

Categories

(Core :: Graphics: CanvasWebGL, defect, P2)

x86
Windows 7
defect

Tracking


RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 - wontfix
firefox57 + wontfix
firefox58 --- fixed

People

(Reporter: bc, Unassigned)

Details

(5 keywords, Whiteboard: [gfx-noted][fixed by bug 1371190][adv-main58+][post-critsmash-triage])

+++ This bug was initially created as a clone of Bug #1328762 +++

from bug 1328762 comment 45

attachment 8888403: crash report + log

During a retest of urls which have crashed in Bughunter since July 1, this crash was reproduced on Windows 7 32bit with build rv:56.0 20170719173022 on url:

https://sketchfab.com/models/67b90d3c88e244dc90917f46ef7ff9c5

exploitable rated this as high which fits with Crash address: 0xffffffffe5e5e621 and eax = 0xe5e5e5e5.

I would say this is the same as the original crash and this *isn't* fixed.

I've completed the retest for Windows 32bit builds and this was the only example of this crash I found so it is not very reproducible. I do not know on which branch this first appeared.

Note I do see a number of other crashes on sketchfab with stacks similar to ucrtbase.dll ucrtbase.dll ucrtbase.dll ucrtbase.dll rx::Image11::createStagingTexture in case that is interesting. I can provide more details if you need them.
Group: core-security → gfx-core-security
Flags: needinfo?(jgilbert)
We may need a full ANGLE update (in the works) for this then.
Milan, is there a bug we can hook up here for the angle update?
Flags: needinfo?(milan)
(In reply to Jim Mathies [:jimm] from comment #2)
> Milan, is there a bug we can hook up here for the angle update?

Bug 1371190.  Not sure if we should set the dependency?
Flags: needinfo?(milan)
We don't want to land an ANGLE update in 57, stability being what it needs to be, so this will await 58.
Flags: needinfo?(jgilbert)
-> sec-high given the signature.  We'll want to track for 58, and it would be best if we're ready to land at the start of 58 (unless security wants us to wait -- but an entire angle update isn't disclosing much, especially if landed on a bug of "Update Angle to X.Y")
Keywords: sec-critical → sec-high
Hey Jeff, I noticed the ANGLE update in bug 1371190 is waiting for your review and we want this early in the 58 cycle.
Can you help us move this along?

(Commenting in this separate security bug, so we don't draw extra attention in the bug)
Flags: needinfo?(jgilbert)
(In reply to Frederik Braun [:freddyb] from comment #6)
> Hey Jeff, I noticed the ANGLE update in bug 1371190 is waiting for your
> review and we want this early in the 58 cycle.
> Can you help us move this along?
> 
> (Commenting in this separate security bug, so we don't draw extra attention
> in the bug)

It is moving.
Flags: needinfo?(jgilbert)
Priority: -- → P2
Whiteboard: [gfx-noted]
fwiw, I retested a number of urls where this reproduced. I do not see this on Nightly/58 but do on Beta/57 where the angle update hasn't happened. I think we can call this fixed by bug 1371190.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Whiteboard: [gfx-noted] → [gfx-noted][fixed by bug 1371190]
Target Milestone: --- → mozilla58
Group: gfx-core-security → core-security-release
Whiteboard: [gfx-noted][fixed by bug 1371190] → [gfx-noted][fixed by bug 1371190][adv-main58+]
Flags: qe-verify-
Whiteboard: [gfx-noted][fixed by bug 1371190][adv-main58+] → [gfx-noted][fixed by bug 1371190][adv-main58+][post-critsmash-triage]
Group: core-security-release