Closed Bug 1462682 Opened 7 years ago Closed 7 years ago

Firefox/Skia: Heap overflow in SkScan::FillPath due to precision error

Categories

(Core :: Graphics, defect)

Not set
normal

Tracking

RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 60+ fixed
firefox-esr60 60+ fixed
firefox60 + fixed
firefox61 + fixed
firefox62 + fixed

People

(Reporter: ifratric, Assigned: lsalzman)

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [Fix shipping in Chrome 67 next week (CVE-2018-6126)])

Attachments

(3 files)

Attached file test_ff.html
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36

Steps to reproduce:

***Please note: This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.***

With any fix, please give credit for identifying the vulnerability to Ivan Fratric of Google Project Zero.

There is a heap overflow in Skia when drawing paths with antialiasing turned off. This issue can be triggered in Firefox by rendering a specially crafted SVG image. A test sample is attached. It crashes the current Firefox Asan build (downloaded from https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer) with the following report:

=================================================================
==24515==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62300009f0cc at pc 0x7f73ddfdaaaa bp 0x7ffe0d9db1d0 sp 0x7ffe0d9db1c8
WRITE of size 4 at 0x62300009f0cc thread T0 (file:// Content)
    #0 0x7f73ddfdaaa9 in memsetT<unsigned int> /builds/worker/workspace/build/src/gfx/skia/skia/src/opts/SkUtils_opts.h:29:23
    #1 0x7f73ddfdaaa9 in avx::memset32(unsigned int*, unsigned int, int) /builds/worker/workspace/build/src/gfx/skia/skia/src/opts/SkUtils_opts.h:37
    #2 0x7f73de4bd09d in sk_memset32 /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkUtils.h:24:5
    #3 0x7f73de4bd09d in store /builds/worker/workspace/build/src/gfx/skia/skia/src/shaders/gradients/Sk4fGradientPriv.h:80
    #4 0x7f73de4bd09d in shadeSpanInternal<unsigned int, (anonymous namespace)::ApplyPremul::True, SkShader::TileMode::kClamp_TileMode> /builds/worker/workspace/build/src/gfx/skia/skia/src/shaders/gradients/Sk4fLinearGradient.cpp:254
    #5 0x7f73de4bd09d in shadePremulSpan<unsigned int, (anonymous namespace)::ApplyPremul::True> /builds/worker/workspace/build/src/gfx/skia/skia/src/shaders/gradients/Sk4fLinearGradient.cpp:209
    #6 0x7f73de4bd09d in SkLinearGradient::LinearGradient4fContext::shadeSpan(int, int, unsigned int*, int) /builds/worker/workspace/build/src/gfx/skia/skia/src/shaders/gradients/Sk4fLinearGradient.cpp:181
    #7 0x7f73ddd6c434 in SkARGB32_Shader_Blitter::blitH(int, int, int) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitter_ARGB32.cpp:377:25
    #8 0x7f73de8163bc in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_Path.cpp:261:30
    #9 0x7f73de815021 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_Path.cpp:471:9
    #10 0x7f73de817d02 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_Path.cpp:656:9
    #11 0x7f73dddfa9a5 in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:765:9
    #12 0x7f73de3624d2 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1018:9
    #13 0x7f73de36310a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1131:11
    #14 0x7f73de0252f3 in drawPath /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.h:58:15
    #15 0x7f73de0252f3 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:328
    #16 0x7f73de056e91 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2170:23
    #17 0x7f73de04ca51 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:1760:11
    #18 0x7f73d5c672ea in mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) /builds/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:975:12
    #19 0x7f73dc254428 in mozilla::SVGGeometryFrame::Render(gfxContext*, unsigned int, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&) /builds/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:807:21
    #20 0x7f73dc25390b in mozilla::SVGGeometryFrame::PaintSVG(gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:288:5
    #21 0x7f73dc251aa8 in nsDisplaySVGGeometry::Paint(nsDisplayListBuilder*, gfxContext*) /builds/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:131:43
    #22 0x7f73dc57fd8c in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::AssignedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6434:15
    #23 0x7f73dc582354 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6591:19
    #24 0x7f73d637d11f in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /builds/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:158:5
    #25 0x7f73d638095d in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /builds/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:314:3
    #26 0x7f73d63ba0be in mozilla::layers::ClientContainerLayer::RenderLayer() /builds/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:58:29
    #27 0x7f73d6376abb in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:359:13
    #28 0x7f73d6377614 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:423:3
    #29 0x7f73dc6081d8 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2800:19
    #30 0x7f73dbd4beae in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3831:12
    #31 0x7f73dbc3d027 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6312:5
    #32 0x7f73db5eb09a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #33 0x7f73db5e9e9c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #34 0x7f73db5ef4f6 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #35 0x7f73dbbb64e5 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2039:11
    #36 0x7f73dbbc32bb in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:13
    #37 0x7f73dbbc32bb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301
    #38 0x7f73dbbc2e99 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5
    #39 0x7f73dbbc59de in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
    #40 0x7f73dbbc59de in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:673
    #41 0x7f73dbbc55de in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:574:9
    #42 0x7f73dc46c82f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #43 0x7f73d51b8464 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #44 0x7f73d5090373 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #45 0x7f73d4bff78e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2136:25
    #46 0x7f73d4bfc6d2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2066:17
    #47 0x7f73d4bfdf0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1912:5
    #48 0x7f73d4bfe568 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1945:15
    #49 0x7f73d3d0bb66 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #50 0x7f73d3d27aa0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #51 0x7f73d4c07416 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #52 0x7f73d4b5b8b9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #53 0x7f73d4b5b8b9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #54 0x7f73d4b5b8b9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #55 0x7f73db678e2a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #56 0x7f73df8cd67b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #57 0x7f73d4b5b8b9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #58 0x7f73d4b5b8b9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #59 0x7f73d4b5b8b9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #60 0x7f73df8cd040 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #61 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #62 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #63 0x7f73f33fe2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #64 0x420f48 in _start (/usr/local/google/home/ifratric/p0/firefox/firefox/firefox+0x420f48)

0x62300009f0cc is located 0 bytes to the right of 6092-byte region [0x62300009d900,0x62300009f0cc)
allocated by thread T0 (file:// Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f26fd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f73ddd6b9cf in sk_malloc_throw /builds/worker/workspace/build/src/gfx/skia/skia/include/private/SkMalloc.h:59:12
    #3 0x7f73ddd6b9cf in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkPixmap const&, SkPaint const&, SkShaderBase::Context*) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitter_ARGB32.cpp:336
    #4 0x7f73ddd626ec in make<SkARGB32_Shader_Blitter, const SkPixmap &, const SkPaint &, SkShaderBase::Context *&> /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkArenaAlloc.h:103:30
    #5 0x7f73ddd626ec in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkBlitter.cpp:1053
    #6 0x7f73de361b0a in choose /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkAutoBlitterChoose.h:34:20
    #7 0x7f73de361b0a in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:959
    #8 0x7f73de36310a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1131:11
    #9 0x7f73de0252f3 in drawPath /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.h:58:15
    #10 0x7f73de0252f3 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:328
    #11 0x7f73de056e91 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2170:23
    #12 0x7f73de04ca51 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /builds/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:1760:11
    #13 0x7f73d5c672ea in mozilla::gfx::DrawTargetSkia::Fill(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&) /builds/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:975:12
    #14 0x7f73dc254428 in mozilla::SVGGeometryFrame::Render(gfxContext*, unsigned int, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&) /builds/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:807:21
    #15 0x7f73dc25390b in mozilla::SVGGeometryFrame::PaintSVG(gfxContext&, mozilla::gfx::BaseMatrix<double> const&, mozilla::image::imgDrawingParams&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:288:5
    #16 0x7f73dc251aa8 in nsDisplaySVGGeometry::Paint(nsDisplayListBuilder*, gfxContext*) /builds/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:131:43
    #17 0x7f73dc57fd8c in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::AssignedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6434:15
    #18 0x7f73dc582354 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6591:19
    #19 0x7f73d637d11f in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /builds/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:158:5
    #20 0x7f73d638095d in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /builds/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:314:3
    #21 0x7f73d63ba0be in mozilla::layers::ClientContainerLayer::RenderLayer() /builds/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:58:29
    #22 0x7f73d6376abb in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:359:13
    #23 0x7f73d6377614 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:423:3
    #24 0x7f73dc6081d8 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2800:19
    #25 0x7f73dbd4beae in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3831:12
    #26 0x7f73dbc3d027 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6312:5
    #27 0x7f73db5eb09a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #28 0x7f73db5e9e9c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #29 0x7f73db5ef4f6 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #30 0x7f73dbbb64e5 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2039:11
    #31 0x7f73dbbc32bb in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:13
    #32 0x7f73dbbc32bb in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301
    #33 0x7f73dbbc2e99 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5
    #34 0x7f73dbbc59de in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
    #35 0x7f73dbbc59de in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:673

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/gfx/skia/skia/src/opts/SkUtils_opts.h:29:23 in memsetT<unsigned int>
==24515==ABORTING

Details:

When Skia fills a path with antialiasing turned off, SkScan::FillPath gets called
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=609

SkScan::FillPath first checks that the path fits in the current drawing area (Clip).
This happens in
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=645

If the clipping test passes at this point, then no other clipping checks will be performed when drawing this path. However, due to precision errors, it is possible that the drawing algorithm is going to end up drawing outside of the current drawing area, which results in a heap overflow.

In this case, the precision error happens when drawing cubic splines. In SkCubicEdge::setCubicWithoutUpdate, various factors needed to draw the spline are calculated. For example, on this line
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=430
when calculating fCDx, some precision will be lost because C and D end up being shifted to the right. Because of that, it is possible that the fCDx value is going to end up smaller than it should be.

The (too small) value of fCDx then gets added to the X coordinate here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=471
it then gets propagated here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=492
and here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?g=0&rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=116
where fX ends up being -2**15 (this corresponds to -0.5 in SkFixed type) and fDX ends up negative.

When a spline (now approximated as a line segment) gets drawn in walk_convex_edges or walk_edges, fDX gets added to fX
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=267
then the resulting value gets rounded
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=249
and becomes -1, which leads to an out-of-bounds write.

Example Skia program that demonstrates the issue:
Note: it should be built with ASan enabled.

=================================================
#include "SkCanvas.h"
#include "SkPath.h"
#include "SkBitmap.h"
#include "SkGradientShader.h"

int main (int argc, char * const argv[]) {
  int width = 100;
  int height = 100;

  SkBitmap bitmap;
  bitmap.allocN32Pixels(width, height);
  SkCanvas bitmapcanvas(bitmap);
  SkCanvas *canvas = &bitmapcanvas;

  SkPaint p;
  p.setAntiAlias(false);
  p.setStyle(SkPaint::kFill_Style);

  SkColor colors[2] = {SkColorSetARGB(10,0,0,0), SkColorSetARGB(10,255,255,255)};
  SkPoint points[2] = {
    SkPoint::Make(0.0f, 0.0f),
    SkPoint::Make(256.0f, 256.0f)
  };
  p.setShader(SkGradientShader::MakeLinear(
      points, colors, nullptr, 2,
      SkShader::kClamp_TileMode, 0, nullptr));

  SkPath path;
  path.moveTo(-30/64.0, -31/64.0);
  path.cubicTo(-31/64.0, -31/64,-31/64.0, -31/64,-31/64.0, 100);
  path.lineTo(100,100);
  path.lineTo(100,-31/64.0);

  canvas->drawPath(path, p);

  return 0;
}
=================================================

Running this results in the following UBSan error:

../../include/core/SkPixmap.h:386:83: runtime error: left shift of negative value -1
SUMMARY: AddressSanitizer: undefined-behavior ../../include/core/SkPixmap.h:386:83 in

If the program is compiled without undefined-behavior checks, then running it generates the following ASan report

=================================================================
==18863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000021d0 at pc 0x0000018df91a bp 0x7ffcdc7708d0 sp 0x7ffcdc7708c8
WRITE of size 4 at 0x6140000021d0 thread T0
    #0 0x18df919 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18
    #1 0x18df919 in void (anonymous namespace)::ramp<unsigned int, ((anonymous namespace)::ApplyPremul)0>((anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&, unsigned int*, int, (anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:45
    #2 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadeSpanInternal<unsigned int, ((anonymous namespace)::ApplyPremul)0, (SkShader::TileMode)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:256:13
    #3 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadePremulSpan<unsigned int, ((anonymous namespace)::ApplyPremul)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:209
    #4 0x18d3eb1 in SkLinearGradient::LinearGradient4fContext::shadeSpan(int, int, unsigned int*, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:181
    #5 0x167213d in SkARGB32_Shader_Blitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:377:25
    #6 0xd1cf47 in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:261:30
    #7 0xd1b364 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:471:9
    #8 0xd1e625 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:656:9
    #9 0xd0c39a in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_AntiPath.cpp:827:9
    #10 0xb9ae3d in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1024:9
    #11 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11
    #12 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15
    #13 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411
    #14 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23
    #15 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11
    #16 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11
    #17 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #18 0x770659 in _start (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x770659)

0x6140000021d0 is located 0 bytes to the right of 400-byte region [0x614000002040,0x6140000021d0)
allocated by thread T0 here:
    #0 0x825b20 in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x825b20)
    #1 0xdf1d74 in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/ports/SkMemory_malloc.cpp:69:13
    #2 0x1671202 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../include/private/SkMalloc.h:59:12
    #3 0x1671202 in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkPixmap const&, SkPaint const&, SkShaderBase::Context*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:336
    #4 0x16643f9 in SkARGB32_Shader_Blitter* SkArenaAlloc::make<SkARGB32_Shader_Blitter, SkPixmap const&, SkPaint const&, SkShaderBase::Context*&>(SkPixmap const&, SkPaint const&, SkShaderBase::Context*&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkArenaAlloc.h:103:30
    #5 0x1663681 in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter.cpp:1119:34
    #6 0xb9b4fe in SkAutoBlitterChoose::choose(SkDraw const&, SkMatrix const*, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkAutoBlitterChoose.h:36:20
    #7 0xb9aa59 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:966:34
    #8 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11
    #9 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15
    #10 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411
    #11 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23
    #12 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11
    #13 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11
    #14 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&)
==18863==ABORTING
Please note that, since the root cause of the issue is in the Skia library, a similar report has already been filed in the Chromium bug tracker. You might want to sync with the Skia developers wrt the fix.
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics
Flags: needinfo?(lsalzman)
Product: Firefox → Core
This appears to be chrome bug 844457 which has the following patch (twice? different branches?)
https://skia.googlesource.com/skia/+/861b52ea98d703786ce485389db07e58759c1792%5E%21/#F0
https://skia.googlesource.com/skia/+/78b60f4ff13b83da98ae2bca85aaef0a98b61098%5E%21/#F0

This appears to have been merged into m67 which is shipping soon. Might be worth a 60.0.x ride-along given that (they usually un-hide their bugs soon after, and Project Zero will probably consider that "a patch has been made broadly available (whichever is earlier)"). I assume ESR-52 is affected but I haven't checked.
Assignee: nobody → lsalzman
Whiteboard: [Fix shipping in Chrome 67 next week]
Please note that the patch in chrome bug 844457 is incomplete - it patches Skia config used in Chrome but is insufficient with SK_RASTERIZE_EVEN_ROUNDING defined (which, AFAIK, Firefox uses). I opened chrome bug 845489 to address this on their end.
Flags: needinfo?(lsalzman)
Attachment #8980161 - Flags: review?(rhunt) → review+
Comment on attachment 8980161 [details] [diff] [review]
Skia path bounds rounding fix

[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Without access to the actual bug report, the patch doesn't really explain much about how to trigger this, other than that paths are involved. It would require some dissection of how Skia path rasterization works to understand how to exploit this.

> Which older supported branches are affected by this flaw?
> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This affects at least all branches using Skia m66, which is 60+. It miiiight affect ESR 52 as well, which only uses Skia m59, though it would be easy enough to adapt the patch to fix that branch as well.

> How likely is this patch to cause regressions; how much testing does it need?

Unlikely, as the patch is just slightly enlarging the calculated bounding box of a path that Skia uses when rasterizing paths. The bug here is essentially that the bounding box is calculated too small, which causes Skia to rasterize outside it when rasterizing the path. So there are no real semantic changes going on here, just adjusting the bounds within which the rasterization is working.
Attachment #8980161 - Flags: sec-approval?
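The mismatch described in the comment above (a bounding box computed too small for what the rasterizer then writes) can be reproduced in a simplified model. This is an added illustration, not Skia's or Mozilla's code and not the attached patch; the two rounding functions, the 1/64 widening and all names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not Skia's code. Coordinates are assumed non-negative,
 * so the (int) casts below truncate exactly like floor(). */

/* Bounds path: round the float coordinate straight to the nearest pixel. */
static int round_nearest(float x) { return (int)(x + 0.5f); }

/* Edge path: quantize to 1/64 pixel first, which can lift a value just
 * below .5 up to exactly .5, then round to a pixel. */
static int round_edge(float x) { return ((int)(x * 64.0f + 0.5f) + 32) >> 6; }

/* Conservative bounds: widen by 1/64, more than the 1/128 quantization error. */
static int bound_left(float x)  { return (int)((double)x + 0.5 - 1.0 / 64); }
static int bound_right(float x) { return (int)((double)x + 0.5 + 1.0 / 64); }

/* Size a row from the bounds, rasterize with the edge rounding, clamp every
 * write, and return how many pixels fell outside the allocation. */
static int overrun_pixels(float xl, float xr, int conservative) {
    int bl = conservative ? bound_left(xl) : round_nearest(xl);
    int br = conservative ? bound_right(xr) : round_nearest(xr);
    if (br <= bl) return 0;
    int width = br - bl, outside = 0;
    uint32_t *row = calloc((size_t)width, sizeof *row);
    if (!row) return -1;
    for (int x = round_edge(xl) - bl; x < round_edge(xr) - bl; x++) {
        if (x < 0 || x >= width) outside++; else row[x] = 0xff0000ffu;
    }
    free(row);
    return outside;
}

/* Sweep [0, 64) in 1/256 steps; count edge roundings right of the bound. */
static int count_escapes(int conservative) {
    int escapes = 0;
    for (int i = 0; i < 64 * 256; i++) {
        float x = (float)i / 256.0f;
        int bound = conservative ? bound_right(x) : round_nearest(x);
        if (round_edge(x) > bound) escapes++;
    }
    return escapes;
}

int main(void) {
    printf("nearest %d/%d, widened %d/%d (overrun/escapes)\n", overrun_pixels(2.0f, 10.495f, 0),
           count_escapes(0), overrun_pixels(2.0f, 10.495f, 1), count_escapes(1));
}
```

In this model every coordinate whose fractional part lies in [0.4921875, 0.5) rounds one pixel further right on the edge path than on the bounds path, and widening the bound by one subpixel removes every such case.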
Sec-approval+ for trunk. We should get Beta and ESR60 patches nominated as well. I'll leave ESR52 up to release management.
Attachment #8980161 - Flags: sec-approval? → sec-approval+
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
ni?lee for beta/esr uplift requests
Flags: needinfo?(lsalzman)
Comment on attachment 8980161 [details] [diff] [review]
Skia path bounds rounding fix

Approval Request Comment
[Feature/Bug causing the regression]: Pre-existing
[User impact if declined]: sec-high buffer overrun
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: no
[Why is the change risky/not risky?]: Just makes rasterization bound estimates more conservative to avoid overruns.
[String changes made/needed]: none
Flags: needinfo?(lsalzman)
Attachment #8980161 - Flags: approval-mozilla-esr60?
Attachment #8980161 - Flags: approval-mozilla-beta?
Just a simple backport to 52 ESR.
Attachment #8980744 - Flags: review+
Attachment #8980744 - Flags: approval-mozilla-esr52?
Comment on attachment 8980161 [details] [diff] [review]
Skia path bounds rounding fix

Fixes a soon-to-be-disclosed Skia sec bug. Approved for 61.0b9, ESR 60.1, and ESR 52.9.
Attachment #8980161 - Flags: approval-mozilla-esr60?
Attachment #8980161 - Flags: approval-mozilla-esr60+
Attachment #8980161 - Flags: approval-mozilla-beta?
Attachment #8980161 - Flags: approval-mozilla-beta+
Attachment #8980744 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Does this bug affect Firefox on Android? Dan, just to make sure, would you still like this in 60.0.2?
Flags: needinfo?(lsalzman)
Flags: needinfo?(dveditz)
Comment on attachment 8980161 [details] [diff] [review]
Skia path bounds rounding fix

I checked with Dan on IRC; let's take this for 60.0.2.
Flags: needinfo?(dveditz)
Attachment #8980161 - Flags: approval-mozilla-release+
It would affect Android, yes.
Flags: needinfo?(lsalzman)
Al, Dan, should we also uplift this to ESR52 for this next dot release? We could start an ESR 52.8.1 build, if you think we should not wait until 52.9 release at the end of June.
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
Landed at Liz' request: https://hg.mozilla.org/releases/mozilla-esr52/rev/e972d4086a13 (FIREFOX_ESR_52_8_X_RELBRANCH)
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
From discussion on IRC with Dan and Lee, going ahead with esr52 build.
We have tested this on Fennec 60.0.2 and we haven't found any issues. If you think more testing is needed, please provide any steps to reproduce the issue. Thank you.
Group: core-security-release
Google used CVE-2018-6126 for this bug.
Whiteboard: [Fix shipping in Chrome 67 next week] → [Fix shipping in Chrome 67 next week (CVE-2018-6126)]