Closed
Bug 1478585
Opened 6 years ago
Closed 11 months ago
AddressSanitizer: heap-buffer-overflow [@ SkBlitLCD16OpaqueRow_SSE2] with READ of size 8
Categories
(Core :: Graphics, defect, P3)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: decoder, Unassigned)
Details
(4 keywords)
Attachments
(1 file)
|
22.15 KB,
text/plain
|
Details |
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 63.0a1-20180724223402-https://hg.mozilla.org/mozilla-central/rev/dd386b5b9fa7f5cd6dc4bbbfa0503b3eb2969af5. For detailed crash information, see attachment.
|
Reporter | |
Comment 1•6 years ago
|
||
|
||
Comment 2•6 years ago
|
||
Based on the stack it looks like this is doing math on values that will result in graphic output and not do pointer math or leak memory values into anything content-accessible.
Keywords: csectype-bounds,
sec-moderate
|
||
Updated•6 years ago
|
Group: core-security → gfx-core-security
|
||
Comment 3•6 years ago
|
||
I pored over this one, and based on the stack, all the code in the way looks valid and is not doing anything funny that I can overtly see causing this. Allocations look valid and the iteration that happens within the allocated memory looks valid. It would really help if we had some way to reproduce this via a testcase, since I don't believe the cause is obvious just from the stacks and code inspection.
|
|
Reporter | |
Updated•6 years ago
|
No longer blocks: asan-nightly-project
|
||
Comment 4•6 years ago
|
||
Marking P3 as it doesn't sound terrible, or actionable. Please raise if that changes. This might go away with a pending Skia update.
Priority: -- → P3
|
||
Comment 5•6 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #2) > Based on the stack it looks like this is doing math on values that will > result in graphic output and not do pointer math or leak memory values into > anything content-accessible. Graphic output can be captured (often) or indirectly depended on, and if not melded into a lot of other gfx data extracted back to binary data (perhaps with some fuzz, but careful selection of the gfx data it's combined with can let value be extracted. That said, I don't know this code, and I haven't pulled a crashdump from it and looked at the dump/disasm
|
||
Updated•6 years ago
|
|
||
Updated•2 years ago
|
Severity: critical → S2
|
||
Updated•11 months ago
|
Severity: S2 → S3
|
||
Comment 6•11 months ago
|
||
Let's just close this. I don't think having an open bug with a one off ASan report from 5 years ago is useful. Somebody looked at it and couldn't figure anything out.
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → INCOMPLETE
|
|
||
Updated•2 months ago
|
Group: gfx-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•