Closed Bug 1490157 Opened 6 years ago Closed 3 years ago

[libFuzzer] Null-deref crash [@ mozilla::gfx::InlineTranslator::TranslateRecording]

Categories

(Core :: Graphics: WebRender, defect, P2)

defect

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox64 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(1 file)

Attached file testcase.cpp
The attached call to wr_moz2d_render_cb causes a null dereference in m-c rev 0418c9abdeb18b216301e91022aa289a45d5b426.

==5253==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc8c7ef0998 bp 0x7ffd220a9d90 sp 0x7ffd220a9ca0 T0)
==5253==The signal is caused by a READ memory access.
==5253==Hint: address points to the zero page.
    #0 0x7fc8c7ef0997 in read /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp:35:9
    #1 0x7fc8c7ef0997 in Read /home/truber/src/m/u/obj/ff-asan-release/dist/include/mozilla/gfx/RecordingTypes.h:24
    #2 0x7fc8c7ef0997 in ReadElement<MemReader, unsigned int> /home/truber/src/m/u/obj/ff-asan-release/dist/include/mozilla/gfx/RecordingTypes.h:36
    #3 0x7fc8c7ef0997 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp:57
    #4 0x7fc8c8db0930 in Moz2DRenderCallback /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:434:22
    #5 0x7fc8c8db0930 in wr_moz2d_render_cb /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:510
    #6 0x7fc8d5318bbb in testMoz2DRenderCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/gfx/tests/fuzzing/TestMoz2D.cpp:91:3
    #7 0x55e97292d864 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #8 0x55e97290432f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:280:6
    #9 0x55e97290fe61 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:703:9
    #10 0x7fc8d3da2551 in mozilla::FuzzerRunner::Run(int*, char***) /home/truber/src/m/u/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #11 0x7fc8d3cb4545 in XREMain::XRE_mainStartup(bool*) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:3953:35
    #12 0x7fc8d3cc87a3 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:4912:12
    #13 0x7fc8d3cca31e in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5019:21
    #14 0x55e9728716fc in do_main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:233:22
    #15 0x55e9728716fc in main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:315
    #16 0x7fc8eb7fe82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x55e972771038 in _start (/home/truber/src/m/u/obj/ff-asan-release/dist/bin/firefox+0x37038)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp:35:9 in read
==5253==ABORTING
Priority: -- → P2
Priority: P2 → P3
Priority: P3 → P2
This is not exploitable. I don't think we should block on it.
Blocks: stage-wr-next
No longer blocks: stage-wr-trains

Hey Jesse,
Can you still reproduce this issue or can it be closed?

Flags: needinfo?(jschwartzentruber)

Marking this as Resolved > Incomplete due to the lack of info.
If anyone is able to reproduce this issue re-open it or file a new bug.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(jschwartzentruber)