[libFuzzer] Crash on unknown address [@ mozilla::gfx::InlineTranslator::TranslateRecording]

RESOLVED FIXED in Firefox 66

Status

Status: RESOLVED FIXED
Priority: P2
Severity: critical
Reported: 6 months ago
Modified: 3 months ago

People

(Reporter: truber, Assigned: mattwoodrow)

Tracking

Blocks: 2 bugs
Keywords: crash, csectype-wildptr, testcase
Version: Trunk
Target Milestone: mozilla66
Points: ---
Bug Flags: in-testsuite -

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox64 disabled, firefox65 disabled, firefox66 fixed)

Details

Attachments

(2 attachments)

(Reporter)

Description

6 months ago
Posted file testcase.cpp
The attached call to wr_moz2d_render_cb causes a crash on unknown address in m-c rev 1169e8a4ca2b.

==6964==ERROR: AddressSanitizer: SEGV on unknown address 0x615f000334c1 (pc 0x7f1aa9ea0e50 bp 0x7ffed24fd3f0 sp 0x7ffed24fd300 T0)
==6964==The signal is caused by a READ memory access.
    #0 0x7f1aa9ea0e4f in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp
    #1 0x7f1aaad6222c in mozilla::wr::Moz2DRenderCallback(mozilla::Range<unsigned char const>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::SurfaceFormat, unsigned short const*, mozilla::wr::TypedPoint2D<unsigned short, mozilla::wr::Tiles> const*, mozilla::wr::TypedRect<unsigned int, mozilla::wr::DevicePixel> const*, mozilla::Range<unsigned char>) /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:433:22
    #2 0x7f1aaad5dcdc in wr_moz2d_render_cb /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:473:10
    #3 0x7f1ab72d097c in testMoz2DRenderCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/gfx/tests/fuzzing/moz2d/TestMoz2D.cpp:87:3
    #4 0x561b752ba864 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #5 0x561b7529132f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:280:6
    #6 0x561b7529ce61 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:703:9
    #7 0x7f1ab5d59611 in mozilla::FuzzerRunner::Run(int*, char***) /home/truber/src/m/u/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #8 0x7f1ab5c6b695 in XREMain::XRE_mainStartup(bool*) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:3997:35
    #9 0x7f1ab5c7f8f3 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:4956:12
    #10 0x7f1ab5c8146e in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5063:21
    #11 0x561b751fe6fc in do_main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:233:22
    #12 0x561b751fe6fc in main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:315
    #13 0x7f1acd7ea82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x561b750fe038 in _start (/home/truber/src/m/u/obj/ff-asan-release/dist/bin/firefox+0x37038)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)
==6964==ABORTING
Blocks: 1386669
Priority: -- → P2
Priority: P2 → P3
Priority: P3 → P2
Miko, this should be easy to pick up in between other things.
Assignee: nobody → mikokm
(Assignee)

Updated

3 months ago
Assignee: mikokm → matt.woodrow
(Assignee)

Comment 2

3 months ago
extra_end gets copied to offset, which can be used in the following command (and needs to be sanitized).

Comment 3

3 months ago
Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e4571515944b
Verify values read from the input, even when we decide we don't need to draw the current command. r=jrmuizel
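Comment 2 and the commit message above describe the class of bug: a value (extra_end) read straight from the recording is copied into the cursor and used by the next command, and the original code skipped validating it whenever the current command did not need to be drawn. The following is an added illustration of the hardened pattern, written for this page and not taken from Moz2D or the fix changeset; the record layout (a one-byte type followed by a 32-bit absolute end offset), the Reader/TranslateRecording names and the sample inputs are all constructed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical recording format, constructed for this example (not Moz2D's):
//   each command is  uint8_t type, uint32_t extraEnd  followed by a payload
//   that ends at absolute buffer offset extraEnd; type 0 terminates the stream.

struct Reader {
  const char* data;
  size_t size;
  size_t offset = 0;  // invariant: offset <= size

  // Bounds-checked read of a fixed-size value; fails instead of reading past the end.
  template <typename T>
  bool Read(T* out) {
    if (size - offset < sizeof(T)) return false;
    std::memcpy(out, data + offset, sizeof(T));
    offset += sizeof(T);
    return true;
  }
};

// Walks the recording. Returns true only if every command was well formed and
// the terminator was reached; false on the first malformed value. *drawn counts
// commands that were actually "drawn". The point of the pattern: extraEnd is
// validated before it is used as the new cursor, even when skipDrawing is set.
bool TranslateRecording(const char* data, size_t size, bool skipDrawing, int* drawn) {
  Reader r{data, size};
  *drawn = 0;
  for (;;) {
    uint8_t type;
    if (!r.Read(&type)) return false;
    if (type == 0) return true;  // terminator
    uint32_t extraEnd;
    if (!r.Read(&extraEnd)) return false;
    // Validate the input-controlled offset unconditionally: the payload must
    // begin at or after the cursor and end inside the buffer.
    if (extraEnd < r.offset || extraEnd > size) return false;
    if (!skipDrawing) {
      ++*drawn;  // a real translator would interpret data[r.offset, extraEnd) here
    }
    r.offset = extraEnd;  // safe: checked above
  }
}

// Constructed sample: one type-1 command with a 3-byte payload at offsets 5..7,
// then a terminator at offset 8 (9 bytes total). extraEnd is caller-chosen so
// that both a consistent and an inconsistent offset can be fed to the reader.
static std::vector<char> BuildRecording(uint32_t extraEnd) {
  std::vector<char> buf;
  buf.push_back(1);
  const char* p = reinterpret_cast<const char*>(&extraEnd);
  buf.insert(buf.end(), p, p + sizeof(extraEnd));
  buf.insert(buf.end(), {'a', 'b', 'c'});
  buf.push_back(0);
  return buf;
}

// Returns the number of drawn commands, or -1 if the recording was rejected.
int RunSample(uint32_t extraEnd, bool skipDrawing) {
  std::vector<char> buf = BuildRecording(extraEnd);
  int drawn = 0;
  return TranslateRecording(buf.data(), buf.size(), skipDrawing, &drawn) ? drawn : -1;
}

int main() {
  std::printf("consistent offset, drawn:   %d\n", RunSample(8, false));
  std::printf("consistent offset, skipped: %d\n", RunSample(8, true));
  std::printf("offset past end, skipped:   %d\n", RunSample(0x1000, true));
  std::printf("offset behind cursor:       %d\n", RunSample(2, false));
  return 0;
}
```

The two rejected cases are the ones the original skip path would have let through: an end offset beyond the buffer (the wild read the fuzzer hit) and one behind the cursor (which would make the stream re-parse bytes it has already consumed). Keeping the check outside the "do we draw this?" branch is what the fix commit message describes.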

Comment 4

3 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/e4571515944b
Status: NEW → RESOLVED
Last Resolved: 3 months ago
status-firefox66: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
status-firefox65: --- → ?
status-firefox64: affected → disabled
status-firefox65: ? → disabled
status-firefox-esr60: --- → unaffected
Flags: in-testsuite-