Closed Bug 1490702 Opened 7 years ago Closed 7 years ago

[libFuzzer] Crash on unknown address [@ mozilla::gfx::InlineTranslator::TranslateRecording]

Categories

(Core :: Graphics: WebRender, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- disabled
firefox65 --- disabled
firefox66 --- fixed

People

(Reporter: truber, Assigned: mattwoodrow)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-wildptr, testcase)

Attachments

(2 files)

Attached file testcase.cpp
The attached call to wr_moz2d_render_cb causes a crash on unknown address in m-c rev 1169e8a4ca2b. ==6964==ERROR: AddressSanitizer: SEGV on unknown address 0x615f000334c1 (pc 0x7f1aa9ea0e50 bp 0x7ffed24fd3f0 sp 0x7ffed24fd300 T0) ==6964==The signal is caused by a READ memory access. #0 0x7f1aa9ea0e4f in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp #1 0x7f1aaad6222c in mozilla::wr::Moz2DRenderCallback(mozilla::Range<unsigned char const>, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::SurfaceFormat, unsigned short const*, mozilla::wr::TypedPoint2D<unsigned short, mozilla::wr::Tiles> const*, mozilla::wr::TypedRect<unsigned int, mozilla::wr::DevicePixel> const*, mozilla::Range<unsigned char>) /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:433:22 #2 0x7f1aaad5dcdc in wr_moz2d_render_cb /home/truber/src/m/u/gfx/webrender_bindings/Moz2DImageRenderer.cpp:473:10 #3 0x7f1ab72d097c in testMoz2DRenderCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/gfx/tests/fuzzing/moz2d/TestMoz2D.cpp:87:3 #4 0x561b752ba864 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13 #5 0x561b7529132f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:280:6 #6 0x561b7529ce61 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/truber/src/m/u/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:703:9 #7 0x7f1ab5d59611 in mozilla::FuzzerRunner::Run(int*, char***) /home/truber/src/m/u/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10 #8 0x7f1ab5c6b695 in XREMain::XRE_mainStartup(bool*) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:3997:35 #9 0x7f1ab5c7f8f3 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:4956:12 #10 0x7f1ab5c8146e in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/truber/src/m/u/toolkit/xre/nsAppRunner.cpp:5063:21 #11 0x561b751fe6fc in do_main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:233:22 #12 0x561b751fe6fc in main /home/truber/src/m/u/browser/app/nsBrowserApp.cpp:315 #13 0x7f1acd7ea82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #14 0x561b750fe038 in _start (/home/truber/src/m/u/obj/ff-asan-release/dist/bin/firefox+0x37038) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/truber/src/m/u/gfx/2d/InlineTranslator.cpp in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) ==6964==ABORTING
Priority: -- → P2
Priority: P2 → P3
Priority: P3 → P2
Miko, this should be easy to pick up in between other things.
Assignee: nobody → mikokm
Assignee: mikokm → matt.woodrow
extra_end gets copied to offset, which can be used in the following command (and needs to be sanitized).
Pushed by mwoodrow@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e4571515944b Verify values read from the input, even when we decide we don't need to draw the current command. r=jrmuizel
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Blocks: fuzz-moz2d
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: