Closed Bug 1605554 Opened 6 years ago Closed 6 years ago

Use after free in GetSkImageForSurface

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox73 --- fixed

People

(Reporter: alexhenrie24, Assigned: alexhenrie24)

Details

Attachments

(1 file)

Bug 1605554 - Fix use after free in GetSkImageForSurface.
47 bytes, text/x-phabricator-request
Details | Review

GetSkImageForSurface currently says:

sk_sp<SkImage> image =
    SkImage::MakeFromRaster(pixmap, ReleaseTemporarySurface, surf);
if (!image) {
  ReleaseTemporarySurface(nullptr, surf);
  gfxDebug() << "Failed making Skia raster image for temporary surface";
}

// Skia doesn't support RGBX surfaces so ensure that the alpha value is opaque
// white.
MOZ_ASSERT(VerifyRGBXCorners(surf->GetData(), surf->GetSize(), surf->Stride(),
                             surf->GetFormat(), aBounds, aMatrix));

If image is NULL, surf is an invalid pointer and the function can crash while evaluating the arguments to VerifyRGBXCorners. I believe this has been a problem ever since the assertion was added in July 2016 as part of the fix for Bug 1279063.

Assignee: nobody → alexhenrie24
Status: NEW → ASSIGNED
Pushed by ccoroiu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9e60c8fbb6ec Fix use after free in GetSkImageForSurface. r=lsalzman

https://hg.mozilla.org/mozilla-central/rev/9e60c8fbb6ec

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox73: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: