Closed Bug 1631187 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::gfx::SourceSurfaceCapture::IsValid]

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect, P2)

Product:
Core
Component:
Layout: Images, Video, and HTML Frames
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 78+ fixed
firefox75 --- unaffected
firefox76 --- unaffected
firefox77 --- wontfix
firefox78 + fixed
firefox79 + fixed

People

(Reporter: calixte, Assigned: bobowen)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main78+r])

Crash Data

This bug is for crash report bp-3e6c3946-5892-4bd5-a913-54ade0200417.

Top 10 frames of crashing thread:

0 xul.dll mozilla::gfx::SourceSurfaceCapture::IsValid const gfx/2d/SourceSurfaceCapture.cpp
1 xul.dll mozilla::image::DrawableFrameRef::DrawableFrameRef image/imgFrame.h:349
2 xul.dll mozilla::image::DecodedSurfaceProvider::DrawableRef image/DecodedSurfaceProvider.cpp:68
3 xul.dll mozilla::image::ISurfaceProvider::Surface image/ISurfaceProvider.h:268
4 xul.dll mozilla::image::SurfaceCacheImpl::LookupBestMatch image/SurfaceCache.cpp:1008
5 xul.dll static mozilla::image::SurfaceCache::LookupBestMatch image/SurfaceCache.cpp:1593
6 xul.dll mozilla::image::RasterImage::LookupFrameInternal image/RasterImage.cpp:317
7 xul.dll mozilla::image::RasterImage::LookupFrame image/RasterImage.cpp:343
8 xul.dll mozilla::image::RasterImage::RequestDecodeForSizeInternal image/RasterImage.cpp:1155
9 xul.dll mozilla::image::RasterImage::RequestDecodeForSize image/RasterImage.cpp:1121

There are 4 crashes (from 3 installations) in nightly 77 starting with buildid 20200417100143. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1616411.

[1] https://hg.mozilla.org/mozilla-central/rev?node=747bdbeee667

Flags: needinfo?(cam)

We're crashing in SourceSurfaceCapture::IsValid as we try to call mSurfToOptimize->IsValid() but the vtable pointer we pull out from mSurfToOptimize is garbage (0xe5e5e5e5c8800000, in this case). The mSurfToOptimize pointer itself looks like it could have been legitimate.

Flags: needinfo?(cam)

Any idea how I might dig into this Timothy?

Flags: needinfo?(tnikkel)
Flags: needinfo?(aosmond)

Given this is a crash on Windows, without WebRender, mSurfToOptimize is most likely a SourceSurfaceVolatileData:

https://searchfox.org/mozilla-central/rev/a4d62e09a4c46aef918667fa759bf9ae898dc258/image/imgFrame.cpp#112

Neither SourceSurfaceVolatileData nor SourceSurfaceAlignedRawData override SourceSurface::IsValid. They use the implementation from the base class SourceSurface which just returns true:

https://searchfox.org/mozilla-central/rev/a4d62e09a4c46aef918667fa759bf9ae898dc258/gfx/2d/2D.h#432

We put the SourceSurfaceVolatileData stored in mLockedSurface into a SourceSurfaceCapture here:

https://searchfox.org/mozilla-central/rev/a4d62e09a4c46aef918667fa759bf9ae898dc258/image/imgFrame.cpp#495

There are locks surrounding the use of both mLockedSurface and mSurfToOptimize. Maybe that is relevant (a place we forgot to hold the lock?).

I skimmed the reviews for the potential regressing bug, but nothing stood out for me....

Flags: needinfo?(aosmond)
Severity: -- → critical
Priority: -- → P1

Hey Cameron, should this one still be a P1?

Flags: needinfo?(cam)

the address in comment 1 suggests uaf?

Group: layout-core-security

Setting to P2 due to low volume. We will keep an eye on it and if crash volume goes up we can reassess.

Flags: needinfo?(tnikkel)
Priority: P1 → P2
See Also: → 1631188

These are current, open bugs with a Severity of critical. The Severity of these bugs is being changed to S2 to be consistent with the May 4 2020 Severity definitions.

Please let Release Management know if these bugs are still S2.

Severity: critical → S2

I'm leaving this at S2, but I haven't had any luck investigating it yet. I tried a few URLs from crash reports but didn't reproduce the crash. Of those I looked at, none had JPEGs with orientations.

Flags: needinfo?(cam)

[Tracking Requested - why for this release]:
this signature is jumping up in volume in early data from the 78.0b rollout.

status-firefox78: fix-optionalaffected
tracking-firefox78: --- → ?

Cameron, any chance you could take another look?

tracking-firefox78: ?+
Flags: needinfo?(cam)

Maybe bug 1644208 fixes this?

(In reply to Timothy Nikkel (:tnikkel) from comment #11)

Maybe bug 1644208 fixes this?

Sure looks like it! No crashes in 78.0b6+ where that fix is present.

Assignee: nobody → bobowencode
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox78: affectedfixed
status-firefox79: fix-optionalfixed
status-firefox-esr78: --- → fixed
tracking-firefox79: --- → +
tracking-firefox-esr78: --- → 78+
Depends on: 1644208
Flags: needinfo?(cam)
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main78+r]
Group: core-security-release
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.