Closed Bug 1636403 Opened 4 years ago Closed 4 years ago

AddressSanitizer: attempting double-free on 0x614000105240 [@ free] in libfontconfig.so

Categories: Core :: Graphics, defect
Platform: x86_64 Linux
Resolution: RESOLVED DUPLICATE of bug 1633467
Tracking Status: firefox78 --- fixed
People: Reporter: decoder, Unassigned
Keywords: crash, regression
Attachments: 1 file

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 78.0a1-20200506215114-https://hg.mozilla.org/mozilla-central/rev/93a33cb7f2369ac4f1d1f2ac97ec14ba60e1e7d7.

For detailed crash information, see attachment.

This is a double-free inside libfontconfig.so; we should try to get the exact location to determine whether this is a library problem or a problem with how we use it.

@Original Reporter: Can you please provide exact information about your Linux distribution and the exact version of your libfontconfig package? You can also try to install debug symbols for that package yourself and symbolize the missing frames using addr2line. Don't perform any upgrades to the package itself, as that might make it impossible to get the exact location of the double-free. Getting this information should help us determine whether this is a third-party bug or a bug in how we use the library.

Flags: needinfo?(phil)
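To make the symbolization step concrete, here is an added helper (not from the bug, Mozilla or fontconfig) that parses the unsymbolized frames of an ASan report, derives the Debian dbgsym path from a build-id, and prints the addr2line commands to run. The report text, the module offsets and the build-id below are constructed for the example; the function names are the author's own and not any tool's API.

```python
import re
import shlex

# Frame lines ASan prints for a frame it could not symbolize look like
#   "    #3 0x7f0c5d2e1f10  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1f10)"
# and partly symbolized ones like
#   "    #3 0x7f0c5d2e1f10 in FcFoo (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x1f10)".
# Frames that ASan already resolved to file:line carry no "(module+0x...)" part.
FRAME_RE = re.compile(
    r"#(?P<n>\d+)\s+0x(?P<pc>[0-9a-f]+)"
    r"(?:\s+in\s+(?P<func>\S+))?"
    r"\s+\((?P<module>[^()+]+)\+0x(?P<off>[0-9a-f]+)\)"
)

# Constructed sample report; addresses, offsets and frames are made up and do
# not correspond to the attachment on this bug.
SAMPLE_REPORT = """\
==12345==ERROR: AddressSanitizer: attempting double-free on 0x614000105240 in thread T0:
    #0 0x55d3c1a2b3f0 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123
    #1 0x7f3a9c52e1a5  (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x2e1a5)
    #2 0x7f3a9c5310c7 in FcFreeTypeQueryFace (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x310c7)
    #3 0x7f3a9d104a3b  (/usr/lib/x86_64-linux-gnu/libfreetype.so.6+0x14a3b)
"""


def parse_frames(report):
    """Return the frames that still carry a module+offset, oldest-caller last."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue
        frames.append({
            "n": int(m["n"]),
            "pc": int(m["pc"], 16),
            "func": m["func"],          # None when ASan had no symbol at all
            "module": m["module"],
            "offset": int(m["off"], 16),
        })
    return frames


def debug_file_path(build_id, debug_root="/usr/lib/debug"):
    """Where Debian dbgsym packages install separate debug info for an ELF
    object whose build-id (hex, from `readelf -n <lib>`) is given."""
    build_id = build_id.lower()
    return f"{debug_root}/.build-id/{build_id[:2]}/{build_id[2:]}.debug"


def addr2line_commands(frames, module_filter, debug_file):
    """One addr2line invocation per frame whose module path contains
    module_filter.  The offset ASan prints is relative to the module's load
    base; for a shared library that is the same address addr2line expects, so
    it is passed through unchanged.  -f prints the function, -C demangles,
    -i also shows inlined callers."""
    cmds = []
    for f in frames:
        if module_filter not in f["module"]:
            continue
        cmds.append("addr2line -f -C -i -e %s 0x%x" % (shlex.quote(debug_file), f["offset"]))
    return cmds


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_REPORT)
    # Constructed build-id; take the real one from `readelf -n libfontconfig.so.1`.
    dbg = debug_file_path("ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12")
    for cmd in addr2line_commands(frames, "libfontconfig", dbg):
        print(cmd)
```

Pointing `-e` at the stripped library itself also works on Debian, because binutils looks up the separate debug file under /usr/lib/debug by build-id; the explicit path is useful when the dbgsym package was installed somewhere else. The point of doing this before any package upgrade is that the offsets in the report are only meaningful against the exact build that produced them.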

I had already deleted the nightly in question, so I wasn't able to fill in the symbols. Instead, https://crash-stats.mozilla.org/report/index/45b042bc-067a-438e-b211-0fb060200508 is a crash from the latest nightly with fontconfig symbols installed locally, and it appears to have line numbers for all libraries.

Linux distribution is (I’m afraid) a Debian testing/unstable mix.

$ dpkg -s libfontconfig1:amd64
...
Version: 2.13.1-4

Let me know if I can provide anything else.

NB. Is there some way I could have attached gdb & halted at the crash point? I don’t seem to be able to turn off the crash reporter at all.

Flags: needinfo?(phil)

Although my understanding from poking about online is that this is a fontconfig bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959800

Here’s the corresponding source line from the Debian sources: https://sources.debian.org/src/fontconfig/2.13.1-4/src/fcfreetype.c/#L2125

Can we mark this as a duplicate of bug 1633467?

(In reply to Julien Cristau [:jcristau] from comment #6)

> Can we mark this as a duplicate of bug 1633467?

Sgtm!

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Group: core-security
