1692029 - heap-buffer-overflow in [@ draw_quad]

Status: VERIFIED FIXED

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

Found while fuzzing m-c 20210210-ee330ff7f4af.

==10839==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f91665a5520 at pc 0x564ffd4621d7 bp 0x7f91839c1730 sp 0x7f91839c0ef8
READ of size 8 at 0x7f91665a5520 thread T61 (Renderer)
    #0 0x564ffd4621d6 in __asan_memcpy /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x7f91d64211fa in unsigned char vector[8] glsl::Unaligned<unsigned char vector[8]>::load<unsigned int>(unsigned int const*) src/gfx/wr/swgl/src/vector_type.h:464:5
    #2 0x7f91d64211fa in unsigned char vector[8] glsl::unaligned_load<unsigned char vector[8], unsigned int>(unsigned int const*) src/gfx/wr/swgl/src/vector_type.h:493:10
    #3 0x7f91d64211fa in glsl::WidePlanarRGBA8 glsl::textureLinearPlanarRGBA8<glsl::sampler2D_impl*>(glsl::sampler2D_impl*, glsl::ivec2, int) src/gfx/wr/swgl/src/texture.h:534:7
    #4 0x7f91d64211fa in glsl::vec4 glsl::textureLinearRGBA8<glsl::sampler2D_impl*>(glsl::sampler2D_impl*, glsl::vec2, int) src/gfx/wr/swgl/src/texture.h:565:17
    #5 0x7f91d72b69dd in glsl::texture(glsl::sampler2D_impl*, glsl::vec2) src/gfx/wr/swgl/src/texture.h:906:16
    #6 0x7f91d72b69dd in brush_image_ALPHA_PASS_TEXTURE_2D_frag::brush_fs() src/objdir-ff-ubsan/x86_64-unknown-linux-gnu/release/build/swgl-496c09ed025aaa07/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:873:15
    #7 0x7f91d7280283 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::main() src/objdir-ff-ubsan/x86_64-unknown-linux-gnu/release/build/swgl-496c09ed025aaa07/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:888:18
    #8 0x7f91d7280283 in brush_image_ALPHA_PASS_TEXTURE_2D_frag::run(brush_image_ALPHA_PASS_TEXTURE_2D_frag*) src/objdir-ff-ubsan/x86_64-unknown-linux-gnu/release/build/swgl-496c09ed025aaa07/out/brush_image_ALPHA_PASS_TEXTURE_2D.h:966:8
    #9 0x7f91da4eb4eb in void glsl::FragmentShaderImpl::run<false>() src/gfx/wr/swgl/src/program.h:137:5
    #10 0x7f91da4eb4eb in _ZL9draw_spanILb0ELb0EjZL15draw_quad_spansIjEviPN4glsl11vec2_scalarEtPNS1_4vec3ER7TextureiS7_RK8ClipRectEUlvE_EvPT1_P8DepthRuniT2_ src/gfx/wr/swgl/src/gl.cc:3800:24
    #11 0x7f91da4eb4eb in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned short, glsl::vec3*, Texture&, int, Texture&, ClipRect const&) src/gfx/wr/swgl/src/gl.cc:4097:9
    #12 0x7f91d63549aa in draw_quad(int, Texture&, int, Texture&) src/gfx/wr/swgl/src/gl.cc:4653:5
    #13 0x7f91d635074d in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, int, Texture&) src/gfx/wr/swgl/src/gl.cc:4701:5
    #14 0x7f91d634f8b5 in DrawElementsInstanced src/gfx/wr/swgl/src/gl.cc:4773:7
    #15 0x7f91d568529c in webrender::renderer::Renderer::draw_instanced_batch::h4e4e574aaa95cece src/gfx/wr/webrender/src/renderer/mod.rs:2475:17
    #16 0x7f91d568ab8b in webrender::renderer::Renderer::draw_alpha_batch_container::hec283d9eb67cf3b7 src/gfx/wr/webrender/src/renderer/mod.rs:2956:17
    #17 0x7f91d5697eda in webrender::renderer::Renderer::draw_picture_cache_target::had4b620e463498f4 src/gfx/wr/webrender/src/renderer/mod.rs:2790:9
    #18 0x7f91d5697eda in webrender::renderer::Renderer::draw_frame::h19ea5a888d00bc99 src/gfx/wr/webrender/src/renderer/mod.rs:4433:21
    #19 0x7f91d567d180 in webrender::renderer::Renderer::render_impl::hac6c281ccd83bf2e src/gfx/wr/webrender/src/renderer/mod.rs:2120:17
    #20 0x7f91d567a9b5 in webrender::renderer::Renderer::render::hd7ea4053826959c7 src/gfx/wr/webrender/src/renderer/mod.rs:1856:30
    #21 0x7f91d551ac44 in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:634:11
    #22 0x7f91bdb06401 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #23 0x7f91bdb03e1c in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:481:31
    #24 0x7f91bdb0262e in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:337:3
    #25 0x7f91bdb51828 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool>, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> >&, std::integer_sequence<unsigned long, 0ul, 1ul>) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1148:12
    #26 0x7f91bdb5148f in decltype(applyImpl(fp, fp0, *(this).mArguments, std::integer_sequence<unsigned long, 0ul, 1ul>{})) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, bool>::apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1154:12
    #27 0x7f91bdb50f89 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:1201:13
    #28 0x7f91b9cee34e in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:468:11
    #29 0x7f91b9cef9b9 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:477:5
    #30 0x7f91b9ceffac in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:552:13
    #31 0x7f91b9cf1ed7 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
    #32 0x7f91b9cedd3f in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
    #33 0x7f91b9cedc94 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:328:3
    #34 0x7f91b9cedc01 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
    #35 0x7f91b9d4db9a in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:191:16
    #36 0x7f91b9d022b8 in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #37 0x7f91f05966da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
    #38 0x7f91ef574a3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x7f91665a5520 is located 4832 bytes to the left of 1048576-byte region [0x7f91665a6800,0x7f91666a6800)
freed by thread T0 here:
    #0 0x564ffd462afd in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f91b74ab172 in nsStringBuffer::Release() src/xpcom/string/nsSubstring.cpp:193:5
    #2 0x7f91b74aac3d in ReleaseData(void*, mozilla::detail::StringDataFlags) src/xpcom/string/nsSubstring.cpp:110:38
    #3 0x7f91b74c8214 in nsTSubstring<char>::StartBulkWriteImpl(unsigned int, unsigned int, bool, unsigned int, unsigned int, unsigned int) src/xpcom/string/nsTSubstring.cpp:247:5
    #4 0x7f91b74d65f4 in nsTSubstring<char>::SetLength(unsigned int, std::nothrow_t const&) src/xpcom/string/nsTSubstring.cpp:936:7
    #5 0x7f91cffe748b in mozilla::Result<nsTString<char>, nsresult> mozilla::EncodeLZ4<char [16]>(nsTSubstring<char> const&, char const (&) [16]) src/toolkit/mozapps/extensions/AddonManagerStartup.cpp:194:15
    #6 0x7f91cffe68a2 in mozilla::AddonManagerStartup::EncodeBlob(JS::Handle<JS::Value>, JSContext*, JS::MutableHandle<JS::Value>) src/toolkit/mozapps/extensions/AddonManagerStartup.cpp:554:3
    #7 0x7f91b7a4fdfd in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #8 0x7f91bba3bcb9 in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
    #9 0x7f91bba3bcb9 in CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #10 0x7f91bba3bcb9 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #11 0x7f91bba415a3 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:925:10
    #12 0x7f91d0637b65 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:435:13
    #13 0x7f91d0637b65 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:520:12
    #14 0x7f91d0639073 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
    #15 0x7f91d0638d01 in js::CallFromStack(JSContext*, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:584:10
    #16 0x7f91d060bed0 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
    #17 0x7f91d05c91b0 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:405:13
    #18 0x7f91d063813b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:552:13
    #19 0x7f91d0639073 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
    #20 0x7f91d063932a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
    #21 0x7f91d198e220 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2861:10
    #22 0x7f91c0bb3211 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) src/objdir-ff-ubsan/dom/bindings/WindowBinding.cpp:871:8

previously allocated by thread T0 here:
    #0 0x564ffd462d7d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f91b74ab4ab in nsStringBuffer::Alloc(unsigned long) src/xpcom/string/nsSubstring.cpp:206:42
    #2 0x7f91b74c767f in nsTSubstring<char>::StartBulkWriteImpl(unsigned int, unsigned int, bool, unsigned int, unsigned int, unsigned int) src/xpcom/string/nsTSubstring.cpp:202:32
    #3 0x7f91b74d65f4 in nsTSubstring<char>::SetLength(unsigned int, std::nothrow_t const&) src/xpcom/string/nsTSubstring.cpp:936:7
    #4 0x7f91cffe731a in mozilla::Result<nsTString<char>, nsresult> mozilla::EncodeLZ4<char [16]>(nsTSubstring<char> const&, char const (&) [16]) src/toolkit/mozapps/extensions/AddonManagerStartup.cpp:187:15
    #5 0x7f91cffe68a2 in mozilla::AddonManagerStartup::EncodeBlob(JS::Handle<JS::Value>, JSContext*, JS::MutableHandle<JS::Value>) src/toolkit/mozapps/extensions/AddonManagerStartup.cpp:554:3
    #6 0x7f91b7a4fdfd in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #7 0x7f91bba3bcb9 in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
    #8 0x7f91bba3bcb9 in CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #9 0x7f91bba3bcb9 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #10 0x7f91bba415a3 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:925:10
    #11 0x7f91d0637b65 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:435:13
    #12 0x7f91d0637b65 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:520:12
    #13 0x7f91d0639073 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
    #14 0x7f91d0638d01 in js::CallFromStack(JSContext*, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:584:10
    #15 0x7f91d060bed0 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
    #16 0x7f91d05c91b0 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:405:13
    #17 0x7f91d063813b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:552:13
    #18 0x7f91d0639073 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
    #19 0x7f91d063932a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
    #20 0x7f91d198e220 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2861:10
    #21 0x7f91c0bb3211 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) src/objdir-ff-ubsan/dom/bindings/WindowBinding.cpp:871:8
    #22 0x7f91be390aad in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/objdir-ff-ubsan/dist/include/mozilla/dom/WindowBinding.h:783:12

Thread T61 (Renderer) created by T0 here:
    #0 0x564ffd44d7ea in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f91b9cfb9c2 in (anonymous namespace)::CreateThread(unsigned long, bool, PlatformThread::Delegate*, unsigned long*) src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f91b9cfb7f9 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) src/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f91b9d4cd09 in base::Thread::StartWithOptions(base::Thread::Options const&) src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f91bdafdc01 in mozilla::wr::RenderThread::Start() src/gfx/webrender_bindings/RenderThread.cpp:90:16
    #5 0x7f91bd6ca72b in gfxPlatform::InitLayersIPC() src/gfx/thebes/gfxPlatform.cpp:1353:7
    #6 0x7f91bd6c6efc in gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:994:3
    #7 0x7f91bd6c5695 in gfxPlatform::GetPlatform() src/gfx/thebes/gfxPlatform.cpp:515:5
    #8 0x7f91c6c1edae in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) src/widget/GfxInfoBase.cpp:1763:25
    #9 0x7f91b7a4fdfd in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7f91bba3bcb9 in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
    #11 0x7f91bba3bcb9 in CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7f91bba3bcb9 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7f91bba7ca59 in XPCWrappedNative::GetAttribute(XPCCallContext&) src/js/xpconnect/src/xpcprivate.h:1468:12
    #14 0x7f91bba427a2 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7f91d0637b65 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:435:13
    #16 0x7f91d0637b65 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:520:12
    #17 0x7f91d0639073 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
    #18 0x7f91d063932a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
    #19 0x7f91d063c145 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:721:10
    #20 0x7f91d12583b8 in CallGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2104:12
    #21 0x7f91d123e230 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) src/js/src/vm/NativeObject.cpp:2134:12
    #22 0x7f91d123e230 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) src/js/src/vm/NativeObject.cpp:2279:14
    #23 0x7f91d123e230 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2316:10
    #24 0x7f91d067bc2f in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7f91d0605198 in js::GetObjectElementOperation(JSContext*, JSOp, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter-inl.h:452:10
    #26 0x7f91d0605198 in js::GetElementOperationWithStackIndex(JSContext*, JS::Handle<JS::Value>, int, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter-inl.h:559:10
    #27 0x7f91d0605198 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3050:14
    #28 0x7f91d05c91b0 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:405:13
    #29 0x7f91d063813b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:552:13
    #30 0x7f91d0639073 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
    #31 0x7f91d063932a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
    #32 0x7f91d198ca42 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2798:10
    #33 0x7f91bba2a5bd in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:970:17
    #34 0x7f91b7a526a1 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7f91b7a50b3a in SharedStub (src/objdir-ff-ubsan/dist/bin/libxul.so+0xea42b3a)
    #36 0x7f91b78e7442 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) src/xpcom/components/nsCategoryManager.cpp:686:19
    #37 0x7f91d008fbdd in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:1003:11
    #38 0x7f91d004c7b1 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4980:18
    #39 0x7f91d004fbfa in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5438:8
    #40 0x7f91d0050233 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5501:21
    #41 0x7f91d007f106 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12
    #42 0x564ffd497728 in do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:220:22
    #43 0x564ffd4961f2 in main src/browser/app/nsBrowserApp.cpp:344:16
    #44 0x7f91ef474b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/rOGwS1JspyHfxR7fbOm9dQ/index.html

Comment 2

[Tyson Smith [:tsmith]]

Attachment: test.gif

Comment 3

[Lee Salzman [:lsalzman]]

It looks like the main feature of this gif is that it is 49K pixels tall. SWGL imposes a limit on texture sizes that is 32K per dimension, which is similar to the limit that Skia also imposes on surface sizes (32K). So a bigger question is how/where/why this is getting passed along to us, and where is the appropriate place to intervene in that...

Comment 4

[Brad Werth [:bradwerth]]

I'll try to fix this.

Comment 5

[Brad Werth [:bradwerth]]

Attachment: tall_gradient.gif

This is a color gradient version of the test.gif, same size.

Comment 6

[Brad Werth [:bradwerth]]

Interestingly, with the tall_gradient.gif image, the crash does not occur. Investigation shows that the surface is pre-scaled to window dimensions by the time it hits RenderBufferTextureHostSWGL::MapPlane. Not clear to me why the original test.gif surface is propagated at full size, leading to the crash.

Comment 7

[Brad Werth [:bradwerth]]

(In reply to Brad Werth [:bradwerth] from comment #6)

Interestingly, with the tall_gradient.gif image, the crash does not occur. Investigation shows that the surface is pre-scaled to window dimensions by the time it hits RenderBufferTextureHostSWGL::MapPlane. Not clear to me why the original test.gif surface is propagated at full size, leading to the crash.

This difference is because tall_gradient.gif is not animated and so therefore RasterImage::CanDownscaleDuringDecode decides it can be downscaled during decode.

Comment 8

[Brad Werth [:bradwerth]]

Attachment: Bug 1692029 Part 1: Make TextureHost report a native texture policy.

Comment 9

[Brad Werth [:bradwerth]]

https://treeherder.mozilla.org/jobs?repo=try&revision=704755ca63c9cef1350b6428decbadc03e3c04db

Comment 10

[Brad Werth [:bradwerth]]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=e62a024028f677ab74c9336f0d25ffd162c3b000

Comment 11

[Brad Werth [:bradwerth]]

Bug 1692815 is possibly another occurrence of this.

Comment 12

[Brad Werth [:bradwerth]]

Comment on attachment 9205595 [details]
Bug 1692029 Part 1: Make TextureHost report a native texture policy.

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Easy to trigger a crash, not easy to trigger an exploit.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
• Which older supported branches are affected by this flaw?: all
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: Will not be difficult.
• How likely is this patch to cause regressions; how much testing does it need?: Unlikely. Software Webrender is only enabled by default in early beta on linux and Windows 7.

Comment 13

[Daniel Veditz [:dveditz]]

(In reply to Brad Werth [:bradwerth] from comment #12)

• Which older supported branches are affected by this flaw?: all
• How likely is this patch to cause regressions; how much testing does it need?: Unlikely. Software Webrender is only enabled by default in early beta on linux and Windows 7.

Those answers seem to be in conflict. There's no mention of software WR in the esr-78 code so it doesn't appear to need patching. If it's only available in early beta then I guess we don't need to uplift a patch to beta for 87?

Comment 14

[Daniel Veditz [:dveditz]]

Comment on attachment 9205595 [details]
Bug 1692029 Part 1: Make TextureHost report a native texture policy.

sec-approval=dveditz

Comment 15

[Brad Werth [:bradwerth]]

(In reply to Daniel Veditz [:dveditz] from comment #13)

(In reply to Brad Werth [:bradwerth] from comment #12)

• Which older supported branches are affected by this flaw?: all
• How likely is this patch to cause regressions; how much testing does it need?: Unlikely. Software Webrender is only enabled by default in early beta on linux and Windows 7.

Those answers seem to be in conflict. There's no mention of software WR in the esr-78 code so it doesn't appear to need patching. If it's only available in early beta then I guess we don't need to uplift a patch to beta for 87?

Good point. I'm not sure which older branches have support for software WebRender. Any of them that do are vulnerable to this bug. But it's only the early beta linux and win7 builds which have the feature on by default.

Comment 16

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Backed out for causing bustages in RenderTextureHostSWGL.cpp in cppunit(non-unified) tests:

https://hg.mozilla.org/integration/autoland/rev/63809c95d719408daf73f9777a8c60c4cdbf3b2d

Log: https://treeherder.mozilla.org/logviewer?job_id=332639248&repo=autoland

/builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:117:3: error: use of undeclared identifier 'TextureHost'; did you mean 'layers::TextureHost'?
/builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:117:3: error: incomplete type 'mozilla::layers::TextureHost' named in nested name specifier
/builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:118:7: error: use of undeclared identifier 'TextureHost'; did you mean 'layers::TextureHost'?
/builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:118:7: error: incomplete type 'mozilla::layers::TextureHost' named in nested name specifier
/builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:118:47: error: use of undeclared identifier 'WebRenderBackend'; did you mean 'layers::WebRenderBackend'?
/builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:120:20: error: use of undeclared identifier 'TextureHost'; did you mean 'layers::TextureHost'?
/builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:120:20: error: incomplete type 'mozilla::layers::TextureHost' named in nested name specifier

Comment 17

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Backed out for bustages in RenderTextureHostSWGL.cpp

https://hg.mozilla.org/integration/autoland/rev/69e9cab9c22d541fdb47e4985324cba78c981f5e

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunnable&revision=b0b87c410435ea484f96325e5f9153222732c7df

Log: https://treeherder.mozilla.org/logviewer?job_id=332720842&repo=autoland

One failure left: /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderTextureHostSWGL.cpp:120:11: error: use of undeclared identifier 'WebRenderBackend'; did you mean 'layers::WebRenderBackend'?

Comment 18

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Part 1: Make TextureHost report a native texture policy. r=lsalzman
https://hg.mozilla.org/integration/autoland/rev/0bf029eb5afa61036d619a1ec6a5cce42995bed1
https://hg.mozilla.org/mozilla-central/rev/0bf029eb5afa

Comment 19

[BugBot [:suhaib / :marco/ :calixte]]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Comment 20

[Rares Doghi, Desktop QA]

Hi, I was able to reproduce this issue in an older version of Firefox debug Fuzzing build on Ubuntu 18.04, the moment I would load the test.gif the browser would just crash, This issue no longer occurs with our latest builds.

Please note that this issue did not occur in normal builds, I was only able to reproduce the issue in Debug Fuzzin builds,