Closed
Bug 1696816
(CVE-2021-29972)
Opened 3 years ago
Closed 3 years ago
AddressSanitizer: heap-use-after-free [@ _pixman_image_validate] when print or save to PDF
Categories
(Core :: Graphics, task)
Core
Graphics
Tracking
()
VERIFIED
FIXED
90 Branch
People
(Reporter: sourc7, Assigned: jfkthame)
References
Details
(Keywords: csectype-uaf, sec-moderate, Whiteboard: [fixed by Cairo update][reporter-external] [client-bounty-form] [verif?][adv-main90+])
Attachments
(4 files)
By set CSS universal selector * with property clip-path: polygon <clip-source> and <basic-shape> with value more than or equal to 13 then add mix-blend-mode: soft-light to the selector. After print the web pages dialog show then Save to PDF, the entire browser is crashed with heap-use-after-free.
Affected version:
- Firefox Nightly 88.0a1 (2021-03-07) (64-bit) on Arch Linux and Windows 10
- Firefox Release 86.0 (64-bit)
- Firefox ESR 78.8.0esr (64-bit)
Steps to reproduce:
- Visit attached testcase.html
- When print dialog show, select Destination "Save to PDF" (default on my desktop) or "Print to File" (on Firefox ESR Linux)
- Click "Save" or "Print"
- Browser crashed
ASAN output:
=================================================================
==551946==ERROR: AddressSanitizer: heap-use-after-free on address 0x612004964470 at pc 0x7fdb24e356a1 bp 0x7ffe4fc02a20 sp 0x7ffe4fc02a18
READ of size 4 at 0x612004964470 thread T0
#0 0x7fdb24e356a0 in _pixman_image_validate /home/sourc7/git/gecko-dev-asan/gfx/cairo/libpixman/src/pixman-image.c:549:23
#1 0x7fdb24eac48f in _moz_pixman_image_composite32 /home/sourc7/git/gecko-dev-asan/gfx/cairo/libpixman/src/pixman.c:587:2
#2 0x7fdb24ca6a43 in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3051:3
#3 0x7fdb24ca6a43 in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#4 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#5 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#6 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#7 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#8 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#9 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#10 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#11 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#12 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#13 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#14 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#15 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#16 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#17 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#18 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#19 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#20 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#21 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#22 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#23 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#24 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#25 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#26 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#27 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#28 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#29 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#30 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#31 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#32 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#33 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#34 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#35 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#36 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#37 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#38 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#39 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#40 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#41 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#42 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#43 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#44 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#45 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#46 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#47 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#48 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#49 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#50 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#51 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#52 0x7fdb24cb0bd4 in _paint_fallback_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-paginated-surface.c:268:14
#53 0x7fdb24cb06d9 in _paint_page /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-paginated-surface.c:404:15
#54 0x7fdb24cafb58 in _cairo_paginated_surface_show_page /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-paginated-surface.c:466:14
#55 0x7fdb24d1d1e1 in _moz_cairo_surface_show_page /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2541:21
#56 0x7fdb1c3e6e3f in mozilla::gfx::PrintTargetPDF::EndPage() /home/sourc7/git/gecko-dev-asan/gfx/thebes/PrintTargetPDF.cpp:63:3
#57 0x7fdb1bb67e4d in nsDeviceContext::EndPage() /home/sourc7/git/gecko-dev-asan/gfx/src/nsDeviceContext.cpp:581:31
#58 0x7fdb23c9e733 in PrintPage /home/sourc7/git/gecko-dev-asan/layout/printing/ipc/RemotePrintJobParent.cpp:171:29
#59 0x7fdb23c9e733 in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(nsRefCountedHashtable<nsUint64HashKey, RefPtr<mozilla::gfx::RecordedDependentSurface> >*) /home/sourc7/git/gecko-dev-asan/layout/printing/ipc/RemotePrintJobParent.cpp:146:17
#60 0x7fdb23c9e39c in mozilla::layout::RemotePrintJobParent::RecvProcessPage(nsTArray<unsigned long>&&) /home/sourc7/git/gecko-dev-asan/layout/printing/ipc/RemotePrintJobParent.cpp:121:5
#61 0x7fdb1acdad14 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /home/sourc7/git/gecko-dev-asan/objdir-ff-asan/ipc/ipdl/PRemotePrintJobParent.cpp:301:28
#62 0x7fdb1a64e158 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /home/sourc7/git/gecko-dev-asan/objdir-ff-asan/ipc/ipdl/PContentParent.cpp:6730:32
#63 0x7fdb1a295159 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/sourc7/git/gecko-dev-asan/ipc/glue/MessageChannel.cpp:2157:25
#64 0x7fdb1a290543 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/sourc7/git/gecko-dev-asan/ipc/glue/MessageChannel.cpp:2081:9
#65 0x7fdb1a2929e2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/sourc7/git/gecko-dev-asan/ipc/glue/MessageChannel.cpp:1929:3
#66 0x7fdb1a29385b in mozilla::ipc::MessageChannel::MessageTask::Run() /home/sourc7/git/gecko-dev-asan/ipc/glue/MessageChannel.cpp:1960:13
#67 0x7fdb18b9ce61 in mozilla::RunnableTask::Run() /home/sourc7/git/gecko-dev-asan/xpcom/threads/TaskController.cpp:472:16
#68 0x7fdb18b925e7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /home/sourc7/git/gecko-dev-asan/xpcom/threads/TaskController.cpp:760:26
#69 0x7fdb18b8f635 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /home/sourc7/git/gecko-dev-asan/xpcom/threads/TaskController.cpp:611:15
#70 0x7fdb18b8fbc8 in mozilla::TaskController::ProcessPendingMTTask(bool) /home/sourc7/git/gecko-dev-asan/xpcom/threads/TaskController.cpp:395:36
#71 0x7fdb18b93c74 in operator() /home/sourc7/git/gecko-dev-asan/xpcom/threads/TaskController.cpp:136:37
#72 0x7fdb18b93c74 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /home/sourc7/git/gecko-dev-asan/xpcom/threads/nsThreadUtils.h:534:5
#73 0x7fdb18bc036a in nsThread::ProcessNextEvent(bool, bool*) /home/sourc7/git/gecko-dev-asan/xpcom/threads/nsThread.cpp:1158:16
#74 0x7fdb18bcbc51 in NS_ProcessNextEvent(nsIThread*, bool) /home/sourc7/git/gecko-dev-asan/xpcom/threads/nsThreadUtils.cpp:548:10
#75 0x7fdb1a29f483 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/sourc7/git/gecko-dev-asan/ipc/glue/MessagePump.cpp:109:5
#76 0x7fdb1a1081e1 in RunInternal /home/sourc7/git/gecko-dev-asan/ipc/chromium/src/base/message_loop.cc:335:10
#77 0x7fdb1a1081e1 in RunHandler /home/sourc7/git/gecko-dev-asan/ipc/chromium/src/base/message_loop.cc:328:3
#78 0x7fdb1a1081e1 in MessageLoop::Run() /home/sourc7/git/gecko-dev-asan/ipc/chromium/src/base/message_loop.cc:310:3
#79 0x7fdb22a364ba in nsBaseAppShell::Run() /home/sourc7/git/gecko-dev-asan/widget/nsBaseAppShell.cpp:137:27
#80 0x7fdb26fd1379 in nsAppStartup::Run() /home/sourc7/git/gecko-dev-asan/toolkit/components/startup/nsAppStartup.cpp:271:30
#81 0x7fdb2727ea23 in XREMain::XRE_mainRun() /home/sourc7/git/gecko-dev-asan/toolkit/xre/nsAppRunner.cpp:5351:22
#82 0x7fdb2728107b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/sourc7/git/gecko-dev-asan/toolkit/xre/nsAppRunner.cpp:5543:8
#83 0x7fdb27281b95 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/sourc7/git/gecko-dev-asan/toolkit/xre/nsAppRunner.cpp:5606:21
#84 0x55b255d1a773 in do_main /home/sourc7/git/gecko-dev-asan/browser/app/nsBrowserApp.cpp:220:22
#85 0x55b255d1a773 in main /home/sourc7/git/gecko-dev-asan/browser/app/nsBrowserApp.cpp:347:16
#86 0x7fdb34722b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#87 0x55b255c6d8fd in _start (/home/sourc7/git/gecko-dev-asan/objdir-ff-asan/dist/bin/firefox+0xbf8fd)
0x612004964470 is located 48 bytes inside of 264-byte region [0x612004964440,0x612004964548)
freed by thread T0 here:
#0 0x55b255ce74ed in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#1 0x7fdb24e34719 in _moz_pixman_image_unref /home/sourc7/git/gecko-dev-asan/gfx/cairo/libpixman/src/pixman-image.c:213:2
#2 0x7fdb24c92ae4 in _cairo_image_surface_finish /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:729:2
#3 0x7fdb24d18694 in _moz_cairo_surface_finish /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:728:11
#4 0x7fdb24d0f394 in _moz_cairo_surface_destroy /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:649:2
#5 0x7fdb24c5e803 in _cairo_clip_drop_cache /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-clip.c:1303:6
#6 0x7fdb24ce5e9f in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:987:2
#7 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#8 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#9 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#10 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#11 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#12 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#13 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#14 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#15 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#16 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#17 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#18 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#19 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#20 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#21 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#22 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#23 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#24 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#25 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#26 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#27 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#28 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#29 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#30 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#31 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#32 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#33 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#34 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#35 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#36 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#37 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#38 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
previously allocated by thread T0 here:
#0 0x55b255ce776d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x7fdb24e34740 in _pixman_image_allocate /home/sourc7/git/gecko-dev-asan/gfx/cairo/libpixman/src/pixman-image.c:184:29
#2 0x7fdb24d675f7 in create_bits_image_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/libpixman/src/pixman-bits-image.c:1340:13
#3 0x7fdb24c92070 in _cairo_image_surface_create_with_pixman_format /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:329:20
#4 0x7fdb24d125b2 in _cairo_surface_create_similar_scratch /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:465:15
#5 0x7fdb24c5d633 in _cairo_clip_path_get_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-clip.c:984:15
#6 0x7fdb24ca6377 in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3013:21
#7 0x7fdb24ca6377 in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#8 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#9 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#10 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#11 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#12 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#13 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#14 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#15 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#16 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#17 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#18 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#19 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#20 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#21 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#22 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#23 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#24 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#25 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#26 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#27 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
#28 0x7fdb24ca678b in _composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3029:12
#29 0x7fdb24ca678b in _clip_and_composite_boxes /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3090:14
#30 0x7fdb24c953b4 in _cairo_image_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:3338:11
#31 0x7fdb24d0effe in _cairo_surface_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:2110:11
#32 0x7fdb24c1cafd in _cairo_surface_wrapper_paint /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface-wrapper.c:148:14
#33 0x7fdb24ce55ed in _cairo_recording_surface_replay_internal /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:855:15
#34 0x7fdb24cfd1cd in _cairo_recording_surface_replay /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:1011:12
#35 0x7fdb24cfd1cd in _cairo_recording_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-recording-surface.c:278:14
#36 0x7fdb24d0e8fd in _cairo_surface_acquire_source_image /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-surface.c:1452:14
#37 0x7fdb24c9edd5 in _pixman_image_for_surface /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1515:11
#38 0x7fdb24c9edd5 in _pixman_image_for_pattern /home/sourc7/git/gecko-dev-asan/gfx/cairo/cairo/src/cairo-image-surface.c:1693:9
SUMMARY: AddressSanitizer: heap-use-after-free /home/sourc7/git/gecko-dev-asan/gfx/cairo/libpixman/src/pixman-image.c:549:23 in _pixman_image_validate
Shadow bytes around the buggy address:
0x0c2480924830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2480924840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2480924850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2480924860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2480924870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2480924880: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
0x0c2480924890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c24809248a0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c24809248b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c24809248c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c24809248d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==551946==ABORTING
Flags: sec-bounty?
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
It turns out that holding down the "enter" key it able to pass the print dialog then Save to PDF, so it straightforward way to trigger the crash.
|
||
Updated•3 years ago
|
Group: firefox-core-security → gfx-core-security
Component: Security → Graphics
Product: Firefox → Core
|
|
Reporter | |
Comment 3•3 years ago
|
||
|
||
Comment 4•3 years ago
|
||
Those stacks are really deep in Cairo. I tried to look the stacks but I couldn't make much sense of them.
Requiring a save to PDF maybe mitigates it a little bit, but it still sounds bad. It looks like cairo-recording-surface.c was last updated in 2012.
Keywords: csectype-uaf
Summary: AddressSanitizer: heap-use-after-free [@ _pixman_image_validate] → AddressSanitizer: heap-use-after-free [@ _pixman_image_validate] when saving to PDF
|
||
Comment 5•3 years ago
|
||
Jonathan is working on a cairo update atm iirc.
|
|
||
Updated•3 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Updated•3 years ago
|
Keywords: sec-moderate
|
|
Reporter | |
Comment 7•3 years ago
|
||
Update: I can also reproduce this crashes when print destinations other than "Save to PDF" (e.g. Microsoft Print to PDF, Fax, OneNote)
|
|
Reporter | |
Updated•3 years ago
|
Summary: AddressSanitizer: heap-use-after-free [@ _pixman_image_validate] when saving to PDF → AddressSanitizer: heap-use-after-free [@ _pixman_image_validate] when print or save to PDF
|
Assignee | |
Comment 8•3 years ago
|
||
I can confirm this reproduces in a local ASAN build of mozilla-central; but it does not reproduce with my current patch stack to update to cairo-1.17.4+. So bug 739096 should resolve this.
|
|
||
Updated•3 years ago
|
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][fixed by Cairo update]
|
||
Comment 9•3 years ago
|
||
Looks like this was indeed fixed by bug 739096. It was last found by the fuzzer while fuzzing m-c 20210427-3009bdef939c.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 10•3 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #9)
Looks like this was indeed fixed by bug 739096. It was last found by the fuzzer while fuzzing m-c 20210427-3009bdef939c.
Thanks Tyson, I also confirmed that I no longer able to reproduce this in Firefox 90.0a1 (2021-05-06) (64-bit).
Status: RESOLVED → VERIFIED
|
|
||
Updated•3 years ago
|
Depends on: 739096
Flags: sec-bounty? → sec-bounty+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][fixed by Cairo update] → [fixed by Cairo update][reporter-external] [client-bounty-form] [verif?]
|
||
Updated•3 years ago
|
Assignee: nobody → jfkthame
Group: gfx-core-security → core-security-release
status-firefox88:
--- → wontfix
status-firefox89:
--- → wontfix
status-firefox90:
--- → fixed
status-firefox-esr78:
--- → wontfix
Target Milestone: --- → 90 Branch
|
||
Updated•3 years ago
|
Whiteboard: [fixed by Cairo update][reporter-external] [client-bounty-form] [verif?] → [fixed by Cairo update][reporter-external] [client-bounty-form] [verif?][adv-main90+]
|
|
||
Comment 11•3 years ago
|
||
|
|
||
Updated•3 years ago
|
Alias: CVE-2021-29972
|
|
||
Updated•2 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•