Closed Bug 1850064 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-buffer-overflow [@ mozilla::gfx::PathOps::StreamToSink] with READ of size 4

Categories

(Core :: Graphics: WebRender, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1846685
Tracking Status
firefox118 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, pernosco, testcase, Whiteboard: [fuzzblocker])

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 20230824-014c9a0ccc44 (build with --enable-fuzzing & moz2d target patch).

For detailed crash information, see attachment.

To reproduce the issue:

  1. Build an ASan --enable-fuzzing build including gtests with https://phabricator.services.mozilla.com/D186833 applied.
  2. Run FUZZER=Moz2D objdir/dist/bin/firefox test.bin
Attached file Testcase
Attached file crash.cpp

Decoded test.bin call.

A Pernosco session is available here: https://pernos.co/debug/E7orJn-Nr_oE07n2vcl60A/index.html

Keywords: pernosco

This issue is triggered within seconds of launching the fuzzer. Marking as fuzzblocker.

Whiteboard: [fuzzblocker]
Blocks: gfx-triage
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2023-5169
Resolution: --- → DUPLICATE
Group: gfx-core-security