Closed Bug 1850065 Opened 8 months ago Closed 8 months ago

AddressSanitizer: heap-buffer-overflow [@ __asan_memcpy] with READ of size 8

Categories

(Core :: Graphics, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1846685
Tracking Status
firefox118 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, pernosco, testcase, Whiteboard: [fuzzblocker])

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 20230824-014c9a0ccc44 (build with --enable-fuzzing & moz2d target patch).

For detailed crash information, see attachment.

To reproduce the issue:

  1. Build an ASan --enable-fuzzing build including gtests with https://phabricator.services.mozilla.com/D186833 applied.
  2. Run FUZZER=Moz2D objdir/dist/bin/firefox test.bin
Attached file Testcase
Attached file crash.cpp

Decoded test.bin call.

Component: Graphics: WebRender → Graphics

A Pernosco session is available here: https://pernos.co/debug/nrXSAewrepw0tfgz7uMvog/index.html

Keywords: pernosco

This issue is triggered within seconds of launching the fuzzer. Marking as fuzzblocker.

Whiteboard: [fuzzblocker]
Attachment #9350204 - Attachment mime type: text/x-c++src → text/plain

Is this fixed by the patch in bug 1846685?

Flags: needinfo?(jschwartzentruber)

(In reply to Bob Owen (:bobowen) from comment #6)

> Is this fixed by the patch in bug 1846685?

No, I get the same stack with D186161 applied.

Flags: needinfo?(jschwartzentruber)

My mistake, I had not rebuilt gtest to pick up the patch.

It does appear to fix the testcases here and in bug 1850064. In both cases I see the following, but no crash:

[GFX1-]: Replay failure: PathCreation PLAY
[GFX1-]: Replay failure: PathCreation PLAY

(In reply to Jesse Schwartzentruber (:truber) from comment #8)

> My mistake, I had not rebuilt gtest to pick up the patch.
>
> It does appear to fix the testcases here and in bug 1850064. In both cases I see the following, but no crash:
>
> [GFX1-]: Replay failure: PathCreation PLAY
> [GFX1-]: Replay failure: PathCreation PLAY

Ah, great, I was scratching my head as to what might be going wrong.
I'm not too familiar with this use of the Moz2D recording, but that error seems about right, as we just return false as a failure of the CheckedStreamToSink.

Blocks: gfx-triage
Status: NEW → RESOLVED
Closed: 8 months ago
Duplicate of bug: CVE-2023-5169
Resolution: --- → DUPLICATE
Group: gfx-core-security