Closed Bug 1850065 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-buffer-overflow [@ __asan_memcpy] with READ of size 8

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1846685
Tracking Flags:
Tracking Status
firefox118 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, pernosco, testcase, Whiteboard: [fuzzblocker])

Attachments

(3 files)

Detailed Crash Information
11.24 KB, text/plain
Details
Testcase
27.38 KB, application/octet-stream
Details
crash.cpp
168.02 KB, text/plain
Details

The attached testcase crashes on mozilla-central revision 20230824-014c9a0ccc44 (build with --enable-fuzzing & moz2d target patch).

For detailed crash information, see attachment.

To reproduce the issue:

  1. Build an ASan --enable-fuzzing build including gtests with https://phabricator.services.mozilla.com/D186833 applied.
  2. Run FUZZER=Moz2D objdir/dist/bin/firefox test.bin
Attached file Testcase
Attached file crash.cpp

Decoded test.bin call.

Component: Graphics: WebRender → Graphics

A Pernosco session is available here: https://pernos.co/debug/nrXSAewrepw0tfgz7uMvog/index.html

Keywords: pernosco

This issue is triggered within seconds of launching the fuzzer. Marking as fuzzblocker.

Whiteboard: [fuzzblocker]
Attachment #9350204 - Attachment mime type: text/x-c++src → text/plain

Is this fixed by the patch in bug 1846685?

Flags: needinfo?(jschwartzentruber)

(In reply to Bob Owen (:bobowen) from comment #6)

Is this fixed by the patch in bug 1846685?

No, I get the same stack with D186161 applied.

Flags: needinfo?(jschwartzentruber)

My mistake, I had not rebuilt gtest to pick up the patch.

It does appear to fix the testcases here and in bug 1850064. In both cases I see the following, but no crash:

[GFX1-]: Replay failure: PathCreation PLAY
[GFX1-]: Replay failure: PathCreation PLAY

(In reply to Jesse Schwartzentruber (:truber) from comment #8)

My mistake, I had not rebuilt gtest to pick up the patch.

It does appear to fix the testcases here and in bug 1850064. In both cases I see the following, but no crash:

[GFX1-]: Replay failure: PathCreation PLAY
[GFX1-]: Replay failure: PathCreation PLAY

Ah, great I was scratching my head as to what might be going wrong.
I'm not too familiar with this use of the Moz2D recording, but that error seems about right as we just return false as a failure of the CheckedStreamToSink.

Blocks: gfx-triage
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2023-5169
Resolution: --- → DUPLICATE
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: