Closed Bug 724587 Opened 12 years ago Closed 12 years ago

svg files report out of bound reads with asan:

Categories: Core :: SVG, defect
Platform: x86_64 Linux
Priority: Not set
Severity: normal

Tracking: RESOLVED DUPLICATE of bug 711653

People: Reporter: curtisk, Unassigned

Whiteboard: [sg:dupe 711653][asan]

Attachments: 1 file

Hi,

SVG files of the general form below report out-of-bounds reads with ASan:

<svg xmlns:xlink="" viewBox="0 0 1 80">
    <defs>
        <filter id="x" filterUnits="userSpaceOnUse">
            <feSpecularLighting>
                <feSpotLight/>
            </feSpecularLighting>
        </filter>
    </defs>
    <g transform="matrix(0,-25615231,700,1,2,7483648)" filter="url(#x)" />
</svg>

I have attached a zip file containing several repros, ASan logs and a
valgrind log of Firefox 10.0 on 64-bit Ubuntu 11.10.

I have reproduced this bug with:
changeset:   86173:ccbb41b873cd
date:        Sat Feb 04 03:20:25 2012 -0800


br,
miaubiz

Possible dupe of bug 711653?

Actually, this is more likely to be related to bug 719779 (which may or may not itself be a dupe of bug 711653).  Neither this nor bug 719779's testcases trigger the assertions in the patch I just posted on bug 711653, which is why I'm suspecting they may have a different root cause.

Also: both this bug and bug 719779's testcases trigger the following warning in my debug build:
> WARNING: Surface size too large (would overflow)!: file ../../../mozilla/gfx/thebes/gfxASurface.cpp, line 383

Depends on: 719779
OS: All → Linux
Hardware: x86 → x86_64
Whiteboard: possible dupe of bug 719779

OK -- with the first file in the zip...
  3f7dfa853d4e971d33e6968ea67f8a70646996be.html
...I was able to reproduce this in valgrind *on the first load* (but not subsequent loads). The output I got looked like:
{
==2743== Invalid read of size 1
==2743==    at 0x7AAF9CE: Convolve3x3(unsigned char const*, int, signed char const (*) [3]) (nsSVGFilters.cpp:4918)
==2743==    by 0x7AAFBC2: GenerateNormal(float*, unsigned char const*, int, int, int, int, int, float) (nsSVGFilters.cpp:4981)
==2743==    by 0x7AB03AB: nsSVGFELightingElement::Filter(nsSVGFilterInstance*, nsTArray<nsSVGFE::Image const*, nsTArrayDefaultAllocator> const&, nsSVGFE::Image const*, nsIntRect const&) (nsSVGFilters.cpp:5081)
}

I confirmed that longsonr's patch over on bug 711653 saves us from hitting that. (I don't get that valgrind output anymore, and I added a printf to his early return & confirmed that we're hitting it.)

So I think this is a likely dupe of bug 711653 after all.  Still not sure why it doesn't run afoul of my assertions, per prev. comment -- that'd be interesting to investigate (they might not be sensitive enough).

(In reply to Curtis Koenig [:curtisk] from comment #0)
> <svg xmlns:xlink="" viewBox="0 0 1 80">

Side note: after re-skimming comment 0, it makes sense that longsonr's patch would fix this -- it checks for height=1 || width==1 on the input surface, and as shown above, the SVG here does have width=1 on its viewBox.
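The mechanism the last two comments describe (a 3x3 neighbourhood walk that has no "other side" to read when the input surface is one pixel wide or high, and an early return that skips such surfaces) is worth seeing in code. The program below is an added example written for this page; it is not Mozilla's code and the names generate_normal(), normal_pass_oob() and fetch() are hypothetical. It assumes the edge handling classifies a pixel in column 0 as a left edge whose window still reaches column 1 (the way the names in the trace suggest, but an assumption here), and it instruments the pixel fetch so that an out-of-range read is counted instead of dereferenced, which is what makes it safe to run without a sanitizer.

```c
#include <stdio.h>

/* Added, hypothetical example in the spirit of the GenerateNormal() and
 * Convolve3x3() frames in the valgrind trace above. It is not Mozilla's
 * code: the names, the edge handling and the instrumentation are
 * assumptions made here to show why a one-pixel-wide surface matters. */

typedef struct {
    const unsigned char *pixels; /* one 8-bit channel per pixel, row-major */
    int width, height, stride;   /* stride: bytes per row */
    int oob_reads;               /* instrumentation: fetches outside the buffer */
} Surface;

/* A real renderer indexes pixels[] directly; that is the "Invalid read of
 * size 1" valgrind reported. Here an out-of-range (x, y) is counted and 0 is
 * returned instead of dereferencing, so the program is safe to run. */
static unsigned char fetch(Surface *s, int x, int y)
{
    if (x < 0 || x >= s->width || y < 0 || y >= s->height) {
        s->oob_reads++;
        return 0;
    }
    return s->pixels[y * s->stride + x];
}

/* Sobel-style surface normal at (x, y). Edge pixels use a window shrunk by
 * one column or row on the side that is missing. The classification assumes
 * at least two columns and two rows (an assumption of this example): a pixel
 * in column 0 is treated as a left edge, so its window still reaches column
 * 1, and a pixel in row 0 still reaches row 1. */
static void generate_normal(Surface *s, int x, int y, int *nx, int *ny)
{
    static const int kDiff[3] = { -1, 0, 1 }, kSmooth[3] = { 1, 2, 1 };
    int xlo = (x == 0) ? 0 : -1;
    int xhi = (x == 0) ? 1 : (x == s->width - 1) ? 0 : 1;
    int ylo = (y == 0) ? 0 : -1;
    int yhi = (y == 0) ? 1 : (y == s->height - 1) ? 0 : 1;
    int sx = 0, sy = 0;

    for (int dy = ylo; dy <= yhi; dy++) {
        for (int dx = xlo; dx <= xhi; dx++) {
            int p = fetch(s, x + dx, y + dy);
            sx += kDiff[dx + 1] * kSmooth[dy + 1] * p;
            sy += kSmooth[dx + 1] * kDiff[dy + 1] * p;
        }
    }
    *nx = sx;
    *ny = sy;
}

/* Run the normal pass over a width x height surface and return how many
 * neighbour fetches fell outside the buffer (0 means no out-of-bounds read).
 * With guard != 0 the pass applies the early return the comments above
 * describe for the bug 711653 patch: a surface one pixel wide or one pixel
 * high has no "other side" for the edge windows, so it is skipped. */
static int normal_pass_oob(const unsigned char *pixels, int width, int height, int guard)
{
    Surface s = { pixels, width, height, width, 0 };

    if (guard && (width == 1 || height == 1))
        return 0;

    for (int y = 0; y < height; y++) {
        for (int x = 0; x < width; x++) {
            int nx, ny;
            generate_normal(&s, x, y, &nx, &ny);
            (void)nx;
            (void)ny;
        }
    }
    return s.oob_reads;
}

int main(void)
{
    /* Constructed inputs: a 1x80 alpha surface, the shape implied by the
     * viewBox="0 0 1 80" in comment 0, and a well-formed 4x4 surface. */
    static const unsigned char one_wide[80] = { 0 };
    static const unsigned char four_square[16] = { 0 };

    printf("1x80 unguarded: %d out-of-bounds fetches\n", normal_pass_oob(one_wide, 1, 80, 0));
    printf("1x80 guarded:   %d out-of-bounds fetches\n", normal_pass_oob(one_wide, 1, 80, 1));
    printf("4x4 unguarded:  %d out-of-bounds fetches\n", normal_pass_oob(four_square, 4, 4, 0));
    return 0;
}
```

On the 4x4 surface every edge window stays inside the buffer, so the unguarded pass reports no bad fetches; on the 1x80 surface every pixel is simultaneously a left and a right edge, and the left-edge window reaches a column that does not exist, once per window row. The guard turns that into a clean skip. To see the real thing rather than a counter, replace fetch() with a bare pixels[] index and build with -fsanitize=address.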
Cannot reproduce this anymore with the patch for bug 711653 applied, so it's likely a dup of that bug and bug 719779.

Great, thanks! Duping, per comment 4 thru 6.

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: possible dupe of bug 719779 → [asan]
Version: unspecified → Trunk
Whiteboard: [asan] → [sg:dupe 711653][asan]
Group: core-security