Closed
Bug 724587
Opened 12 years ago
Closed 12 years ago
svg files report out-of-bounds reads with asan
Categories: Core :: SVG, defect
Tracking: RESOLVED DUPLICATE of bug 711653
People: Reporter: curtisk, Unassigned
Whiteboard: [sg:dupe 711653][asan]
Attachments (1 file): 17.35 KB, application/zip
hi, svg files of the general form below, report out-of-bounds reads with asan:

    <svg xmlns:xlink="" viewBox="0 0 1 80">
      <defs>
        <filter id="x" filterUnits="userSpaceOnUse">
          <feSpecularLighting>
            <feSpotLight/>
          </feSpecularLighting>
        </filter>
      </defs>
      <g transform="matrix(0,-25615231,700,1,2,7483648)" filter="url(#x)" />
    </svg>

I have attached a zip file containing several repros, asan logs and a valgrind log of firefox 10.0 on 64-bit ubuntu 11.10.

I have reproduced this bug with:

    changeset: 86173:ccbb41b873cd
    date: Sat Feb 04 03:20:25 2012 -0800

br, miaubiz
Comment 1•12 years ago
Comment 2•12 years ago
Possible dupe of bug 711653?
Comment 3•12 years ago
Actually, this is more likely to be related to bug 719779 (which may or may not itself be a dupe of bug 711653). Neither this nor bug 719779's testcases trigger the assertions in the patch I just posted on bug 711653, which is why I'm suspecting they may have a different root cause.

Also: both this bug and bug 719779's testcases trigger the following warning in my debug build:

> WARNING: Surface size too large (would overflow)!: file ../../../mozilla/gfx/thebes/gfxASurface.cpp, line 383
Comment 4•12 years ago
OK -- with the first file in the zip... 3f7dfa853d4e971d33e6968ea67f8a70646996be.html ...I was able to reproduce this in valgrind *on the first load* (but not subsequent loads). The output I got looked like:

{
==2743== Invalid read of size 1
==2743==    at 0x7AAF9CE: Convolve3x3(unsigned char const*, int, signed char const (*) [3]) (nsSVGFilters.cpp:4918)
==2743==    by 0x7AAFBC2: GenerateNormal(float*, unsigned char const*, int, int, int, int, int, float) (nsSVGFilters.cpp:4981)
==2743==    by 0x7AB03AB: nsSVGFELightingElement::Filter(nsSVGFilterInstance*, nsTArray<nsSVGFE::Image const*, nsTArrayDefaultAllocator> const&, nsSVGFE::Image const*, nsIntRect const&) (nsSVGFilters.cpp:5081)
}

I confirmed that longsonr's patch over on bug 711653 saves us from hitting that. (I don't get that valgrind output anymore, and I added a printf to his early return & confirmed that we're hitting it.)

So I think this is a likely dupe of bug 711653 after all. Still not sure why it doesn't run afoul of my assertions, per prev. comment -- that'd be interesting to investigate (they might not be sensitive enough).
Comment 5•12 years ago
(In reply to Curtis Koenig [:curtisk] from comment #0)
> <svg xmlns:xlink="" viewBox="0 0 1 80">

Side note: after re-skimming comment 0, it makes sense that longsonr's patch would fix this -- it checks for height=1 || width==1 on the input surface, and as shown above, the SVG here does have width=1 on its viewBox.
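An added illustration of the guard comments 4 and 5 describe, not Mozilla's code: a 3x3 convolution over a hypothetical single-channel surface that rejects inputs 1 pixel wide or tall before reading anything and clamps edge coordinates, so the neighbour reads valgrind flagged in Convolve3x3 cannot leave the buffer. The surface type, the Sobel kernel and the sample pixels are all constructed for this example.

```c
#include <stdint.h>

/* Constructed stand-in for an 8-bit single-channel surface; not Mozilla's type. */
typedef struct { int width, height, stride; const uint8_t *data; } surface_t;

/* Clamp into [0, n-1] so an edge pixel re-reads itself instead of a
 * neighbour that lies outside the buffer. */
static int clamp_idx(int v, int n) { return v < 0 ? 0 : (v >= n ? n - 1 : v); }

/* Apply a 3x3 kernel at (x, y). Returns 0 and writes *out on success, -1 when
 * the surface has no 3x3 neighbourhood or (x, y) lies outside it. */
int convolve3x3_checked(const surface_t *s, int x, int y,
                        const int8_t kernel[3][3], int *out)
{
    /* The early return comment 5 describes: a surface 1 pixel wide or tall has
     * no left/right (or up/down) neighbours, so every such read is out of bounds. */
    if (s->width < 2 || s->height < 2) return -1;
    if (x < 0 || x >= s->width || y < 0 || y >= s->height) return -1;
    int sum = 0;
    for (int dy = -1; dy <= 1; dy++) {
        int yy = clamp_idx(y + dy, s->height);
        for (int dx = -1; dx <= 1; dx++) {
            int xx = clamp_idx(x + dx, s->width);
            sum += kernel[dy + 1][dx + 1] * s->data[yy * s->stride + xx];
        }
    }
    *out = sum;
    return 0;
}

/* Constructed inputs: a Sobel-X kernel, a 3x3 horizontal ramp, and a 1x80 strip
 * shaped like the report's viewBox="0 0 1 80". */
static const int8_t SOBEL_X[3][3] = { {-1, 0, 1}, {-2, 0, 2}, {-1, 0, 1} };
static const uint8_t SAMPLE_3X3[9] = { 10, 20, 30, 10, 20, 30, 10, 20, 30 };
static const uint8_t SAMPLE_1X80[80] = { 0 };

/* The 1-pixel-wide strip is rejected before any pixel is read: returns -1. */
int demo_one_pixel_wide(void) {
    surface_t s = { 1, 80, 1, SAMPLE_1X80 };
    int out = 0;
    return convolve3x3_checked(&s, 0, 0, SOBEL_X, &out);
}

/* Sobel-X response at (x, y) of the 3x3 ramp, or -1 if (x, y) is rejected. */
int demo_sobel_at(int x, int y) {
    surface_t s = { 3, 3, 3, SAMPLE_3X3 };
    int out = 0;
    if (convolve3x3_checked(&s, x, y, SOBEL_X, &out) != 0) return -1;
    return out;
}
```

The corner case relies on clamping: at (0, 0) the missing left column is replaced by the pixel's own column, so the kernel still reads nine in-bounds bytes.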
Comment 6•12 years ago
Cannot reproduce this anymore with the patch for bug 711653 applied, so it's likely a dup of that bug and bug 719779.
Comment 7•12 years ago
Great, thanks! Duping, per comment 4 thru 6.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: possible dupe of bug 719779 → [asan]
Version: unspecified → Trunk
Updated•12 years ago
Whiteboard: [asan] → [sg:dupe 711653][asan]
Updated•10 years ago
Group: core-security