Closed
Bug 774207
Opened 13 years ago
Closed 13 years ago
Heap-buffer-overflow in mozilla::gfx::BoxBlurVertical
Categories
(Core :: Graphics, defect)
Tracking
Status: RESOLVED FIXED

| | Tracking | Status |
|---|---|---|
| firefox-esr10 | --- | unaffected |
People
(Reporter: inferno, Assigned: jrmuizel)
References
Details
(Keywords: crash, testcase, Whiteboard: [asan] fixed by bug 783041)
Attachments (1 file)
234 bytes, text/html
Reproduces on trunk 5ff43f5c593e [20120715] with display [Xvfb :1 -screen 1 1280x1024x16].
=================================================================
==14734== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fcd843ef774 at pc 0x7fcda968bf54 bp 0x7fff5b528330 sp 0x7fff5b528328
READ of size 1 at 0x7fcd843ef774 thread T0
#0 0x7fcda968bf54 in mozilla::gfx::BoxBlurVertical(unsigned char*, unsigned char*, int, int, int, int, mozilla::gfx::IntRect const&) firefox/src/gfx/2d/Blur.cpp:151
#1 0x7fcda9689830 in mozilla::gfx::AlphaBoxBlur::Blur() firefox/src/gfx/2d/Blur.cpp:471
#2 0x7fcda8f2cb9a in gfxAlphaBoxBlur::Paint(gfxContext*, gfxPoint const&) firefox/src/gfx/thebes/gfxBlur.cpp:75
#3 0x7fcda71a2da0 in nsContextBoxBlur::DoPaint() firefox/src/layout/base/nsCSSRendering.cpp:4278
#4 0x7fcda73bf8c6 in nsTextFrame::PaintOneShadow(unsigned int, unsigned int, nsCSSShadowItem*, PropertyProvider*, nsRect const&, gfxPoint const&, gfxPoint const&, gfxContext*, unsigned int const&, nsCharClipDisplayItem::ClipEdges const&, int, gfxRect&) firefox/src/layout/generic/nsTextFrameThebes.cpp:5090
#5 0x7fcda73bbd24 in nsTextFrame::PaintText(nsRenderingContext*, nsPoint, nsRect const&, nsCharClipDisplayItem const&) firefox/src/layout/generic/nsTextFrameThebes.cpp:5558
#6 0x7fcda73bb2a0 in nsDisplayText::Paint(nsDisplayListBuilder*, nsRenderingContext*) firefox/src/layout/generic/nsTextFrameThebes.cpp:4403
#7 0x7fcda7158a6f in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) firefox/src/layout/base/FrameLayerBuilder.cpp:2589
#8 0x7fcda8fcec17 in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) firefox/src/gfx/layers/basic/BasicThebesLayer.cpp:145
#9 0x7fcda8fb90b3 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) firefox/src/gfx/layers/basic/BasicLayerManager.cpp:770
#10 0x7fcda8fb8fb5 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) firefox/src/gfx/layers/basic/BasicLayerManager.cpp:788
#11 0x7fcda8fb74ec in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) firefox/src/gfx/layers/basic/BasicLayerManager.cpp:436
#12 0x7fcda71d89c4 in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const firefox/src/layout/base/nsDisplayList.cpp:647
#13 0x7fcda71d8340 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const firefox/src/layout/base/nsDisplayList.cpp:552
#14 0x7fcda7218037 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) firefox/src/layout/base/nsLayoutUtils.cpp:1820
#15 0x7fcda72512ed in PresShell::RenderDocument(nsRect const&, unsigned int, unsigned int, gfxContext*) firefox/src/layout/base/nsPresShell.cpp:4363
#16 0x7fcda77dc54d in nsCanvasRenderingContext2D::DrawWindow(nsIDOMWindow*, float, float, float, float, nsAString_internal const&, unsigned int) firefox/src/content/canvas/src/nsCanvasRenderingContext2D.cpp:3723
#17 0x7fcda832668d in nsIDOMCanvasRenderingContext2D_DrawWindow(JSContext*, unsigned int, JS::Value*) firefox/src/objdir-ff-asan/js/xpconnect/src/dom_quickstubs.cpp:2735
#18 0x7fcda9c02b8f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) firefox/src/js/src/jscntxtinlines.h:382
#19 0x7fcda9b3787d in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) firefox/src/js/src/jsinterp.h:119
0x7fcd843ef774 is located 12 bytes to the left of 1-byte region [0x7fcd843ef780,0x7fcd843ef781)
allocated by thread T0 here:
#0 0x425b02 in __interceptor_malloc ??:0
#1 0x7fcda9689224 in mozilla::gfx::AlphaBoxBlur::Blur() firefox/src/gfx/2d/Blur.cpp:446
#2 0x7fcda8f2cb9a in gfxAlphaBoxBlur::Paint(gfxContext*, gfxPoint const&) firefox/src/gfx/thebes/gfxBlur.cpp:75
#3 0x7fcda71a2da0 in nsContextBoxBlur::DoPaint() firefox/src/layout/base/nsCSSRendering.cpp:4278
#4 0x7fcda73bf8c6 in nsTextFrame::PaintOneShadow(unsigned int, unsigned int, nsCSSShadowItem*, PropertyProvider*, nsRect const&, gfxPoint const&, gfxPoint const&, gfxContext*, unsigned int const&, nsCharClipDisplayItem::ClipEdges const&, int, gfxRect&) firefox/src/layout/generic/nsTextFrameThebes.cpp:5090
#5 0x7fcda73bbd24 in nsTextFrame::PaintText(nsRenderingContext*, nsPoint, nsRect const&, nsCharClipDisplayItem const&) firefox/src/layout/generic/nsTextFrameThebes.cpp:5558
#6 0x7fcda73bb2a0 in nsDisplayText::Paint(nsDisplayListBuilder*, nsRenderingContext*) firefox/src/layout/generic/nsTextFrameThebes.cpp:4403
#7 0x7fcda7158a6f in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) firefox/src/layout/base/FrameLayerBuilder.cpp:2589
#8 0x7fcda8fcec17 in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) firefox/src/gfx/layers/basic/BasicThebesLayer.cpp:145
#9 0x7fcda8fb90b3 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) firefox/src/gfx/layers/basic/BasicLayerManager.cpp:770
#10 0x7fcda8fb8fb5 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) firefox/src/gfx/layers/basic/BasicLayerManager.cpp:788
#11 0x7fcda8fb74ec in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) firefox/src/gfx/layers/basic/BasicLayerManager.cpp:436
#12 0x7fcda71d89c4 in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const firefox/src/layout/base/nsDisplayList.cpp:647
#13 0x7fcda71d8340 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const firefox/src/layout/base/nsDisplayList.cpp:552
#14 0x7fcda7218037 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) firefox/src/layout/base/nsLayoutUtils.cpp:1820
#15 0x7fcda72512ed in PresShell::RenderDocument(nsRect const&, unsigned int, unsigned int, gfxContext*) firefox/src/layout/base/nsPresShell.cpp:4363
#16 0x7fcda77dc54d in nsCanvasRenderingContext2D::DrawWindow(nsIDOMWindow*, float, float, float, float, nsAString_internal const&, unsigned int) firefox/src/content/canvas/src/nsCanvasRenderingContext2D.cpp:3723
#17 0x7fcda832668d in nsIDOMCanvasRenderingContext2D_DrawWindow(JSContext*, unsigned int, JS::Value*) firefox/src/objdir-ff-asan/js/xpconnect/src/dom_quickstubs.cpp:2735
#18 0x7fcda9c02b8f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) firefox/src/js/src/jscntxtinlines.h:382
#19 0x7fcda9b3787d in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) firefox/src/js/src/jsinterp.h:119
==14734== ABORTING
Shadow byte and word:
0x1ff9b087deee: fa
0x1ff9b087dee8: fa fa fa fa fa fa fa fa
More shadow bytes:
0x1ff9b087dec8: fa fa fa fa fa fa fa fa
0x1ff9b087ded0: 00 00 00 fb fb fb fb fb
0x1ff9b087ded8: fb fb fb fb fb fb fb fb
0x1ff9b087dee0: fa fa fa fa fa fa fa fa
=>0x1ff9b087dee8: fa fa fa fa fa fa fa fa
0x1ff9b087def0: 01 fb fb fb fb fb fb fb
0x1ff9b087def8: fb fb fb fb fb fb fb fb
0x1ff9b087df00: fa fa fa fa fa fa fa fa
0x1ff9b087df08: fa fa fa fa fa fa fa fa
Updated•13 years ago
Assignee: nobody → jmuizelaar
Comment 1•13 years ago
Jeff, how would you sec rate this one?
Comment 2•13 years ago
I think this is the same as bug 783041 - I can't reproduce in a recent Linux64 debug ASAN build, but after backing out 783041 locally the bug occurs. My analysis: bug 783041 comment 7 and 11 (not exploitable).
Abhishek, can you confirm it doesn't occur in a recent build?
Comment 3•13 years ago (Reporter)
Can you cc me on 783041? BTW, I can't reproduce this anymore, so this looks fixed.
Comment 4•13 years ago
Ok, thanks for testing. Resolving as fixed by bug 783041.
Status: NEW → RESOLVED
Closed: 13 years ago
Depends on: 783041
Resolution: --- → FIXED
Whiteboard: [asan] → [asan] fixed by bug 783041
Comment 5•13 years ago
If this bug is resolved as fixed by bug 783041, is it similarly sec-other? Does that mean this isn't exploitable?
Comment 6•13 years ago
Yes, yes. You can dupe it forward if it helps tracking.
Updated•13 years ago
status-firefox-esr10: --- → unaffected
Updated•10 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release