Bug 776327 - out-of-bound read in gfxTextRun::GetAdvanceForGlyphs (SVG tspan)
Status: Closed, VERIFIED FIXED
Opened 12 years ago; Closed 12 years ago
Categories: Core :: SVG, defect
Tracking: Target Milestone mozilla17
People: Reporter: inferno, Assigned: MatsPalmgren_bugz
Details: 5 keywords, Whiteboard: [adv-track-main17-]
Attachments (2 files):
- 767 bytes, image/svg+xml
- 1.11 KB, patch; flags: jwatt: review+, akeybl: approval-mozilla-aurora-, akeybl: approval-mozilla-beta-, akeybl: approval-mozilla-esr10-
Reproduces on trunk. 446b788ab99d (opt), built on 20120721
=================================================================
==22554== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f5152eb6600 at pc 0x7f5181111b01 bp 0x7fffac9df210 sp 0x7fffac9df208
READ of size 4 at 0x7f5152eb6600 thread T0
    #0 0x7f5181111b01 in gfxShapedWord::CompressedGlyph::IsSimpleGlyph() const asn1cmn.c:0
    #1 0x7f518bfa1514 in gfxTextRun::GetAdvanceForGlyphs(unsigned int, unsigned int) src/gfx/thebes/gfxFont.cpp:4466
    #2 0x7f518bfb59dd in gfxTextRun::GetAdvanceWidth(unsigned int, unsigned int, gfxTextRun::PropertyProvider*) src/gfx/thebes/gfxFont.cpp:5056
    #3 0x7f518626ab95 in nsSVGGlyphFrame::GetSubStringAdvance(unsigned int, unsigned int, float) src/layout/svg/base/src/nsSVGGlyphFrame.cpp:817
    #4 0x7f5186278266 in nsSVGGlyphFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGGlyphFrame.cpp:1373
    #5 0x7f51862784f8 in non-virtual thunk to nsSVGGlyphFrame::GetSubStringLength(unsigned int, unsigned int) asn1cmn.c:0
    #6 0x7f51862feb12 in nsSVGTextContainerFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTextContainerFrame.cpp:222
    #7 0x7f5186312e3b in nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTSpanFrame.cpp:124
    #8 0x7f5186312f88 in non-virtual thunk to nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) asn1cmn.c:0
    #9 0x7f51862feb12 in nsSVGTextContainerFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTextContainerFrame.cpp:222
    #10 0x7f5186312e3b in nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTSpanFrame.cpp:124
    #11 0x7f5186a50adb in nsSVGTextContentElement::GetSubStringLength(unsigned int, unsigned int, float*) src/content/svg/content/src/nsSVGTextContentElement.cpp:74
    #12 0x7f5186a47d42 in nsSVGTSpanElement::GetSubStringLength(unsigned int, unsigned int, float*) src/content/svg/content/src/nsSVGTSpanElement.cpp:37
    #13 0x7f5186a4e2ab in non-virtual thunk to nsSVGTSpanElement::GetSubStringLength(unsigned int, unsigned int, float*) asn1cmn.c:0
    #14 0x7f518ba76bca in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:161
    #15 0x7f51870c774b in CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:2416
    #16 0x7f518712ead4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
    #17 0x7f51925f2587 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:382
    #18 0x7f5192569593 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2426
    #19 0x7f51924f0725 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:302
    #20 0x7f51925f29a9 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:356
    #21 0x7f5191f28430 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #22 0x7f51925f7b0d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #23 0x7f5191dd30d9 in JS_CallFunctionValue src/js/src/jsapi.cpp:5572
    #24 0x7f5187076b1e in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1436
    #25 0x7f518701ca18 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:580
    #26 0x7f518ba7c780 in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
    #27 0x7f518ba79f17 in SharedStub src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #28 0x7f5182eb0bb3 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:794
    #29 0x7f5182eb207a in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:867
    #30 0x7f5183060c97 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:144
    #31 0x7f518304f936 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:185
    #32 0x7f518304d49c in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:313
    #33 0x7f5183052fb0 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:634
    #34 0x7f5183057544 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/content/events/src/nsEventDispatcher.cpp:697
    #35 0x7f51823fdde3 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/content/base/src/nsINode.cpp:1079
    #36 0x7f5181f41612 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3428
    #37 0x7f5181f40aa6 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3398
    #38 0x7f51821496c6 in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4131
    #39 0x7f51822098e9 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:349
    #40 0x7f518b9778fd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:625
    #41 0x7f518b6066ad in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
    #42 0x7f518a5a5ce6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #43 0x7f518bc29b9a in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:209
    #44 0x7f518bc299e3 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:202
    #45 0x7f518bc298c8 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:176
    #46 0x7f5189aafc8e in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #47 0x7f5188702eb8 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:257
    #48 0x7f517ee90d20 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3787
    #49 0x7f517ee976c2 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3864
    #50 0x7f517ee9ab92 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3940
    #51 0x40c28f in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:160
    #52 0x409cbd in main src/browser/app/nsBrowserApp.cpp:298
    #53 0x7f519ba4fc4d in ?? ??:0
0x7f5152eb6600 is located 0 bytes to the right of 128-byte region [0x7f5152eb6580,0x7f5152eb6600)
allocated by thread T0 here:
    #0 0x4a4452 in __interceptor_malloc ??:0
    #1 0x7f51988dba23 in moz_malloc src/memory/mozalloc/mozalloc.cpp:64
    #2 0x7f518bf9bd16 in gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) src/gfx/thebes/gfxFont.cpp:4284
    #3 0x7f518bf7ee7f in gfxTextRun::Create(gfxTextRunFactory::Parameters const*, unsigned int, gfxFontGroup*, unsigned int) src/gfx/thebes/gfxFont.cpp:4301
    #4 0x7f518bf88206 in gfxFontGroup::MakeTextRun(unsigned short const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) src/gfx/thebes/gfxFont.cpp:3394
    #5 0x7f5186270eff in nsSVGGlyphFrame::EnsureTextRun(float*, float*, bool) src/layout/svg/base/src/nsSVGGlyphFrame.cpp:1630
    #6 0x7f5186278182 in nsSVGGlyphFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGGlyphFrame.cpp:1370
    #7 0x7f51862784f8 in non-virtual thunk to nsSVGGlyphFrame::GetSubStringLength(unsigned int, unsigned int) asn1cmn.c:0
    #8 0x7f51862feb12 in nsSVGTextContainerFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTextContainerFrame.cpp:222
    #9 0x7f5186312e3b in nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTSpanFrame.cpp:124
    #10 0x7f5186312f88 in non-virtual thunk to nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) asn1cmn.c:0
    #11 0x7f51862feb12 in nsSVGTextContainerFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTextContainerFrame.cpp:222
    #12 0x7f5186312e3b in nsSVGTSpanFrame::GetSubStringLength(unsigned int, unsigned int) src/layout/svg/base/src/nsSVGTSpanFrame.cpp:124
    #13 0x7f5186a50adb in nsSVGTextContentElement::GetSubStringLength(unsigned int, unsigned int, float*) src/content/svg/content/src/nsSVGTextContentElement.cpp:74
    #14 0x7f5186a47d42 in nsSVGTSpanElement::GetSubStringLength(unsigned int, unsigned int, float*) src/content/svg/content/src/nsSVGTSpanElement.cpp:37
    #15 0x7f5186a4e2ab in non-virtual thunk to nsSVGTSpanElement::GetSubStringLength(unsigned int, unsigned int, float*) asn1cmn.c:0
    #16 0x7f518ba76bca in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:161
    #17 0x7f51870c774b in CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:2416
    #18 0x7f518712ead4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
    #19 0x7f51925f2587 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:382
    #20 0x7f5192569593 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2426
    #21 0x7f51924f0725 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:302
    #22 0x7f51925f29a9 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:356
    #23 0x7f5191f28430 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #24 0x7f51925f7b0d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
==22554== ABORTING
Stats: 153M malloced (169M for red zones) by 363492 calls
Stats: 38M realloced by 19857 calls
Stats: 112M freed by 234503 calls
Stats: 0M really freed by 0 calls
Stats: 348M (89136 full pages) mmaped in 87 calls
  mmaps   by size class: 8:294894; 9:49146; 10:20475; 11:20470; 12:3072; 13:2048; 14:1536; 15:384; 16:640; 17:128; 18:160; 19:40; 20:12;
  mallocs by size class: 8:275303; 9:44650; 10:17171; 11:19287; 12:2608; 13:1817; 14:1413; 15:302; 16:631; 17:98; 18:160; 19:40; 20:12;
  frees   by size class: 8:163675; 9:36266; 10:13739; 11:16083; 12:1653; 13:906; 14:1216; 15:253; 16:527; 17:88; 18:50; 19:38; 20:9;
  rfrees  by size class:
Stats: malloc large: 310 small slow: 1941
Shadow byte and word:
  0x1fea2a5d6cc0: fa
  0x1fea2a5d6cc0: fa fa fa fa fa fa fa fa
More shadow bytes:
  0x1fea2a5d6ca0: fa fa fa fa fa fa fa fa
  0x1fea2a5d6ca8: fa fa fa fa fa fa fa fa
  0x1fea2a5d6cb0: 00 00 00 00 00 00 00 00
  0x1fea2a5d6cb8: 00 00 00 00 00 00 00 00
=>0x1fea2a5d6cc0: fa fa fa fa fa fa fa fa
  0x1fea2a5d6cc8: fa fa fa fa fa fa fa fa
  0x1fea2a5d6cd0: fd fd fd fd fd fd fd fd
  0x1fea2a5d6cd8: fd fd fd fd fd fd fd fd
  0x1fea2a5d6ce0: fa fa fa fa fa fa fa fa
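Two things in the report above are worth reading off before looking at any patch: the faulting read is 4 bytes wide inside CompressedGlyph::IsSimpleGlyph(), and it lands 0 bytes to the right of the region that gfxTextRun::AllocateStorageForTextRun handed out, i.e. at the first byte past the allocation rather than somewhere wild. That is the signature of a character range that was forwarded down the nested tspan frames without being clamped to the length of the child run it finally reaches. The C below is an added illustration of that pattern and its fix; it is not Mozilla's code and not attachment 645638. The TextRun type, the 4-byte glyph word and its advance encoding, the function names and the sample runs are all assumptions made for the example. It shows the unchecked walk (which reproduces the report's shape when given count == length - start + 1), the clamped form, and a container-level forwarder that maps a request for [charnum, charnum + nchars) into each child's index space, returning -1 where the DOM layer would raise IndexSizeError.

```c
#include <stdint.h>
#include <stdlib.h>

/* Illustrative model (not Mozilla's types): a shaped run stores one 4-byte
 * glyph word per character, so reading entry `length` is a 4-byte read at
 * exactly the end of the allocation, as in the ASan report above. */
typedef struct {
    uint32_t *glyphs;   /* one 4-byte entry per character */
    uint32_t  length;   /* number of characters (and entries) in the run */
} TextRun;

/* Toy advance: low 16 bits of the glyph word (encoding is an assumption). */
static uint32_t glyph_advance(uint32_t g) { return g & 0xFFFFu; }

/* Build a run of n characters whose glyph i has advance 10 + i.
 * The buffer is exactly n * 4 bytes; ASan reports a read of index n as
 * "0 bytes to the right" of the region. (Constructed sample data.) */
static TextRun make_run(uint32_t n)
{
    TextRun run;
    run.length = n;
    run.glyphs = (uint32_t *)malloc((size_t)n * sizeof(uint32_t));
    for (uint32_t i = 0; run.glyphs && i < n; i++)
        run.glyphs[i] = 10u + i;
    return run;
}

static void free_run(TextRun *run)
{
    free(run->glyphs);
    run->glyphs = NULL;
    run->length = 0;
}

/* The hazardous shape: trust a (start, count) range handed down from the
 * DOM and walk it. If start + count exceeds length the loop reads past the
 * allocation. Kept only to show the pattern; never call it with a range
 * that has not been validated against run->length. */
static uint32_t advance_unchecked(const TextRun *run, uint32_t start, uint32_t count)
{
    uint32_t total = 0;
    for (uint32_t i = start; i < start + count; i++)
        total += glyph_advance(run->glyphs[i]);
    return total;
}

/* Hardened form: reject a start at or past the end, then clamp count to the
 * characters that remain. Establishing start < length first means
 * length - start cannot underflow, and clamping count also neutralises a
 * start + count that would wrap past UINT32_MAX. */
static uint32_t advance_checked(const TextRun *run, uint32_t start, uint32_t count)
{
    if (run->glyphs == NULL || start >= run->length)
        return 0;
    uint32_t avail = run->length - start;
    if (count > avail)
        count = avail;
    uint32_t total = 0;
    for (uint32_t i = 0; i < count; i++)
        total += glyph_advance(run->glyphs[start + i]);
    return total;
}

/* Container-level forwarding, the role the nsSVGTextContainerFrame frames
 * play in the trace: [charnum, charnum + nchars) spans several child runs
 * and must be translated into each child's local index space. Returns -1
 * when charnum is past the last character (the DOM layer would raise
 * IndexSizeError); nchars running past the end is clamped, not an error. */
static int64_t container_substring_advance(const TextRun *children, size_t nchildren,
                                           uint32_t charnum, uint32_t nchars)
{
    uint32_t total_chars = 0;
    for (size_t c = 0; c < nchildren; c++)
        total_chars += children[c].length;
    if (charnum >= total_chars)
        return -1;

    int64_t  sum = 0;
    uint32_t offset = 0;       /* global index of the current child's first char */
    uint32_t pos = charnum;    /* next global index still to be measured */
    uint32_t remaining = nchars;
    for (size_t c = 0; c < nchildren && remaining > 0; c++) {
        const TextRun *run = &children[c];
        uint32_t end = offset + run->length;
        if (pos >= end) {      /* the range begins after this child */
            offset = end;
            continue;
        }
        uint32_t local_start = pos - offset;          /* pos >= offset holds here */
        uint32_t take = run->length - local_start;    /* what this child can supply */
        if (take > remaining)
            take = remaining;
        sum += advance_checked(run, local_start, take);
        pos += take;
        remaining -= take;
        offset = end;
    }
    return sum;
}
```

Compiled with -fsanitize=address, calling advance_unchecked on a 32-entry run with start 31 and count 2 produces the same "READ of size 4 ... 0 bytes to the right of 128-byte region" shape as the report; the checked functions return 0 or a clamped sum for every range instead.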
Updated•12 years ago (by assignee)
Comment 1•12 years ago (by assignee)
https://tbpl.mozilla.org/?usebuildbot=1&tree=Try&rev=54630c3e3c92
Assignee: nobody → matspal
Updated•12 years ago (by assignee)
Attachment #645638 - Flags: review?(jwatt)
Comment 2•12 years ago (by assignee)
It looks non-exploitable to me - I think it's just a DoS crash. It probably affects all versions since the error dates back to 2006-06-28.
status-firefox-esr10: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → affected
tracking-firefox16: --- → ?
Keywords: sec-other
Comment 3•12 years ago
Comment on attachment 645638 [details] [diff] [review] fix
> the error dates back to 2006-06-28
Crazy.
Attachment #645638 - Flags: review?(jwatt) → review+
Comment 4•12 years ago
heycam: dunno if this impacts you, or if you need to apply this fix to your work, or not.
Comment 5•12 years ago (by assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/aed8e7564f57
Flags: in-testsuite?
Target Milestone: --- → mozilla17
Comment 6•12 years ago
Thanks for the pointer. My GetSubStringLength is different enough now that it's all processed by the one frame, so I think I don't have this bug.
Comment 7•12 years ago
https://hg.mozilla.org/mozilla-central/rev/aed8e7564f57
Comment 8•12 years ago (by assignee)
Comment on attachment 645638 [details] [diff] [review] fix
Low risk crash fix.
Attachment #645638 - Flags: approval-mozilla-esr10?
Attachment #645638 - Flags: approval-mozilla-beta?
Attachment #645638 - Flags: approval-mozilla-aurora?
Comment 9•12 years ago
Comment on attachment 645638 [details] [diff] [review] fix
[Triage Comment]
Long standing error, non-exploitable, no need to take on branches.
Attachment #645638 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10-
Attachment #645638 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Attachment #645638 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Updated•12 years ago
Keywords: csec-dos
Summary: Heap-buffer-overflow in gfxTextRun::GetAdvanceForGlyphs (SVG tspan) → out-of-bound read in gfxTextRun::GetAdvanceForGlyphs (SVG tspan)
Updated•12 years ago
Whiteboard: [adv-track-main17+]
Updated•12 years ago
Alias: CVE-2012-4211
Updated•12 years ago
Whiteboard: [adv-track-main17+] → [adv-track-main17-]
Comment 12•12 years ago
Confirmed crash on build 2012-7-22, nightly
Verified fixed on build 2012-11-13, 17.0b6
Verified fixed on build 2012-11-19, 17.0esr
Status: RESOLVED → VERIFIED
Updated•11 years ago
Group: core-security
Flags: sec-bounty-