Closed
Bug 802638
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free/heap-buffer-overflow in nsRegion::nsRectFast::Intersects, with SVG markers
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 795734
| Tracking | Status | |
|---|---|---|
| firefox16 | --- | unaffected |
| firefox17 | --- | unaffected |
| firefox18 | --- | fixed |
| firefox19 | + | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: ax330d, Assigned: jwatt)
References
Details
(4 keywords, Whiteboard: [fixed by bug 807213][adv-main18-])
Attachments
(3 files)
ASan detects two types of issues while running attached test-case: use-after-free or heap-buffer-overflow. It may also crash while trying to access address like 0x003c000000b8 (rarely in case). Sorry for not badly reduced test-case - depending on minimized version, ASan may report one of those issues.
Test-case tested on http://hg.mozilla.org/mozilla-central/rev/942ed5747b63. Crashes also on Windows version 19.0a1 (2012-10-17), but for Windows stack looks bit different.
|
Reporter | |
Comment 1•12 years ago
|
||
|
||
Updated•12 years ago
|
Component: Untriaged → Graphics
Product: Firefox → Core
|
||
Updated•12 years ago
|
Component: Graphics → SVG
|
|
||
Comment 2•12 years ago
|
||
In my debug build, I hit this NS_ABORT_IF_FALSE before crashing, when the title of the tab reaches "47":
###!!! ABORT: Passed bad frame!: 'aFrame->IsFrameOfType(nsIFrame::eSVG) && !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)', file /mozilla/layout/svg/nsSVGUtils.cpp, line 385
|
|
||
Comment 3•12 years ago
|
||
(er s/before crashing/and abort instead of crashing/)
|
|
||
Comment 4•12 years ago
|
||
|
|
||
Comment 5•12 years ago
|
||
The frame failing the check there is a nsSVGOuterSVGFrame, which makes me wonder if this is a dupe of bug 798010. (same frame, failing the same assertion, per bug 798010 comment 5 - 6).
Marking as dependency now, to establish a relationship. When that bug is fixed, we can see if it fixes this bug as well.
Depends on: 798010
Whiteboard: [possible dupe of bug bug 798010?]
|
||
Updated•12 years ago
|
Keywords: sec-critical
|
|
||
Comment 6•12 years ago
|
||
(In reply to Daniel Holbert [:dholbert] from comment #5)
> The frame failing the check there is a nsSVGOuterSVGFrame, which makes me
> wonder if this is a dupe of bug 798010.
More confirmation of this suspicion: up a few levels from the abort, we're in nsSVGMarkerProperty::DoUpdate() -- and bug 798010 involves SVG markers. So: likely a dupe, at least for that first abort.
Summary: Heap-use-after-free/heap-buffer-overflow in nsRegion::nsRectFast::Intersects → Heap-use-after-free/heap-buffer-overflow in nsRegion::nsRectFast::Intersects, with SVG markers
|
||
Updated•12 years ago
|
Assignee: nobody → jwatt
|
||
Updated•12 years ago
|
status-firefox19:
--- → affected
tracking-firefox19:
--- → +
|
Assignee | |
Comment 7•12 years ago
|
||
Almost certainly fixed by bug 807213, but I won't have an updated ASAN build to check until tomorrow.
Whiteboard: [possible dupe of bug bug 798010?] → [possible dupe of bug bug 798010?][fix in bug 807213?]
|
|
Reporter | |
Comment 8•12 years ago
|
||
I guess patch has not landed in mozilla central yet, but just fyi - my test-case diesn't crash with uaf or hbo anymore - it is just a crash on unknown address. Build 2cb6d26fcfe7.
|
|
Assignee | |
Comment 9•12 years ago
|
||
(In reply to Arthur Gerkis from comment #8)
> I guess patch has not landed in mozilla central yet, but just fyi - my
> test-case diesn't crash with uaf or hbo anymore - it is just a crash on
> unknown address. Build 2cb6d26fcfe7.
I tested an ASAN build created after the fix in bug 807213 hand landed and it reported no issues. I've not tested a build prior to that, so maybe the issue had already been fixed though.
At any rate the fix in bug 807213 has now landed for 19, 18 and 17, and I couldn't reproduce any issue on the ASAN m-c build I created, so closing.
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox17:
--- → fixed
status-firefox18:
--- → fixed
Flags: in-testsuite?
Keywords: verifyme
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → ?
tracking-firefox-esr10:
--- → ?
Keywords: qawanted
QA Contact: mwobensmith
|
||
Comment 10•12 years ago
|
||
Did this affect Firefox 16 or ESR10? When did it start as an issue?
|
|
Assignee | |
Updated•12 years ago
|
|
||
Comment 11•12 years ago
|
||
Does not affect ESR10. Ran test case against 10.0.10 as well as 10.0.1 (for fun) and no crash.
tracking-firefox-esr10:
? → ---
|
||
Comment 12•12 years ago
|
||
I believe comment 11 addresses the qawanted request. Please re-add if there's something more we can do.
Keywords: qawanted
|
|
||
Updated•12 years ago
|
Whiteboard: [possible dupe of bug bug 798010?][fix in bug 807213?] → [possible dupe of bug bug 798010?][fix in bug 807213?][adv-main17+]
|
|
||
Updated•12 years ago
|
Whiteboard: [possible dupe of bug bug 798010?][fix in bug 807213?][adv-main17+] → [possible dupe of bug bug 798010?][fix in bug 807213?][adv-main18+]
|
|
||
Comment 13•12 years ago
|
||
Was this a dupe of bug 798010 or not?
|
|
||
Comment 14•12 years ago
|
||
(In reply to Jonathan Watt [:jwatt] from comment #9)
> I tested an ASAN build created after the fix in bug 807213 hand landed and
> it reported no issues. I've not tested a build prior to that, so maybe the
> issue had already been fixed though.
I tested a (non-ASAN) debug build, built from revision 734c42e76813 (bug 807213's fix), and it loads the testcase just fine -- no abort, no issues. If I revert that cset (going back in time by 1 commit), then the testcase triggers the abort that I mentioned in comment 2.
So -- bug 807213 is definitely what fixed that abort, and it's almost certainly what fixed the ASAN issue as well. Not sure if "dupe" is exactly right, since bug 807213 was more speculative & didn't have a testcase of its own (see bug 807213 comment 0), but I think it's definitely safe to say that this was fixed by that bug's patch.
|
|
||
Comment 15•12 years ago
|
||
Oh, I misread comment 13. As I was saying, this isn't exactly a dupe of bug 807213, but it is a dupe of bug 798010 and bug 795734. (marker-related security bugs fixed by bug 807213)
Marking as such.
Resolution: FIXED → DUPLICATE
Whiteboard: [possible dupe of bug bug 798010?][fix in bug 807213?][adv-main18+] → [fix in bug 807213?][adv-main18+]
|
|
||
Comment 16•12 years ago
|
||
Not writing an advisory for this because it was fixed by security bug 795734, which pre-dates this bug by a bit and is already getting an advisory.
Whiteboard: [fix in bug 807213?][adv-main18+] → [fix in bug 807213?][adv-main18-]
|
|
||
Updated•12 years ago
|
Whiteboard: [fix in bug 807213?][adv-main18-] → [fixed by bug 807213][adv-main18-]
|
|
Assignee | |
Comment 17•12 years ago
|
||
Thanks, Daniel.
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•