Closed Bug 803674 Opened 13 years ago Closed 13 years ago

Multiple issues related to mozilla::image

Categories

(Core :: Graphics: ImageLib, defect)

Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 804041

People

(Reporter: attekett, Unassigned)

Details

(Whiteboard: [sg:dupe 802168])

Attachments

(1 file)

I'm unable to get repro files for any of these issues, but they are detected by my fuzzers multiple times per day. These issues have been around for at least a few weeks, but I cannot provide a more accurate estimate of when they appeared. I think that these issues are regressions, because I have been fuzzing Firefox for some time without any major modifications to my testing system. All these issues popped up at about the same time, so they might be from the same changeset.

A few things about my testing system: I think these issues have something to do with the way I handle test case injection into the browser. I have a client-side HTML file which requests new test cases from a server via WebSocket. The test case is loaded into iframe.src, and a new test case is requested when the iframe emits its onload event. Test cases are generated from sample HTML files downloaded from all around the internet. My machines don't have an internet connection, and I haven't changed any sources for the original image files linked in the pages, so the <img> tags use sources that the browser can't reach, and the test cases are changing at a very fast pace. I have a script that is included in the source of each test case after the </body> tag:

function imgSrc(tag){tags=document.getElementsByTagName(tag); max=tags.length; for(i=0 ;i<max; i++){tags[i].src=''}} imgSrc("img") imgSrc("IMG")

All the reports are from an opt build, but I hope that these have enough information for you to at least have a look if there is some clear problem. I have included the full ASAN report as an attachment. I have multiple machines that build new ASAN builds from the mozilla-central repo asynchronously, so I can't provide the exact rev these reports are from. I hope that there is not much source drift in the files related to these issues.
==6394== ERROR: AddressSanitizer heap-use-after-free on address 0x7f96d527bad8 at pc 0x7f9706a286be bp 0x7fffba1b5a90 sp 0x7fffba1b5a88
READ of size 1 at 0x7f96d527bad8 thread T0
    #0 0x7f9706a286be in imgStatusTracker::GetRequest() const /home/attekett/firefox/src/image/src/imgStatusTracker.h:191
    #1 0x7f97069e325d in mozilla::image::RasterImage::Discard(bool) /home/attekett/firefox/src/image/src/RasterImage.cpp:2290
    #2 0x7f97069d3c48 in mozilla::image::DiscardTracker::DiscardNow() /home/attekett/firefox/src/image/src/DiscardTracker.cpp:272
    #3 0x7f970914ceff in nsTimerImpl::Fire() /home/attekett/firefox/src/xpcom/threads/nsTimerImpl.cpp:472
    #4 0x7f970914d3ce in ~nsRefPtr /home/attekett/firefox/src/../../dist/include/nsAutoPtr.h:873
    #5 0x7f9709098885 in NS_ProcessNextEvent_P(nsIThread*, bool) /home/attekett/firefox/src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:220
. . .

==23194== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f1f65ea65d8 at pc 0x7f1f8d43aff0 bp 0x7fffd1ec5850 sp 0x7fffd1ec5848
READ of size 1 at 0x7f1f65ea65d8 thread T0
    #0 0x7f1f8d43aff0 in nsAutoTObserverArray<imgRequestProxy*, 0u>::ForwardIterator::HasMore() const /home/attekett/firefox/src/../../dist/include/nsTArray.h:203
    #1 0x7f1f8d3f5bcd in mozilla::image::RasterImage::Discard(bool) /home/attekett/firefox/src/image/src/RasterImage.cpp:2289
    #2 0x7f1f8d3e65d8 in mozilla::image::DiscardTracker::DiscardNow() /home/attekett/firefox/src/image/src/DiscardTracker.cpp:272
    #3 0x7f1f8fb5c7df in nsTimerImpl::Fire() /home/attekett/firefox/src/xpcom/threads/nsTimerImpl.cpp:472
    #4 0x7f1f8fb5ccae in ~nsRefPtr /home/attekett/firefox/src/../../dist/include/nsAutoPtr.h:873
    #5 0x7f1f8faa8165 in NS_ProcessNextEvent_P(nsIThread*, bool) /home/attekett/firefox/src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:220
. . .

==21947== ERROR: AddressSanitizer heap-use-after-free on address 0x7f4578116cd8 at pc 0x7f459cef8742 bp 0x7fff950008f0 sp 0x7fff950008e8
READ of size 1 at 0x7f4578116cd8 thread T0
    #0 0x7f459cef8742 in imgStatusTrackerObserver::OnStartDecode() /home/attekett/firefox/src/image/src/imgRequest.h:94
    #1 0x7f459cea3d01 in mozilla::image::Decoder::Init() /home/attekett/firefox/src/image/src/Decoder.cpp:51
    #2 0x7f459ceb593b in mozilla::image::RasterImage::RequestDecodeCore(mozilla::image::RasterImage::RequestDecodeType) /home/attekett/firefox/src/image/src/RasterImage.cpp:2596
    #3 0x7f459d687eae in nsDocument::AddImage(imgIRequest*) /home/attekett/firefox/src/content/base/src/nsDocument.cpp:8431
    #4 0x7f459d3acb82 in nsStyleContext::PresContext() const /home/attekett/firefox/src/layout/style/nsStyleStruct.h:442
    #5 0x7f459d39d84f in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /home/attekett/firefox/src/layout/style/nsStyleStructList.h:79
. . .

==24761== ERROR: AddressSanitizer heap-use-after-free on address 0x7f812e8cffac at pc 0x7f81797d80c7 bp 0x7fff7daf8920 sp 0x7fff7daf8918
READ of size 4 at 0x7f812e8cffac thread T0
    #0 0x7f81797d80c7 in mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>::IsEmpty() const /home/attekett/firefox/src/../../dist/include/mozilla/gfx/BaseRect.h:69
    #1 0x7f81797e3612 in mozilla::image::RasterImage::GetCurrentImgFrameIndex() const /home/attekett/firefox/src/image/src/RasterImage.cpp:686
0x7f812e8cffac is located 44 bytes inside of 112-byte region [0x7f812e8cff80,0x7f812e8cfff0)
freed by thread T0 here:
    #0 0x422b42 in free ??:0
    #1 0x7f81797da064 in nsTArray_base<nsTArrayDefaultAllocator>::Length() const /home/attekett/firefox/src/../../dist/include/nsTArray.h:203
previously allocated by thread T0 here:
    #0 0x422c02 in malloc ??:0
    #1 0x7f81820d5358 in moz_xmalloc /home/attekett/firefox/src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7f81797e318d in mozilla::image::RasterImage::EnsureFrame(unsigned int, int, int, int, int, gfxASurface::gfxImageFormat, unsigned char, unsigned char**, unsigned int*, unsigned int**, unsigned int*) /home/attekett/firefox/src/image/src/RasterImage.cpp:1232
. . .

==21693== ERROR: AddressSanitizer heap-use-after-free on address 0x7f85d0b9aef8 at pc 0x7f86125784a8 bp 0x7fff4e1afe10 sp 0x7fff4e1afe08
WRITE of size 8 at 0x7f85d0b9aef8 thread T0
    #0 0x7f86125784a8 in mozilla::image::DiscardTracker::MaybeDiscardSoon() /home/attekett/firefox/src/image/src/DiscardTracker.cpp:289
0x7f85d0b9aef8 is located 120 bytes inside of 320-byte region [0x7f85d0b9ae80,0x7f85d0b9afc0)
freed by thread T0 here:
    #0 0x422b42 in free ??:0
    #1 0x7f8612578f59 in mozilla::image::RasterImage::Release() /home/attekett/firefox/src/image/src/RasterImage.cpp:339
    #2 0x7f86125b606f in operator delete(void*) /home/attekett/firefox/src/../../dist/include/mozilla/mozalloc.h:224
previously allocated by thread T0 here:
    #0 0x422c02 in malloc ??:0
    #1 0x7f861aea5358 in moz_xmalloc /home/attekett/firefox/src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f861206dfbb in nsBaseChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /home/attekett/firefox/src/netwerk/base/src/nsBaseChannel.cpp:793
    #3 0x7f8612088e98 in nsInputStreamPump::OnStateTransfer() /home/attekett/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:482
    #4 0x7f8612088663 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /home/attekett/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:371
    #5 0x7f8614cc9d73 in nsCOMPtr<nsIInputStreamCallback>::operator=(nsIInputStreamCallback*) /home/attekett/firefox/src/../../dist/include/nsCOMPtr.h:622
. . .
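The injection scheme the reporter describes (a WebSocket feeder, navigation via iframe.src, request-on-onload, and blanking every <img src> so the offline browser never fetches anything) as an added example. This is not the reporter's harness and not part of the bug; the WebSocket message format ({"url": "..."}), the server endpoint, the iframe id, the watchdog timeout and all function names are assumptions. It goes beyond the comment in two ways: the sources can be blanked in the test case text before the parser sees them, or left to an in-page script that runs after the elements exist and their loads have started (the reporter's method), and a watchdog skips a case that never fires onload so a hang does not stall the run.

```javascript
// Added example, not the reporter's harness. Everything here is assumed:
// the WebSocket message format ({"url": "..."}), the server endpoint, the
// iframe id, the watchdog timeout and all function names.

// --- 1. Test case preparation -------------------------------------------
// Blank every <img src> so an offline browser never issues a fetch for it.
// Matches src="...", src='...' and bare src=...; the leading \s keeps
// data-src= and srcset= untouched.
const IMG_SRC_RE = /(<img\b[^>]*?\ssrc\s*=\s*)(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;

function neutralizeImageSources(html) {
  return html.replace(IMG_SRC_RE, '$1""');
}

// In-page variant, appended after </body> as the reporter does. In an HTML
// document getElementsByTagName() is case-insensitive, so "img" also
// covers <IMG>. The '<\/script>' escape keeps this safe inside inline JS.
const INPAGE_SCRIPT =
  '<script>' +
  'function imgSrc(tag){var tags=document.getElementsByTagName(tag);' +
  'for(var i=0,max=tags.length;i<max;i++){tags[i].src="";}}' +
  'imgSrc("img");' +
  '<\/script>';

// rewriteBeforeLoad=true blanks the sources before the parser ever sees
// them; false leaves that to the in-page script, which runs after the
// elements exist and their loads have started (a different code path).
function prepareTestcase(html, { rewriteBeforeLoad = true } = {}) {
  const page = rewriteBeforeLoad ? neutralizeImageSources(html) : html;
  const m = /<\/body\s*>/i.exec(page);
  if (m === null) return page + INPAGE_SCRIPT;   // no </body>: just append
  const cut = m.index + m[0].length;
  return page.slice(0, cut) + INPAGE_SCRIPT + page.slice(cut);
}

// --- 2. Client-side feeder loop ------------------------------------------
// The browser objects are injected so the loop can be driven with fakes.
function createHarness({ iframe, socket, setTimer, clearTimer, watchdogMs = 5000 }) {
  const state = { requested: 0, loaded: 0, timedOut: 0, current: null };
  let timer = null;

  function disarm() {
    if (timer !== null) { clearTimer(timer); timer = null; }
  }

  // Ask the server for the next case; seq lets a crash report be matched
  // back to the case that was on screen when the browser died.
  function requestNext() {
    disarm();
    state.requested++;
    socket.send(JSON.stringify({ cmd: 'next', seq: state.requested }));
  }

  socket.onmessage = (ev) => {
    const msg = JSON.parse(ev.data);
    state.current = msg.url;
    // A case that never fires onload (hang, modal dialog, endless redirect)
    // must not stall the run: skip it when the watchdog fires.
    timer = setTimer(() => { timer = null; state.timedOut++; requestNext(); }, watchdogMs);
    iframe.src = msg.url;                 // navigate the frame to the new case
  };

  iframe.onload = () => {
    state.loaded++;
    requestNext();                        // next case only once this one loaded
  };

  socket.onopen = requestNext;
  return { state, requestNext };
}

// In a browser, wire the real objects (id and endpoint are assumptions).
if (typeof window !== 'undefined' && typeof WebSocket !== 'undefined') {
  createHarness({
    iframe: document.getElementById('target'),
    socket: new WebSocket('ws://127.0.0.1:8080/'),
    setTimer: setTimeout,
    clearTimer: clearTimeout,
  });
}
```

The two blanking modes are not equivalent for the browser: when the script after </body> runs, the parser has already created each <img> and started its load, and setting src="" then cancels that in-flight request, whereas a source blanked in the text never produces a request at all. Since the reporter suspects the injection method matters and has no repro files, a harness that can switch between the two, and that tags every request with a sequence number the server can log next to the ASAN report, gives the next person something to bisect against.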
This looks like a bunch of stuff we've been fixing over the past couple of days.
Really good news! I thought that I would need to find some way around these because I have no repro-files or any more specific information you could work with.
Cool. Joe, can you resolve/dupe this?
Whiteboard: dupeme
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: dupeme → [sg:dupe 802168]
Group: core-security