Closed
Bug 826980
Opened 12 years ago
Closed 11 years ago
Crash with large canvas, stroke
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Assigned: u480271)
References
Details
(Keywords: crash, sec-high, testcase)
Crash Data
Attachments
(5 files, 3 obsolete files)
In a debug build:
* Under mozilla::dom::CanvasRenderingContext2D::Stroke:
* mozilla::gfx::DrawTargetCG::Init encounters OOM, but does not crash
* CGBlt_copyBytes (in CoreGraphics) crashes accessing a bogus address
In a nightly build:
* Might hang.
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
|
|
Reporter | |
Comment 3•12 years ago
|
||
Tested on Mac OS X 10.7.5.
|
||
Comment 4•12 years ago
|
||
If we're really carrying on and then using something we failed to allocate that would be sec-critical bad, but can't tell if that's really the case.
Assignee: nobody → milan
|
||
Comment 5•12 years ago
|
||
The code is certainly suspect; on the Mac, for instance, we follow the failed "surface size check" with
unsigned int width = static_cast<unsigned int>(-1);
and on the windows it may assume you have a 1 pixel image running top down. So, I'm probably not reading the code correctly, as it surely can't be this bad.
|
|
||
Comment 6•12 years ago
|
||
I don't see mCG initialized to nullptr anywhere in the constructor and it looks like there might be paths where it ends up being used uninitialized. There are asserts that mCG isn't null at a couple of places, but that seems to assume mCG starts out as null (in a couple of places it's checking null as an error return value, but not always).
Keywords: sec-high
|
|
||
Updated•12 years ago
|
Assignee: milan → bgirard
|
|
||
Comment 7•12 years ago
|
||
Is this a dup of bug 818241?
|
|
Reporter | |
Comment 8•12 years ago
|
||
I can still reproduce this bug, so no.
|
|
Reporter | |
Comment 9•12 years ago
|
||
But only on Mac OS X 10.7, not 10.8?
|
|
||
Comment 10•12 years ago
|
||
BenWa, have you had a chance to look at this? We're trying to sort critical and high within six weeks of being identified as gfx, and that's tomorrow :-)
Flags: needinfo?(bgirard)
|
||
Comment 11•12 years ago
|
||
Attachment #715572 -
Flags: review?(jmuizelaar)
Flags: needinfo?(bgirard)
|
||
Comment 12•12 years ago
|
||
Comment on attachment 715572 [details] [diff] [review]
patch
Review of attachment 715572 [details] [diff] [review]:
-----------------------------------------------------------------
::: gfx/2d/DrawTargetCG.cpp
@@ +912,5 @@
> if (aData == nullptr && aType != BACKEND_COREGRAPHICS_ACCELERATED) {
> // XXX: Currently, Init implicitly clears, that can often be a waste of time
> mData = calloc(aSize.height * aStride, 1);
> + if (!mData) {
> + mColorSpace = nullptr;
This leaks mColorSpace
@@ +936,5 @@
> // and we will fallback to software below
> mData = nullptr;
> }
>
> if (!mCg || aType == BACKEND_COREGRAPHICS) {
The control flow here has become pretty confusing. Please fix it up.
Attachment #715572 -
Flags: review?(jmuizelaar) → review-
|
||
Comment 13•12 years ago
|
||
Did the patch review cycle break down here or something else?
|
|
||
Comment 14•12 years ago
|
||
Opps. I'll finish this up!
|
|
||
Comment 15•12 years ago
|
||
better control flow.
Attachment #715572 -
Attachment is obsolete: true
Attachment #740397 -
Flags: review?(jmuizelaar)
|
|
||
Comment 16•12 years ago
|
||
Comment on attachment 740397 [details] [diff] [review]
patch
Review of attachment 740397 [details] [diff] [review]:
-----------------------------------------------------------------
::: gfx/2d/DrawTargetCG.cpp
@@ -898,1 @@
> mColorSpace = nullptr;
It would be better to split out Init into different functions for the Backend types instead of trying to munge both of them together. Unfortunately we'll need to duplicate the size check. However, I think that's ok.
@@ +921,5 @@
> + mColorSpace = nullptr;
> + mCg = nullptr;
> + mData = nullptr;
> + return false;
> + }
This should move up close to the return at the top of the function.
Attachment #740397 -
Flags: review?(jmuizelaar) → review-
|
|
||
Comment 17•12 years ago
|
||
Attachment #740397 -
Attachment is obsolete: true
|
|
||
Updated•12 years ago
|
Attachment #741885 -
Flags: review?(jmuizelaar)
|
|
||
Comment 18•12 years ago
|
||
Comment on attachment 741885 [details] [diff] [review]
patch v2
Review of attachment 741885 [details] [diff] [review]:
-----------------------------------------------------------------
::: gfx/2d/DrawTargetCG.cpp
@@ +189,1 @@
> }
You could drop the return nullptr to the bottom of the function avoiding the need to duplicate it.
Attachment #741885 -
Flags: review?(jmuizelaar) → review+
|
|
||
Comment 19•12 years ago
|
||
Attachment #741885 -
Attachment is obsolete: true
Attachment #743195 -
Flags: review+
|
|
||
Comment 20•12 years ago
|
||
|
|
Reporter | |
Comment 21•12 years ago
|
||
That try job failed. BenWa, are you going to try again?
|
||
Updated•12 years ago
|
Flags: needinfo?(bjacob)
|
||
Comment 22•12 years ago
|
||
Did you mean to CC the other Benoit ? ;-)
Flags: needinfo?(bjacob) → needinfo?(bgirard)
|
|
||
Comment 23•12 years ago
|
||
One cannot have too many Benoits but yes.
|
|
||
Comment 24•11 years ago
|
||
Benoit *bump* - ready for another try run?
|
|
||
Comment 25•11 years ago
|
||
Hey, can we get another try run and maybe get this old sec-high security issue fixed?
Flags: needinfo?(milan)
|
|
||
Comment 26•11 years ago
|
||
Is this still a problem? That code has changed since then, and I can't reproduce the crash or the hang.
Flags: needinfo?(milan)
Flags: needinfo?(bgirard)
|
|
Reporter | |
Comment 28•11 years ago
|
||
Yes, the testcase still crashes debug builds for me.
Flags: needinfo?(jruderman)
|
|
||
Comment 29•11 years ago
|
||
(In reply to Jesse Ruderman from comment #28)
> Created attachment 8338716 [details]
> 10.9 stack (lldb)
>
> Yes, the testcase still crashes debug builds for me.
Milan, Jesse, please report to the octagon.
|
|
Reporter | |
Comment 30•11 years ago
|
||
I can still reproduce now that I'm on Mac OS X 10.9, fwiw.
|
||
Comment 31•11 years ago
|
||
Benoit, are you going to be able to finish this soon, or should we find somebody else? The bug is over a year old.
Flags: needinfo?(bgirard)
|
|
||
Comment 32•11 years ago
|
||
This bug is important but I haven't found the time to deal with it. We're pushing an important feature on b2g and I can't find time to look at this.
If we can reassign that would be great.
Flags: needinfo?(bgirard)
|
|
||
Comment 33•11 years ago
|
||
Is there somebody else who could work on this, Milan? Thanks.
Flags: needinfo?(milan)
|
|
||
Comment 34•11 years ago
|
||
Dan, can you reproduce this? I instead just get:
Surface size too large (allocation size would overflow int32_t)!
message and nothing bad happens.
Clean profile?
Assignee: bgirard → dglastonbury
Flags: needinfo?(milan)
|
Assignee | |
Comment 35•11 years ago
|
||
I'll take a look at trying to repro.
|
|
Assignee | |
Comment 36•11 years ago
|
||
Tested nightly on OSX 10.6.8 & 10.9.2 as well as a debug build. All builds were fine. Does this bug need to be marked WFM?
Flags: needinfo?(milan)
|
|
||
Comment 38•11 years ago
|
||
Still WFM, but I will try asan build, see what happens.
Flags: needinfo?(milan)
|
|
||
Updated•11 years ago
|
Group: gfx-core-security
|
|
Reporter | |
Comment 39•11 years ago
|
||
I can't reproduce this any more. (Still on 10.9.)
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(jruderman)
Resolution: --- → WORKSFORME
|
|
||
Updated•10 years ago
|
Group: gfx-core-security
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•