Closed
Bug 850951
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in imgStatusTracker::OnStopRequest
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
RESOLVED
FIXED
mozilla22
Flag | Tracking | Status
---|---|---
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People
(Reporter: inferno, Unassigned)
References
Details
(6 keywords, Whiteboard: [asan] fixed by bug 847630, regressed from bug 704059)
Attachments
(1 file)
1.53 KB,
application/x-zip-compressed
You need to have the fuzzPriv extension to force GC.
==16261== ERROR: AddressSanitizer: heap-use-after-free on address 0x600e002de940 at pc 0x7fc4b40623a4 bp 0x7fffb4e706f0 sp 0x7fffb4e706e8
READ of size 8 at 0x600e002de940 thread T0
#0 0x7fc4b40623a3 in imgStatusTracker::OnStopRequest(bool, tag_nsresult) ../../dist/include/nsTArray.h:277
#1 0x7fc4b401c683 in mozilla::image::VectorImage::OnSVGDocumentLoaded() image/src/VectorImage.cpp:928
#2 0x7fc4b401cce5 in mozilla::image::SVGLoadEventListener::HandleEvent(nsIDOMEvent*) image/src/VectorImage.cpp:192
#3 0x7fc4b4b8ec4b in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:923
#4 0x7fc4b4bec2be in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) content/events/src/nsEventListenerManager.h:278
#5 0x7fc4b4beb313 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:325
#6 0x7fc4b4bef348 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) content/events/src/nsEventDispatcher.cpp:631
#7 0x7fc4b4bf0184 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) content/events/src/nsEventDispatcher.cpp:694
#8 0x7fc4b49ba051 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) content/base/src/nsINode.cpp:1112
#9 0x7fc4b48839a4 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) content/base/src/nsContentUtils.cpp:3541
#10 0x7fc4b4883806 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) content/base/src/nsContentUtils.cpp:3511
#11 0x7fc4b4bea971 in nsAsyncDOMEvent::Run() content/events/src/nsAsyncDOMEvent.cpp:40
#12 0x7fc4b72df2b3 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:627
#13 0x7fc4b7226410 in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:238
#14 0x7fc4b69a7ddc in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
#15 0x7fc4b7365489 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:216
#16 0x7fc4b66d97bc in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
#17 0x7fc4b61bb78a in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:288
#18 0x7fc4b3a1b8c5 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3880
#19 0x7fc4b3a1c6df in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3947
#20 0x7fc4b3a1d579 in XRE_main toolkit/xre/nsAppRunner.cpp:4150
#21 0x425556 in main browser/app/nsBrowserApp.cpp:228
#22 0x7fc4bc05976c in ?? ??
#23 0x424864 in _start ??
0x600e002de940 is located 32 bytes inside of 72-byte region [0x600e002de920,0x600e002de968)
freed by thread T0 here:
#0 0x4186d2 in __interceptor_free
#1 0x7fc4b4018648 in mozilla::image::VectorImage::~VectorImage() image/src/VectorImage.cpp:307
#2 0x7fc4b4040778 in imgRequest::~imgRequest() image/src/imgRequest.cpp:89
#3 0x7fc4b40620dd in imgStatusTracker::OnStopRequest(bool, tag_nsresult) image/src/imgStatusTracker.cpp:701
#4 0x7fc4b401c683 in mozilla::image::VectorImage::OnSVGDocumentLoaded() image/src/VectorImage.cpp:928
previously allocated by thread T0 here:
#0 0x4187b2 in __interceptor_malloc
#1 0x7fc4bd097418 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
Shadow bytes around the buggy address:
0x0c0240053cd0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
0x0c0240053ce0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0240053cf0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0240053d00: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0240053d10: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c0240053d20: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fa fa fa
0x0c0240053d30: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0240053d40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
0x0c0240053d50: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0240053d60: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0240053d70: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==16261== ABORTING
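The two ASan stacks above describe a reentrancy use-after-free: OnStopRequest notifies a listener, that notification tears down the imgRequest and its VectorImage (freeing the 72-byte region), and OnStopRequest then reads an nsTArray that lived in it. The C sketch below is an added illustration, not Mozilla code and not the fix that landed in bug 847630 (which stopped firing OnStopRequest from that path); it models the hazard with a constructed refcounted `Request` type and shows the conventional mitigation of pinning the object across the callback. All names in it are assumptions.

```c
#include <stdlib.h>
typedef struct Request Request;
typedef void (*StopHandler)(Request *req);
struct Request {
    int refcnt;
    int *consumers;       /* heap array read after notifying, like the nsTArray */
    size_t nconsumers;
    StopHandler on_stop;  /* listener run on stop, like OnSVGDocumentLoaded */
};

static int live_requests = 0;  /* lets a caller confirm nothing leaked */
Request *request_new(size_t n) {
    Request *r = calloc(1, sizeof *r);
    r->consumers = calloc(n, sizeof *r->consumers);
    r->nconsumers = n;
    r->refcnt = 1;
    live_requests++;
    return r;
}
void request_addref(Request *r) { r->refcnt++; }
void request_release(Request *r) {
    if (--r->refcnt == 0) { free(r->consumers); free(r); live_requests--; }
}

/* Vulnerable shape: if on_stop() releases the last reference to r, the read
 * of r->nconsumers afterwards is the heap-use-after-free ASan reported. */
size_t on_stop_request_unsafe(Request *r) {
    if (r->on_stop) r->on_stop(r);
    return r->nconsumers;            /* r may already be freed here */
}

/* Hardened shape: pin r for the duration of the call so the listener's
 * release cannot destroy it underneath us. */
size_t on_stop_request_safe(Request *r) {
    request_addref(r);
    if (r->on_stop) r->on_stop(r);
    size_t n = r->nconsumers;        /* still valid: we hold a reference */
    request_release(r);              /* may now be the final release */
    return n;
}

/* Listener that gives up the caller's only reference during the stop
 * notification, as the freed-by stack shows ~imgRequest doing via ~VectorImage. */
static void listener_drops_owner(Request *r) { request_release(r); }

/* Runs the hardened path against that listener; returns the consumer count. */
size_t demo_safe_path(void) {
    Request *owner = request_new(3);        /* the single outstanding reference */
    owner->on_stop = listener_drops_owner;  /* will be released mid-notification */
    return on_stop_request_safe(owner);
}
```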
Updated•12 years ago
Component: General → ImageLib
Product: Firefox → Core
Updated•12 years ago
Keywords: regressionwindow-wanted
Comment 1•12 years ago
I can't reproduce.
Questions for Abhishek:
1) What llvm version are you using? (I'm using r176408)
2) Are you viewing test1.svg via file:// or http:// ? (I tried both, serving HTTP with "python -m SimpleHTTPServer")
3) What fuzzPriv extension are you using? (I tried https://www.squarefree.com/extensions/domFuzzLite3.xpi , as well as "...2.xpi" and "...xpi" )
Flags: needinfo?(inferno)
Comment 2•12 years ago
(I'm using mozilla-central on 64-bit linux, w/ a patch applied to hide the semi-spurious sqlite.c ASAN errors)
Comment 3•12 years ago
Hmm.. I'll take a look. This code already changed due to bug 847630 and we don't fire OnStopRequest from there anymore. So this may be irrelevant already.
Comment 4•12 years ago
(In reply to Daniel Holbert [:dholbert] from comment #1)
> I can't reproduce.
Not surprised; see comment 3.
Reporter
Comment 5•12 years ago
(In reply to Daniel Holbert [:dholbert] from comment #1)
> I can't reproduce.
>
> Questions for Abhishek:
> 1) What llvm version are you using? (I'm using r176408)
Same.
>
> 2) Are you viewing test1.svg via file:// or http:// ? (I tried both,
> serving HTTP with "python -m SimpleHTTPServer")
>
file://
> 3) What fuzzPriv extension are you using? (I tried
> https://www.squarefree.com/extensions/domFuzzLite3.xpi , as well as
> "...2.xpi" and "...xpi" )
domFuzzLite3.xpi
Let me try updating to trunk. My build was a few days old and https://hg.mozilla.org/mozilla-central/rev/e2cdf49fe873 is pretty recent.
Flags: needinfo?(inferno)
Reporter
Comment 6•12 years ago
(In reply to Daniel Holbert [:dholbert] from comment #2)
> (I'm using mozilla-central on 64-bit linux, w/ a patch applied to hide the
> semi-spurious sqlite.c ASAN errors)
Let me make your life easier. Set environment variable ASAN_OPTIONS=alloc_dealloc_mismatch=0:strict_memcmp=0 to hide all these errors.
Reporter
Comment 7•12 years ago
Please go ahead and close the bug. It does not reproduce anymore on trunk, looks like fixed from https://hg.mozilla.org/mozilla-central/rev/e2cdf49fe873.
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Comment 8•12 years ago
(In reply to Abhishek Arya from comment #6)
> Let me make your life easier. Set environment variable
> ASAN_OPTIONS=alloc_dealloc_mismatch=0:strict_memcmp=0 to hide all these
> errors.
Ah, that's handy! I knew the first one, not the second one.
Resolving as FIXED by bug 847630.
It'd still be worth investigating how long this was broken before that bug fixed it, in order to know whether we need to bother with backports. (seth, perhaps you have a guess?)
Depends on: 847630
Resolution: INVALID → FIXED
Updated•12 years ago
Flags: sec-bounty?
Comment 9•12 years ago
It was never broken anywhere except on Nightly as far as I'm aware. That code arrived in bug 704059 which is 3 weeks old.
Comment 10•12 years ago
OK, I was able to repro this with a targeted build from just after bug 704059 landed, at this rev:
https://hg.mozilla.org/mozilla-central/rev/6b7d9acf0d5b
but could not reproduce with a build from just before it landed, at this rev:
https://hg.mozilla.org/mozilla-central/rev/b1b969b60454
So: This verifies that Comment 9 is correct -- this only goes back as far as bug 704059's landing, and it was only ever a problem on Nightly (since that bug's patches haven't made it to any stable branches yet).
Comment 11•12 years ago
I also verified that I could repro this with just before bug 847630 landed:
https://hg.mozilla.org/mozilla-central/rev/14f662af1c91
but could not with the subsequent cset (bug 847630's patch):
https://hg.mozilla.org/mozilla-central/rev/e2cdf49fe873
So: I've verified that this only affected trunk between bug 704059's landing & bug 847630's landing.
Given that this doesn't affect branches & has been fixed on trunk for days, I think we're clear to remove the security-sensitive flag.
Group: core-security
Keywords: regressionwindow-wanted
Comment 13•12 years ago
This is really bug 847630, which was fixed before this was reported to us here. Because of that, this issue doesn't qualify for a bug bounty.
Flags: sec-bounty? → sec-bounty-
Updated•12 years ago
Whiteboard: [asan] fixed by bug 847630
Comment 14•12 years ago
If this security bug had existed on previous branches then bug 847630 would not have inspired us to backport a fix since it was not identified as a security problem. In that case this bug would have been worth a bug bounty because otherwise the security bug would have eventually impacted a shipping release.
Updated•11 years ago
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Keywords: regression
Whiteboard: [asan] fixed by bug 847630 → [asan] fixed by bug 847630, regressed from bug 704059
Target Milestone: --- → mozilla22
Updated•4 months ago
Keywords: reporter-external