Closed Bug 850951 Opened 12 years ago Closed 12 years ago

Heap-use-after-free in imgStatusTracker::OnStopRequest

Categories: Core :: Graphics: ImageLib, defect
Hardware / OS: x86_64 / All
Type: defect
Priority: Not set
Severity: normal

Tracking: RESOLVED FIXED, target milestone mozilla22
Tracking Status:
  firefox-esr17 --- unaffected
  b2g18 --- unaffected
People: Reporter: inferno, Unassigned

Details: 6 keywords, Whiteboard: [asan] fixed by bug 847630, regressed from bug 704059

Attachments: 1 file (1.53 KB, application/x-zip-compressed)
You need to have the fuzzPriv extension to force GC.

==16261== ERROR: AddressSanitizer: heap-use-after-free on address 0x600e002de940 at pc 0x7fc4b40623a4 bp 0x7fffb4e706f0 sp 0x7fffb4e706e8
READ of size 8 at 0x600e002de940 thread T0
    #0 0x7fc4b40623a3 in imgStatusTracker::OnStopRequest(bool, tag_nsresult) ../../dist/include/nsTArray.h:277
    #1 0x7fc4b401c683 in mozilla::image::VectorImage::OnSVGDocumentLoaded() image/src/VectorImage.cpp:928
    #2 0x7fc4b401cce5 in mozilla::image::SVGLoadEventListener::HandleEvent(nsIDOMEvent*) image/src/VectorImage.cpp:192
    #3 0x7fc4b4b8ec4b in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:923
    #4 0x7fc4b4bec2be in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) content/events/src/nsEventListenerManager.h:278
    #5 0x7fc4b4beb313 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:325
    #6 0x7fc4b4bef348 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) content/events/src/nsEventDispatcher.cpp:631
    #7 0x7fc4b4bf0184 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) content/events/src/nsEventDispatcher.cpp:694
    #8 0x7fc4b49ba051 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) content/base/src/nsINode.cpp:1112
    #9 0x7fc4b48839a4 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) content/base/src/nsContentUtils.cpp:3541
    #10 0x7fc4b4883806 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) content/base/src/nsContentUtils.cpp:3511
    #11 0x7fc4b4bea971 in nsAsyncDOMEvent::Run() content/events/src/nsAsyncDOMEvent.cpp:40
    #12 0x7fc4b72df2b3 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:627
    #13 0x7fc4b7226410 in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:238
    #14 0x7fc4b69a7ddc in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #15 0x7fc4b7365489 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:216
    #16 0x7fc4b66d97bc in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
    #17 0x7fc4b61bb78a in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:288
    #18 0x7fc4b3a1b8c5 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3880
    #19 0x7fc4b3a1c6df in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3947
    #20 0x7fc4b3a1d579 in XRE_main toolkit/xre/nsAppRunner.cpp:4150
    #21 0x425556 in main browser/app/nsBrowserApp.cpp:228
    #22 0x7fc4bc05976c in ?? ??
    #23 0x424864 in _start ??
0x600e002de940 is located 32 bytes inside of 72-byte region [0x600e002de920,0x600e002de968)
freed by thread T0 here:
    #0 0x4186d2 in __interceptor_free
    #1 0x7fc4b4018648 in mozilla::image::VectorImage::~VectorImage() image/src/VectorImage.cpp:307
    #2 0x7fc4b4040778 in imgRequest::~imgRequest() image/src/imgRequest.cpp:89
    #3 0x7fc4b40620dd in imgStatusTracker::OnStopRequest(bool, tag_nsresult) image/src/imgStatusTracker.cpp:701
    #4 0x7fc4b401c683 in mozilla::image::VectorImage::OnSVGDocumentLoaded() image/src/VectorImage.cpp:928
previously allocated by thread T0 here:
    #0 0x4187b2 in __interceptor_malloc
    #1 0x7fc4bd097418 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
Shadow bytes around the buggy address:
  0x0c0240053cd0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0240053ce0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0240053cf0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0240053d00: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0240053d10: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c0240053d20: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fa fa fa
  0x0c0240053d30: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0240053d40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
  0x0c0240053d50: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0240053d60: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0240053d70: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16261== ABORTING
Component: General → ImageLib
Product: Firefox → Core
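The trace above has a telling shape: the "freed by" stack ends in imgStatusTracker::OnStopRequest (via ~imgRequest and ~VectorImage), and the bad READ is in that same OnStopRequest call, one frame deeper, while it walks an nsTArray. In other words, a notification issued from inside OnStopRequest dropped the last reference to the object that owns the tracker, and the loop then kept reading the freed tracker. The C++ below is an added example, not Firefox code and not the fix that landed in bug 847630 (a later comment says OnStopRequest is simply no longer fired from that path); the class names Request, StatusTracker, Observer and ReleasingObserver are invented stand-ins, and the local strong-reference ("kung fu death grip") plus observer-list snapshot is a general mitigation for this bug shape, shown beside the unsafe loop for contrast.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Added example; not Firefox code. Invented names model the classes in the
// ASan trace: Request ~ imgRequest, StatusTracker ~ imgStatusTracker,
// Observer ~ the listeners OnStopRequest notifies from its nsTArray loop.

struct Observer {
  virtual ~Observer() {}
  virtual void OnStop() = 0;
};

struct StatusTracker {
  std::vector<Observer*> observers;  // the array the trace reads via nsTArray.h
  std::size_t notified = 0;

  // UNSAFE shape. Nothing keeps the owning Request (and so this tracker) alive
  // across the loop. If an observer's OnStop drops the last reference to the
  // Request, `this` is freed mid-loop and the next observers.size() and
  // ++notified read freed memory: exactly what ASan reports above.
  // Not run by the test; kept here beside the safe version for contrast.
  void NotifyStopUnsafe() {
    for (std::size_t i = 0; i < observers.size(); ++i) {
      observers[i]->OnStop();
      ++notified;  // may already be a use-after-free
    }
  }
};

static int g_requestsDestroyed = 0;  // lets a test see *when* the Request died

struct Outcome {
  std::size_t notified;       // observers notified by the safe call
  int destroyedBeforeReturn;  // Request destructions seen before the call returned
};

struct Request : std::enable_shared_from_this<Request> {
  std::unique_ptr<StatusTracker> tracker{new StatusTracker};
  ~Request() { ++g_requestsDestroyed; }

  // SAFE shape: a local strong reference pins the Request for the whole call,
  // so an observer releasing its reference only postpones destruction until
  // we return. The loop walks a snapshot of the observer list, so a callback
  // that adds or removes observers cannot invalidate the iteration either.
  Outcome OnStopRequestSafe() {
    std::shared_ptr<Request> keepAlive = shared_from_this();
    std::vector<Observer*> snapshot = tracker->observers;
    for (Observer* o : snapshot) {
      o->OnStop();
      ++tracker->notified;  // still valid: keepAlive owns the Request
    }
    return Outcome{tracker->notified, g_requestsDestroyed};
  }  // keepAlive released here; if it was the last reference, ~Request runs now
};

// An observer that, like the ~imgRequest path in the trace, releases its
// (only) strong reference to the Request from inside the stop notification.
struct ReleasingObserver : Observer {
  std::shared_ptr<Request> held;
  void OnStop() override { held.reset(); }
};

// Constructed scenario: the Request's sole owner is an observer that releases
// it during OnStop. With the safe call the notification completes and the
// Request is destroyed exactly once, after the call returns. Swapping in
// NotifyStopUnsafe() here reproduces the heap-use-after-free under ASan.
Outcome RunScenario() {
  g_requestsDestroyed = 0;
  ReleasingObserver obs;
  obs.held = std::make_shared<Request>();
  obs.held->tracker->observers.push_back(&obs);
  Request* raw = obs.held.get();  // obs.held is reset during the call below
  return raw->OnStopRequestSafe();
}

// How many Request destructions the scenario produced once it finished.
int DestroyedAfterScenario() {
  RunScenario();
  return g_requestsDestroyed;  // 1: destroyed once, only after the call returned
}
```

The point to take from the two versions is not the smart pointer type but the ordering guarantee: any loop that calls out to arbitrary listeners must not assume its own owner survives the callback. Building the safe variant with -fsanitize=address and replacing the call with NotifyStopUnsafe() gives a report of the same form as the one in this bug, which makes this a handy regression harness for that class of defect.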
I can't reproduce. Questions for Abhishek:
1) What llvm version are you using? (I'm using r176408)
2) Are you viewing test1.svg via file:// or http:// ? (I tried both, serving HTTP with "python -m SimpleHTTPServer")
3) What fuzzPriv extension are you using? (I tried https://www.squarefree.com/extensions/domFuzzLite3.xpi , as well as "...2.xpi" and "...xpi" )
Flags: needinfo?(inferno)
(I'm using mozilla-central on 64-bit linux, w/ a patch applied to hide the semi-spurious sqlite.c ASAN errors)
Hmm.. I'll take a look. This code already changed due to bug 847630 and we don't fire OnStopRequest from there anymore. So this may be irrelevant already.
(In reply to Daniel Holbert [:dholbert] from comment #1)
> I can't reproduce.

Not surprised; see comment 3.
(In reply to Daniel Holbert [:dholbert] from comment #1)
> I can't reproduce.
>
> Questions for Abishek:
> 1) What llvm version are you using? (I'm using r176408)

Same.

> 2) Are you viewing test1.svg via file:// or http:// ? (I tried both,
> serving HTTP with "python -m SimpleHTTPServer")

file://

> 3) What fuzzPriv extension are you using? (I tried
> https://www.squarefree.com/extensions/domFuzzLite3.xpi , as well as
> "...2.xpi" and "...xpi" )

domFuzzLite3.xpi

Let me try updating to trunk. My build was a few days old and https://hg.mozilla.org/mozilla-central/rev/e2cdf49fe873 is pretty recent.
Flags: needinfo?(inferno)
(In reply to Daniel Holbert [:dholbert] from comment #2)
> (I'm using mozilla-central on 64-bit linux, w/ a patch applied to hide the
> semi-spurious sqlite.c ASAN errors)

Let me make your life easier. Set environment variable ASAN_OPTIONS=alloc_dealloc_mismatch=0:strict_memcmp=0 to hide all these errors.
Please go ahead and close the bug. It does not reproduce anymore on trunk, looks like fixed from https://hg.mozilla.org/mozilla-central/rev/e2cdf49fe873.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
(In reply to Abhishek Arya from comment #6)
> Let me make your life easier. Set environment variable
> ASAN_OPTIONS=alloc_dealloc_mismatch=0:strict_memcmp=0 to hide all these
> errors.

Ah, that's handy! I knew the first one, not the second one.

Resolving as FIXED by bug 847630. It'd still be worth investigating how long this was broken before that bug fixed it, in order to know whether we need to bother with backports. (seth, perhaps you have a guess?)
Depends on: 847630
Resolution: INVALID → FIXED
It was never broken anywhere except on Nightly as far as I'm aware. That code arrived in bug 704059 which is 3 weeks old.
OK, I was able to repro this with a targeted build from just after bug 704059 landed, at this rev:
https://hg.mozilla.org/mozilla-central/rev/6b7d9acf0d5b
but could not reproduce with a build from just before it landed, at this rev:
https://hg.mozilla.org/mozilla-central/rev/b1b969b60454

So: This verifies that comment 9 is correct -- this only goes back as far as bug 704059's landing, and it was only ever a problem on Nightly (since that bug's patches haven't made it to any stable branches yet).
I also verified that I could repro this with just before bug 847630 landed:
https://hg.mozilla.org/mozilla-central/rev/14f662af1c91
but could not with the subsequent cset (bug 847630's patch):
https://hg.mozilla.org/mozilla-central/rev/e2cdf49fe873

So: I've verified that this only affected trunk between bug 704059's landing & bug 847630's landing. Given that this doesn't affect branches & has been fixed on trunk for days, I think we're clear to remove the security-sensitive flag.
Group: core-security
This is really bug 847630, which was fixed before this was reported to us here. Because of that, this issue doesn't qualify for a bug bounty.
Flags: sec-bounty? → sec-bounty-
Whiteboard: [asan] fixed by bug 847630
If this security bug had existed on previous branches then bug 847630 would not have inspired us to backport a fix since it was not identified as a security problem. In that case this bug would have been worth a bug bounty because otherwise the security bug would have eventually impacted a shipping release.
Keywords: regression
Whiteboard: [asan] fixed by bug 847630 → [asan] fixed by bug 847630, regressed from bug 704059
Target Milestone: --- → mozilla22