Closed Bug 861552 Opened 12 years ago Closed 8 years ago

crash in mozilla::image::nsJPEGDecoder::OutputScanlines @ jpeg_fill_bit_buffer

Categories: Core :: Graphics: ImageLib, defect
Version: 22 Branch
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla50
Tracking Status: firefox-esr45 --- wontfix; firefox50 --- fixed
People: Reporter: scoobidiver, Assigned: RyanVM
Details: 5 keywords, Whiteboard: [adv-main50-]
Attachments: 1 file

It was a low volume crash but started spiking from 22.0a1/20130321090706 after the fix of bug 716140 landed. It's #184 browser crasher in 22.0a2 and #33 in 23.0a1. A comment says: "it happened while I was viewing with one of my security cameras"

Signature: jpeg_fill_bit_buffer
UUID: 8a893386-1283-4727-86d7-08ded2130413
Date Processed: 2013-04-13 20:23:56
Uptime: 614
Last Crash: 10.3 minutes before submission
Install Age: 10.8 minutes since version was first installed.
Install Time: 2013-04-13 19:54:59
Product: Firefox
Version: 23.0a1
Build ID: 20130413030927
Release Channel: nightly
OS: Windows NT
OS Version: 6.2.9200
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 58 stepping 9
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0xb629d5c
App Notes: AdapterVendorID: 0x1002, AdapterDeviceID: 0x679a, AdapterSubsysID: 3000174b, AdapterDriverVersion: 12.100.17.0 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Processor Notes: sp-processor07.phx1.mozilla.com_1565:2012; exploitability tool failed: 127
EMCheckCompatibility: True
Adapter Vendor ID: 0x1002
Adapter Device ID: 0x679a
Total Virtual Memory: 4294836224
Available Virtual Memory: 3671011328
System Memory Use Percentage: 49
Available Page File: 13769048064
Available Physical Memory: 4349882368
Accessibility: Active

Frame  Module        Signature                                                  Source
0      gkmedias.dll  jpeg_fill_bit_buffer                                       media/libjpeg/jdhuff.c:321
1      gkmedias.dll  decode_mcu_slow                                            media/libjpeg/jdhuff.c:592
2      gkmedias.dll  decode_mcu                                                 media/libjpeg/jdhuff.c:775
3      gkmedias.dll  decompress_onepass                                         media/libjpeg/jdcoefct.c:172
4      gkmedias.dll  process_data_simple_main                                   media/libjpeg/jdmainct.c:356
5      gkmedias.dll  jpeg_read_scanlines                                        media/libjpeg/jdapistd.c:175
6      xul.dll       mozilla::image::nsJPEGDecoder::OutputScanlines             image/decoders/nsJPEGDecoder.cpp:557
7      xul.dll       mozilla::image::nsJPEGDecoder::WriteInternal               image/decoders/nsJPEGDecoder.cpp:422
8      xul.dll       mozilla::image::Decoder::Write                             image/src/Decoder.cpp:115
9      xul.dll       mozilla::image::RasterImage::WriteToDecoder                image/src/RasterImage.cpp:2674
10     xul.dll       mozilla::image::RasterImage::DecodeSomeData                image/src/RasterImage.cpp:3266
11     xul.dll       mozilla::image::RasterImage::SyncDecode                    image/src/RasterImage.cpp:2901
12     xul.dll       mozilla::image::RasterImage::Draw                          image/src/RasterImage.cpp:3141
13     xul.dll       DrawImageInternal                                          layout/base/nsLayoutUtils.cpp:4044
14     xul.dll       nsLayoutUtils::DrawSingleImage                             layout/base/nsLayoutUtils.cpp:4162
15     xul.dll       nsImageFrame::PaintImage                                   layout/generic/nsImageFrame.cpp:1347
16     xul.dll       nsDisplayImage::Paint                                      layout/generic/nsImageFrame.cpp:1225
17     xul.dll       mozilla::FrameLayerBuilder::DrawThebesLayer                layout/base/FrameLayerBuilder.cpp:3299
18     xul.dll       mozilla::layers::BasicThebesLayer::PaintThebes             gfx/layers/basic/BasicThebesLayer.cpp:133
19     xul.dll       mozilla::layers::BasicLayerManager::PaintSelfOrChildren    gfx/layers/basic/BasicLayerManager.cpp:830
20     xul.dll       xul.dll@0x1adfb0
21     xul.dll       mozilla::layers::BasicLayerManager::PaintLayer             gfx/layers/basic/BasicLayerManager.cpp:956

More reports at: https://crash-stats.mozilla.com/report/list?signature=jpeg_fill_bit_buffer
I've got this open in a debug version of Firefox, but for my information: did you have to do anything other than just leave Firefox open?
Flags: needinfo?(mayankleoboy1)
Nothing in particular. Maybe click-and-drag the image around... I tried various things after the crash to get reproducible STR, but could not.
Flags: needinfo?(mayankleoboy1)
BTW, intermittently, with this live-webcam page open, FF does not shut down. The firefox.exe process does not end.
I just checked in bug 857876. That might have an effect on this bug; if you want to test ahead of this getting in to mozilla-central (possibly tomorrow, more likely the next day), use my try build: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jdrew@mozilla.com-d5055a412f69/
> exploitability tool failed: 127

That's unfortunate. This is a reproducible heap-buffer-overflow.
Group: core-security
Keywords: reproducible
Attached file callstack
Though this happened only while clicking the image after some time had passed.
Christoph, can you retry with today's nightly/up-to-date mozilla-central? bug 857876 landed yesterday, which definitely fixed some issues I found with this.
Can someone state whether they think this crash is exploitable?
There are still crashes after the fix of bug 857876.
On a recent Nightly, the webpage in comment 1 hangs for me. It looks like there's some recursion involving cross compartment wrapper calls.
All the crashes with this stack appear to be read access violations of data that's being decoded into the image. At worst that will incorporate random private memory information into the image which could then be potentially read by the page. I did see one write violation with this signature but the stack was completely different so it's not the same thing as whatever this webcam-induced crash spike is.
The duplicate has a testcase and is not hidden.
Can't reproduce with the testcase from bug 864020.
Group: core-security → gfx-core-security
No reports on crash-stats for version 50+, which conveniently matches up to when we updated to libjpeg-turbo 1.5.0 in bug 1278648. Any thoughts, DRC?
Flags: needinfo?(dcommander)
Flags: needinfo?(dcommander)
Good enough for me, thanks.
Assignee: nobody → ryanvm
Status: NEW → RESOLVED
Closed: 8 years ago
Depends on: 1278648
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Group: gfx-core-security → core-security-release
Whiteboard: [adv-main50-]
Group: core-security-release