Closed Bug 936795 Opened 11 years ago Closed 11 years ago

Heap-buffer-overflow in nsJPEGEncoder::InitFromData

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
Windows 7
defect
Not set
normal


RESOLVED DUPLICATE of bug 934939

People

(Reporter: inferno, Assigned: milan)

Details

(Keywords: sec-high)

Attachments

(1 file)

Attached file Testcase
==19972==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020003ebc14 at pc 0x7f1008987774 bp 0x7fff467fe130 sp 0x7fff467fe128
READ of size 4 at 0x6020003ebc14 thread T0
    #0 0x7f1008987773 in ConvertHostARGBRow image/encoders/jpeg/nsJPEGEncoder.cpp:336
    #1 0x7f1008987773 in nsJPEGEncoder::InitFromData(unsigned char const*, unsigned int, unsigned int, unsigned int, unsigned int, unsigned int, nsAString_internal const&) image/encoders/jpeg/nsJPEGEncoder.cpp:163
    #2 0x7f10095824a5 in mozilla::dom::ImageEncoder::GetInputStream(int, int, unsigned char*, int, imgIEncoder*, char16_t const*, nsIInputStream**) content/canvas/src/ImageEncoder.cpp:242
    #3 0x7f10095543dc in mozilla::dom::CanvasRenderingContext2D::GetInputStream(char const*, char16_t const*, nsIInputStream**) content/canvas/src/CanvasRenderingContext2D.cpp:1101
    #4 0x7f1009581b24 in mozilla::dom::ImageEncoder::ExtractDataInternal(nsAString_internal const&, nsAString_internal const&, unsigned char*, int, nsIntSize, nsICanvasRenderingContextInternal*, nsIInputStream**, imgIEncoder*) content/canvas/src/ImageEncoder.cpp:277
    #5 0x7f1009580cd0 in mozilla::dom::ImageEncoder::ExtractData(nsAString_internal&, nsAString_internal const&, nsIntSize, nsICanvasRenderingContextInternal*, nsIInputStream**) content/canvas/src/ImageEncoder.cpp:193
    #6 0x7f1009705faa in operator class nsIInputStream ** content/html/content/src/HTMLCanvasElement.cpp:390
    #7 0x7f1009705faa in mozilla::dom::HTMLCanvasElement::ToDataURLImpl(JSContext*, nsAString_internal const&, JS::Value const&, nsAString_internal&) content/html/content/src/HTMLCanvasElement.cpp:465
    #8 0x7f100bcf9fb2 in operator class nsString & objdir-ff-asan/dom/bindings/../../dist/include/mozilla/dom/HTMLCanvasElement.h:92
    #9 0x7f100bcf9fb2 in mozilla::dom::HTMLCanvasElementBinding::toDataURL(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) objdir-ff-asan/dom/bindings/./HTMLCanvasElementBinding.cpp:251
    #10 0x7f100bcf8303 in mozilla::dom::HTMLCanvasElementBinding::genericMethod(JSContext*, unsigned int, JS::Value*) objdir-ff-asan/dom/bindings/./HTMLCanvasElementBinding.cpp:605
    #11 0x7f100e520952 in CallJSNative js/src/jscntxtinlines.h:220
    #12 0x7f100e520952 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:463
    #13 0x7f100e515a24 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2502
    #14 0x7f100e4fdd63 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:420
    #15 0x7f100e520b95 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:482
    #16 0x7f100e521949 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:513
    #17 0x7f100e228717 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5000
    #18 0x7f100bbe9da4 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JSObject*>, nsDOMEvent&, mozilla::ErrorResult&) objdir-ff-asan/dom/bindings/./EventHandlerBinding.cpp:35
    #19 0x7f1009ea7720 in Call<nsISupports *> objdir-ff-asan/dom/src/events/../../../dist/include/mozilla/dom/EventHandlerBinding.h:58
    #20 0x7f1009ea7720 in nsJSEventListener::HandleEvent(nsIDOMEvent*) dom/src/events/nsJSEventListener.cpp:245
    #21 0x7f100968af58 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:960
    #22 0x7f100968be22 in nsEventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:1038
    #23 0x7f100967cbe1 in HandleEvent content/events/src/nsEventListenerManager.h:325
    #24 0x7f100967cbe1 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, ELMCreationDetector&, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:193
    #25 0x7f100967babe in nsEventTargetChainItem::HandleEventTargetChain(nsTArray<nsEventTargetChainItem>&, nsEventChainPostVisitor&, nsDispatchingCallback*, ELMCreationDetector&, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:292
    #26 0x7f100967fb77 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) content/events/src/nsEventDispatcher.cpp:605
    #27 0x7f1008b09101 in nsDocumentViewer::LoadComplete(tag_nsresult) layout/base/nsDocumentViewer.cpp:997
    #28 0x7f100cca532c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) docshell/base/nsDocShell.cpp:6797
    #29 0x7f100cca24fa in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6594
    #30 0x7f100cca2a8c in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6601
    #31 0x7f100ccf61ef in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) uriloader/base/nsDocLoader.cpp:1331
    #32 0x7f100ccf5533 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) uriloader/base/nsDocLoader.cpp:865
    #33 0x7f100ccf3182 in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:755
    #34 0x7f100ccf471f in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:639
    #35 0x7f100ccf4fe9 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:643
    #36 0x7f1008268815 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsLoadGroup.cpp:688
    #37 0x7f1009363906 in nsDocument::DoUnblockOnload() content/base/src/nsDocument.cpp:7988
    #38 0x7f10093635c0 in nsDocument::UnblockOnload(bool) content/base/src/nsDocument.cpp:7916
    #39 0x7f1009342142 in nsDocument::DispatchContentLoadedEvents() content/base/src/nsDocument.cpp:4702
    #40 0x7f10093865cc in nsRunnableMethodImpl<void (nsDocument::*)(), void, true>::Run() objdir-ff-asan/content/base/src/../../../dist/include/nsThreadUtils.h:382
    #41 0x7f100c7e5657 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:610
    #42 0x7f100c711541 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:251
    #43 0x7f100b265f61 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:85
    #44 0x7f100c8eaa63 in RunInternal ipc/chromium/src/base/message_loop.cc:220
    #45 0x7f100c8eaa63 in RunHandler ipc/chromium/src/base/message_loop.cc:213
    #46 0x7f100c8eaa63 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:187
    #47 0x7f100b03ce8c in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:161
    #48 0x7f100aa3fc9e in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:267
    #49 0x7f1007f9ba58 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3976
    #50 0x7f1007f9c9ed in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4044
    #51 0x7f1007f9d92b in XRE_main toolkit/xre/nsAppRunner.cpp:4246
    #52 0x44aa70 in do_main browser/app/nsBrowserApp.cpp:275
    #53 0x44aa70 in main browser/app/nsBrowserApp.cpp:635
    #54 0x7f101784e76c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #55 0x44a05c in _start
0x6020003ebc14 is located 0 bytes to the right of 4-byte region [0x6020003ebc10,0x6020003ebc14)
allocated by thread T0 here:
    #0 0x433d85 in malloc _asan_rtl_
    #1 0x7f10095539cf in operator new[] objdir-ff-asan/content/canvas/src/../../../dist/include/mozilla/mozalloc.h:219
    #2 0x7f10095539cf in mozilla::gfx::SurfaceToPackedBGRA(mozilla::gfx::SourceSurface*) objdir-ff-asan/content/canvas/src/../../../dist/include/mozilla/gfx/DataSurfaceHelpers.h:49
    #3 0x7f1009553681 in mozilla::dom::CanvasRenderingContext2D::GetImageBuffer(unsigned char**, int*) content/canvas/src/CanvasRenderingContext2D.cpp:1078:19
    #4 0x7f100955410d in mozilla::dom::CanvasRenderingContext2D::GetInputStream(char const*, char16_t const*, nsIInputStream**) content/canvas/src/CanvasRenderingContext2D.cpp:1089
    #5 0x7f1009581b24 in mozilla::dom::ImageEncoder::ExtractDataInternal(nsAString_internal const&, nsAString_internal const&, unsigned char*, int, nsIntSize, nsICanvasRenderingContextInternal*, nsIInputStream**, imgIEncoder*) content/canvas/src/ImageEncoder.cpp:277
    #6 0x7f1009580cd0 in mozilla::dom::ImageEncoder::ExtractData(nsAString_internal&, nsAString_internal const&, nsIntSize, nsICanvasRenderingContextInternal*, nsIInputStream**) content/canvas/src/ImageEncoder.cpp:193
Shadow bytes around the buggy address:
  0x0c0480075730: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c0480075740: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c0480075750: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480075760: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480075770: fa fa fd fd fa fa fd fd fa fa 00 fa fa fa fd fa
=>0x0c0480075780: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480075790: fa fa fa fa fa fa fa fa fa fa fd fd fa fa fd fd
  0x0c04800757a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c04800757b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c04800757c0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c04800757d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==19972==ABORTING
Milan: what happens here... I'm guessing from the stack we're reading image data, not an object. Will we then write that data somewhere that's too small for it? Incorporate it into the image itself, which might then be readable via <canvas>?
Assignee: nobody → milan
Flags: needinfo?(milan)
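The trace above shows a 4-byte read in ConvertHostARGBRow landing just past the end of a 4-byte region allocated by SurfaceToPackedBGRA: the encoder was handed a buffer smaller than the width, height and stride it was told to convert, so the row loop walked into neighbouring heap memory (which is how pixels from unrelated pages could end up in the encoded output). The C below is an added illustration, not Gecko's nsJPEGEncoder code, of the geometry check an InitFromData-style entry point needs before it touches a single row. The function names (encode_init_from_data, convert_argb_row, put_pixel, the demo_* helpers) and the pixel values are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical encoder front end (not Gecko's). Converts host-order
 * 0xAARRGGBB pixels to packed 24-bit RGB rows, the step a JPEG encoder
 * performs before handing rows to the compressor. */

/* Convert one row of 32-bit host-order ARGB pixels to 24-bit RGB. */
static void convert_argb_row(const uint8_t *src, uint8_t *dst, uint32_t width)
{
    for (uint32_t x = 0; x < width; x++) {
        uint32_t px;
        memcpy(&px, src + (size_t)x * 4, 4);   /* the 4-byte read seen in the ASan trace */
        dst[x * 3 + 0] = (uint8_t)(px >> 16);  /* R */
        dst[x * 3 + 1] = (uint8_t)(px >> 8);   /* G */
        dst[x * 3 + 2] = (uint8_t)(px);        /* B */
    }
}

/* Returns 0 on success, -1 when the caller's geometry does not fit in
 * the buffer it supplied. Every check is done in 64-bit arithmetic so
 * that a large width or height cannot wrap the size computation. */
int encode_init_from_data(const uint8_t *data, size_t length,
                          uint32_t width, uint32_t height, uint32_t stride,
                          uint8_t *out, size_t out_len)
{
    if (data == NULL || out == NULL || width == 0 || height == 0)
        return -1;
    /* A row of width pixels needs width*4 bytes and must fit in the stride. */
    if ((uint64_t)stride < (uint64_t)width * 4)
        return -1;
    /* The last row starts at (height-1)*stride and is width*4 bytes long. */
    uint64_t needed = (uint64_t)(height - 1) * stride + (uint64_t)width * 4;
    if (needed > length)
        return -1;   /* this is the case the trace shows: 4 bytes in, more than one pixel requested */
    if ((uint64_t)width * 3 * height > out_len)
        return -1;
    for (uint32_t y = 0; y < height; y++)
        convert_argb_row(data + (size_t)y * stride, out + (size_t)y * width * 3, width);
    return 0;
}

/* Store a host-order ARGB value, so the sample data is endian-independent. */
static void put_pixel(uint8_t *dst, uint32_t argb)
{
    memcpy(dst, &argb, 4);
}

/* Constructed scenario matching the report: a one-pixel (4-byte) buffer
 * described to the encoder as 2x2 with stride 8. Expected: rejected (-1). */
int demo_rejects_undersized_buffer(void)
{
    uint8_t one_pixel[4];
    uint8_t out[12];
    put_pixel(one_pixel, 0xFF112233u);
    return encode_init_from_data(one_pixel, sizeof one_pixel, 2, 2, 8, out, sizeof out);
}

/* Constructed consistent input: 2x2 ARGB, stride 8, 16 bytes. Returns 1 when
 * the packed RGB output is exactly the 12 bytes expected, 0 otherwise. */
int demo_converts_consistent_buffer(void)
{
    uint8_t pixels[16];
    uint8_t out[12];
    static const uint8_t expected[12] = {
        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC
    };
    put_pixel(pixels + 0,  0xFF112233u);
    put_pixel(pixels + 4,  0xFF445566u);
    put_pixel(pixels + 8,  0xFF778899u);
    put_pixel(pixels + 12, 0xFFAABBCCu);
    if (encode_init_from_data(pixels, sizeof pixels, 2, 2, 8, out, sizeof out) != 0)
        return 0;
    return memcmp(out, expected, sizeof expected) == 0;
}

int main(void)
{
    printf("undersized buffer rejected: %s\n",
           demo_rejects_undersized_buffer() == -1 ? "yes" : "NO");
    printf("consistent buffer converted: %s\n",
           demo_converts_consistent_buffer() ? "yes" : "NO");
    return 0;
}
```

The important design point is that the check is computed from the caller-supplied length, not from the width and height alone: a buffer that was allocated for a different (smaller) surface size than the one later described to the encoder is exactly the mismatch the ASan report captures, and only comparing the actual byte count against `(height-1)*stride + width*4` catches it.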
While it doesn't crash on Mac, I see images from other pages, visited earlier in the day, showing up in the canvas.  I'd say sec-high.
Flags: needinfo?(milan)
Keywords: sec-high
related in any way to bug 934939 (or bug 939559)? Those were PNG but involved canvas like this one.
(In reply to Daniel Veditz [:dveditz] from comment #3)
> related in any way to bug 934939 (or bug 939559)? Those were PNG but
> involved canvas like this one.

This one does not reproduce anymore. Looks like this might be the same as 934939. Someone should verify.
Stephen, do you think this is the same issue as you fixed in bug 934939?  Thanks.
Flags: needinfo?(spohl.mozilla.bugs)
(In reply to Andrew McCreight [:mccr8] from comment #5)
> Stephen, do you think this is the same issue as you fixed in bug 934939? 
> Thanks.

Yes, this is the same issue and I was able to confirm locally that the patch in bug 934939 fixed this.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(spohl.mozilla.bugs)
Resolution: --- → DUPLICATE
Thanks!
Group: core-security → core-security-release
Group: core-security-release