heap-buffer-overflow in mozilla::gfx::FilterProcessing::ApplyMorphologyHorizontal_SSE2

VERIFIED FIXED in Firefox 28

Status: VERIFIED FIXED
Type: defect
Severity: critical
Reported: 6 years ago; last updated: 3 years ago

People: Reporter: inferno; Assigned: mstange

Tracking: 6 keywords; Trunk; mozilla29; x86_64; Windows 7
Bug Flags: sec-bounty +, in-testsuite +

Firefox Tracking Flags: (firefox27 unaffected, firefox28+ verified, firefox29+ verified, firefox-esr24 unaffected, b2g18 unaffected, b2g-v1.1hd unaffected, b2g-v1.2 unaffected, b2g-v1.3 fixed, b2g-v1.3T fixed, b2g-v1.4 fixed)

Details: Whiteboard: [asan]

Attachments (3 attachments, 1 obsolete attachment):
  Testcase: 3.75 KB, application/x-zip-compressed
  abc.svg: 510 bytes, image/svg+xml
  v2: 4.27 KB, patch; bas.schouten: review+; abillings: sec-approval+
Reporter

Description

6 years ago
Posted file Testcase
==14095==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060001b0170 at pc 0x7fb2b6cc6474 bp 0x7fff0d1ede90 sp 0x7fff0d1ede88
READ of size 16 at 0x6060001b0170 thread T0
    #0 0x7fb2b6cc6473 in long long __vector(2) mozilla::gfx::simd::Load8<long long __vector(2)>(unsigned char const*) gfx/2d/SIMD.h:806:10
    #1 0x7fb2b6d0cd55 in _ZN7mozilla3gfx30ApplyMorphologyHorizontal_SIMDILNS0_18MorphologyOperatorE1EDv2_xS3_EEvPhiS4_iRKNS0_12IntRectTypedINS0_12UnknownUnitsEEEi gfx/2d/FilterProcessingSIMD-inl.h:401:25
    #2 0x7fb2b6cb1218 in _ZN7mozilla3gfx30ApplyMorphologyHorizontal_SIMDIDv2_xS2_EEvPhiS3_iRKNS0_12IntRectTypedINS0_12UnknownUnitsEEEiNS0_18MorphologyOperatorE gfx/2d/FilterProcessingSIMD-inl.h:430
    #3 0x7fb2b6cb09d6 in mozilla::gfx::FilterProcessing::ApplyMorphologyHorizontal_SSE2(unsigned char*, int, unsigned char*, int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, mozilla::gfx::MorphologyOperator) gfx/2d/FilterProcessingSSE2.cpp:42
    #4 0x7fb2b6e293e9 in mozilla::gfx::FilterProcessing::ApplyMorphologyHorizontal(unsigned char*, int, unsigned char*, int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, mozilla::gfx::MorphologyOperator) gfx/2d/FilterProcessing.cpp:63
    #5 0x7fb2b6dec718 in mozilla::gfx::ApplyMorphology(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int, mozilla::gfx::MorphologyOperator) gfx/2d/FilterNodeSoftware.cpp:1064
    #6 0x7fb2b6deab4c in mozilla::gfx::FilterNodeMorphologySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1110
    #7 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #8 0x7fb2b6ddd07c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #9 0x7fb2b6e25e82 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2757
    #10 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #11 0x7fb2b6ddd07c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #12 0x7fb2b6e2763c in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2818
    #13 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #14 0x7fb2b6ddd07c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #15 0x7fb2b6dfa4a1 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1544
    #16 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #17 0x7fb2b6ddd07c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #18 0x7fb2b6e26b9c in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2789
    #19 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #20 0x7fb2b6d6deb1 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/FilterNodeSoftware.cpp:572
    #21 0x7fb2b6d6d2c8 in mozilla::gfx::DrawTargetCairo::DrawFilter(mozilla::gfx::FilterNode*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/DrawTargetCairo.cpp:567
    #22 0x7fb2a324c44b in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<nsRefPtr<gfxASurface> >&) gfx/src/FilterSupport.cpp:1118
    #23 0x7fb2af630eb6 in nsSVGFilterInstance::Render(gfxContext*) layout/svg/nsSVGFilterInstance.cpp:475
    #24 0x7fb2af62f798 in nsSVGFilterFrame::PaintFilteredFrame(nsRenderingContext*, nsIFrame*, nsSVGFilterPaintCallback*, nsRect const*, nsIFrame*) layout/svg/nsSVGFilterFrame.cpp:454
    #25 0x7fb2af6a432e in nsSVGIntegrationUtils::PaintFramesWithEffects(nsRenderingContext*, nsIFrame*, nsRect const&, nsDisplayListBuilder*, mozilla::layers::LayerManager*) layout/svg/nsSVGIntegrationUtils.cpp:519
    #26 0x7fb2aebace26 in nsDisplaySVGEffects::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) layout/base/nsDisplayList.cpp:4617
    #27 0x7fb2ae88fa1c in mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, nsRenderingContext*) layout/base/FrameLayerBuilder.cpp:2090
    #28 0x7fb2ae88eca0 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) layout/base/FrameLayerBuilder.cpp:3376
    #29 0x7fb2ae89284c in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3550
    #30 0x7fb2a3a782dd in mozilla::layers::BasicThebesLayer::PaintBuffer(gfxContext*, nsIntRegion const&, nsIntRegion const&, nsIntRegion const&, bool, mozilla::layers::DrawRegionClip, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicThebesLayer.h:114
    #31 0x7fb2a3a294bd in mozilla::layers::BasicThebesLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicThebesLayer.cpp:203
    #32 0x7fb2a3a29cf4 in non-virtual thunk to mozilla::layers::BasicThebesLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:219
    #33 0x7fb2a3a0cf41 in mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicContainerLayer.cpp:124
    #34 0x7fb2a3a0d3c4 in non-virtual thunk to mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:130
    #35 0x7fb2a3a0cf41 in mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicContainerLayer.cpp:124
    #36 0x7fb2a3a0d3c4 in non-virtual thunk to mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) objdir-ff-asan-sym/gfx/layers/Unified_cpp_gfx_layers1.cpp:130
    #37 0x7fb2a3a148c8 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:596
    #38 0x7fb2a3a13f71 in mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:530
    #39 0x7fb2aeb4722e in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1202
    #40 0x7fb2aeb445b0 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:1060
    #41 0x7fb2aebf5c2b in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:2325
    #42 0x7fb2ae7a9bb3 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:5842
    #43 0x7fb2aa850499 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/src/nsViewManager.cpp:420
    #44 0x7fb2aa8555b9 in nsViewManager::ProcessPendingUpdates() view/src/nsViewManager.cpp:1053
    #45 0x7fb2ae827283 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1208
    #46 0x7fb2ae846919 in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:168
    #47 0x7fb2ae845fbf in mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp:160
    #48 0x7fb2ae8454c6 in mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) layout/base/nsRefreshDriver.cpp:185
    #49 0x7fb29f06f215 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:551
    #50 0x7fb29f0707d6 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:635
    #51 0x7fb29f0557e3 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #52 0x7fb29eac38e2 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #53 0x7fb2a116cf98 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:85
    #54 0x7fb2a0e3eed7 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:220
    #55 0x7fb2a0e3eb2a in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:213
    #56 0x7fb2a0e3ea05 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:187
    #57 0x7fb2a88ec5ef in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:161
    #58 0x7fb2b2c691ff in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:267
    #59 0x7fb2b24af6f6 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3974
    #60 0x7fb2b24b3f9a in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4042
    #61 0x7fb2b24b68f4 in XRE_main toolkit/xre/nsAppRunner.cpp:4244
    #62 0x44dc07 in do_main(int, char**, nsIFile*) browser/app/nsBrowserApp.cpp:280
    #63 0x44abe5 in main browser/app/nsBrowserApp.cpp:647
    #64 0x7fb2c6c0b76c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #65 0x44a33c in _start
0x6060001b017f is located 0 bytes to the right of 63-byte region [0x6060001b0140,0x6060001b017f)
allocated by thread T0 here:
    #0 0x434065 in malloc _asan_rtl_
    #1 0x7fb2c20e421a in moz_malloc memory/mozalloc/mozalloc.cpp:62
    #2 0x7fb2b70b154e in operator new[](unsigned long, std::nothrow_t const&) objdir-ff-asan-sym/gfx/2d/../../dist/include/mozilla/mozalloc.h:219
    #3 0x7fb2b70b154e in mozilla::gfx::AlignedArray<unsigned char, 16>::Realloc(unsigned long) gfx/2d/Tools.h:113
    #4 0x7fb2b70b154e in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) gfx/2d/SourceSurfaceRawData.cpp:33
    #5 0x7fb2b6dd29fd in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) gfx/2d/Factory.cpp:647
    #6 0x7fb2b6dd8a0e in mozilla::gfx::GetDataSurfaceInRect(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::ConvolveMatrixEdgeMode) gfx/2d/FilterNodeSoftware.cpp:436
    #7 0x7fb2b6ddd91f in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:717
    #8 0x7fb2b6dea632 in mozilla::gfx::FilterNodeMorphologySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1098
    #9 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #10 0x7fb2b6ddd07c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #11 0x7fb2b6e25e82 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2757
    #12 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #13 0x7fb2b6ddd07c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #14 0x7fb2b6e2763c in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2818
    #15 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #16 0x7fb2b6ddd07c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #17 0x7fb2b6dfa4a1 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1544
    #18 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #19 0x7fb2b6ddd07c in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #20 0x7fb2b6e26b9c in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2789
    #21 0x7fb2b6dd9ebc in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #22 0x7fb2b6d6deb1 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/FilterNodeSoftware.cpp:572
    #23 0x7fb2b6d6d2c8 in mozilla::gfx::DrawTargetCairo::DrawFilter(mozilla::gfx::FilterNode*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/DrawTargetCairo.cpp:567
    #24 0x7fb2a324c44b in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<nsRefPtr<gfxASurface> >&) gfx/src/FilterSupport.cpp:1118
    #25 0x7fb2af630eb6 in nsSVGFilterInstance::Render(gfxContext*) layout/svg/nsSVGFilterInstance.cpp:475
    #26 0x7fb2af62f798 in nsSVGFilterFrame::PaintFilteredFrame(nsRenderingContext*, nsIFrame*, nsSVGFilterPaintCallback*, nsRect const*, nsIFrame*) layout/svg/nsSVGFilterFrame.cpp:454
    #27 0x7fb2af6a432e in nsSVGIntegrationUtils::PaintFramesWithEffects(nsRenderingContext*, nsIFrame*, nsRect const&, nsDisplayListBuilder*, mozilla::layers::LayerManager*) layout/svg/nsSVGIntegrationUtils.cpp:519
    #28 0x7fb2aebace26 in nsDisplaySVGEffects::PaintAsLayer(nsDisplayListBuilder*, nsRenderingContext*, mozilla::layers::LayerManager*) layout/base/nsDisplayList.cpp:4617
    #29 0x7fb2ae88fa1c in mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, nsRenderingContext*) layout/base/FrameLayerBuilder.cpp:2090
    #30 0x7fb2ae88eca0 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) layout/base/FrameLayerBuilder.cpp:3376
    #31 0x7fb2ae89284c in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3550
==14095==ABORTING

Comment 1

6 years ago
WFM in a Linux64 ASAN build so it might be platform specific.
The buffer in question was allocated in gfx code so I think this might be a gfx problem.  Please reassign it back to SVG if I'm mistaken.
Severity: normal → critical
Component: SVG → Graphics
Keywords: crash, pp, testcase
Whiteboard: [asan]

Comment 2

This looks like it's related to the filter code that just landed in bug 924102; cc'ing :mstange, :bas.
Reporter

Comment 3

6 years ago
Posted image abc.svg
Another repro.

==20465==ERROR: AddressSanitizer: SEGV on unknown address 0x7f63133d8280 (pc 0x00000043ec19 sp 0x7fff2ecb8a88 bp 0x7fff2ecb9300 T0)
AddressSanitizer can not provide additional info.
    #0 0x43ec18 in __sanitizer::internal_memcpy(void*, void const*, unsigned long) llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_libc.cc:44
    #1 0x417185 in memcpy _asan_rtl_
    #2 0x7f63dbaeb20a in mozilla::gfx::CopyRect(mozilla::gfx::DataSourceSurface*, mozilla::gfx::DataSourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>) objdir-ff-asan/gfx/2d/../../dist/include/mozilla/PodOperations.h:109
    #3 0x7f63dbaec23c in mozilla::gfx::GetDataSurfaceInRect(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::ConvolveMatrixEdgeMode) gfx/2d/FilterNodeSoftware.cpp:458
    #4 0x7f63dbaefc5a in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:717
    #5 0x7f63dbaf5e49 in mozilla::gfx::FilterNodeMorphologySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1098
    #6 0x7f63dbaee1d3 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #7 0x7f63dbaef669 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #8 0x7f63dbb13b1b in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2757
    #9 0x7f63dbaee1d3 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #10 0x7f63dbaef669 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #11 0x7f63dbb142d5 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2818
    #12 0x7f63dbaee1d3 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #13 0x7f63dbaef669 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #14 0x7f63dbafd5a2 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:1544
    #15 0x7f63dbaee1d3 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #16 0x7f63dbaef669 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) gfx/2d/FilterNodeSoftware.cpp:690
    #17 0x7f63dbb14115 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:2789
    #18 0x7f63dbaee1d3 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) gfx/2d/FilterNodeSoftware.cpp:613
    #19 0x7f63dbabb452 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) gfx/2d/FilterNodeSoftware.cpp:572
    #20 0x7f63d71bb211 in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<nsRefPtr<gfxASurface> >&) gfx/src/FilterSupport.cpp:1118
    #21 0x7f63da47aab1 in nsSVGFilterInstance::Render(gfxContext*) layout/svg/nsSVGFilterInstance.cpp:475
    #22 0x7f63da47a1bb in nsSVGFilterFrame::PaintFilteredFrame(nsRenderingContext*, nsIFrame*, nsSVGFilterPaintCallback*, nsRect const*, nsIFrame*) layout/svg/nsSVGFilterFrame.cpp:454
    #23 0x7f63da4a1920 in nsSVGIntegrationUtils::PaintFramesWithEffects(nsRenderingContext*, nsIFrame*, nsRect const&, nsDisplayListBuilder*, mozilla::layers::LayerManager*) layout/svg/nsSVGIntegrationUtils.cpp:519
    #24 0x7f63d9fd948e in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, nsIntRect const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, nsIntPoint const&, float, float, int) layout/base/FrameLayerBuilder.cpp:2090
    #25 0x7f63d9fdb58a in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3550
    #26 0x7f63d73bfc81 in mozilla::layers::BasicThebesLayer::PaintBuffer(gfxContext*, nsIntRegion const&, nsIntRegion const&, nsIntRegion const&, bool, mozilla::layers::DrawRegionClip, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicThebesLayer.h:114
    #27 0x7f63d73a5e7f in mozilla::layers::BasicThebesLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicThebesLayer.cpp:203
    #28 0x7f63d739913d in non-virtual thunk to mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicContainerLayer.cpp:124
    #29 0x7f63d739913d in non-virtual thunk to mozilla::layers::BasicContainerLayer::Validate(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*) gfx/layers/basic/BasicContainerLayer.cpp:124
    #30 0x7f63d739c115 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:596
    #31 0x7f63da0bda55 in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1202
    #32 0x7f63da0bc683 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:1060
    #33 0x7f63da10ada9 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:2325
    #34 0x7f63d9f8a7bd in PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:5842
    #35 0x7f63d8e3bc3c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/src/nsViewManager.cpp:420
    #36 0x7f63d9fae79e in nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1208
    #37 0x7f63d9fb2610 in mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp:168
    #38 0x7f63d60d4b1d in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:551
    #39 0x7f63d60d5286 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:635
    #40 0x7f63d60cd91b in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #41 0x7f63d5faeb61 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #42 0x7f63d68bdb71 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:85
    #43 0x7f63d68303c3 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:220
    #44 0x7f63d860863c in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:161
    #45 0x7f63db211f0e in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:267
    #46 0x7f63db03a618 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3974
    #47 0x7f63db03b5ad in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4042
    #48 0x7f63db03c4eb in XRE_main toolkit/xre/nsAppRunner.cpp:4244
    #49 0x44aa70 in main browser/app/nsBrowserApp.cpp:280
    #50 0x7f63e5d1976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #51 0x44a05c in _start
==20465==ABORTING
Matt: can you see if reproducibility of various builds supports the guess in comment 2? That bug landed around 11-28.
Flags: sec-bounty?
Flags: needinfo?(mwobensmith)
Comment 5 (Assignee, 6 years ago)
This is absolutely from bug 924102.
Assignee: nobody → mstange
Status: NEW → ASSIGNED
Flags: needinfo?(mwobensmith)
Comment 6 (Assignee, 6 years ago)
Posted patch Check surface size (obsolete) — Splinter Review
We call Factory::CreateDataSourceSurface with a size that's roughly 200000 x 200000 pixels. At four bytes per pixel, that surface would be about 160GB big. However, this calculation in SourceSurfaceAlignedRawData::Init overflows:
mArray.Realloc(mStride * aSize.height);
mStride and aSize.height are int32_t, and the multiplication happens before the conversion to size_t. So the value that Realloc sees is only about 1GB and the allocation succeeds. However, since the surface now carries a data storage that's not big enough for its advertised size, we attempt to read from out-of-bounds memory.

This patch adds Factory::CheckSurfaceSize that mirrors the existing gfxASurface::CheckSurfaceSize. However, it's not clear to me where the best place to call it would be. I've added some callers in the Factory methods, but we could just as well have all the DrawTarget*::Init and SourceSurface*::Init methods call it.

The CheckedInt<size_t> in SourceSurfaceAlignedRawData::Init is just an additional safety measure. It's your call whether we want it.
Attachment #8350622 - Flags: feedback?(bas)
Comment on attachment 8350622 [details] [diff] [review]
Check surface size

Review of attachment 8350622 [details] [diff] [review]:
-----------------------------------------------------------------

I don't disagree with the general idea, however I do have one comment.

::: gfx/2d/Factory.cpp
@@ +205,5 @@
> +    return false;
> +  }
> +
> +  // assuming 4-byte stride, make sure the allocation size
> +  // doesn't overflow a int32_t either
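Review bot: the comment in this hunk assumes a 4-byte (width times 4) stride, but the surfaces discussed in this bug use a 16-byte aligned stride, so a size that passes this check can still overflow once the stride is rounded up; compute the check against the aligned stride instead (for example by verifying that the alignment padding added to the row size stays within int32_t before multiplying by the height). Also "a int32_t" should read "an int32_t".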

If we're going to make any assumptions a 32-byte aligned stride here! (to be certain if we switch to AVX in the future, in any case, we're currently doing 16-byte alignments) I realize this check is already in SourceSurfaceRawData but with that logic this check is pointless.
Attachment #8350622 - Flags: feedback?(bas) → feedback+
(In reply to Markus Stange [:mstange] from comment #6)
> We call Factory::CreateDataSourceSurface with a size that's roughly 200000 x
> 200000 pixels. At four bytes per pixel, that surface would be about 160GB

Why are we allowing images that big? Elsewhere (imageFrame, maybe?) we cap images at 32Kx32K pixels for just this kind of overflow reason. There are no monitors anywhere that support that many pixels and there's not a lot of use in scrolling tens of feet.
Comment 9 (Assignee, 6 years ago)
(In reply to Daniel Veditz [:dveditz] from comment #8)
> (In reply to Markus Stange [:mstange] from comment #6)
> > We call Factory::CreateDataSourceSurface with a size that's roughly 200000 x
> > 200000 pixels. At four bytes per pixel, that surface would be about 160GB
> 
> Why are we allowing images that big?

These surface sizes don't come from big images. They come from applying filters with large radii to small input images, which results in big output images. In this testcase, we apply a giant morphology radius, which is capped[1] to 100000, so the source image grows by 100000 pixels in all four directions.

> Elsewhere (imageFrame, maybe?) we cap
> images at 32Kx32K pixels for just this kind of overflow reason.

That's essentially what I'm doing in this patch - I cap the size of the temporary surfaces that are used when calculating the filter.

[1] http://dxr.mozilla.org/mozilla-central/source/gfx/src/FilterSupport.cpp#633 - though you could argue that 100000 is still a bit much
Comment 10 (Assignee, 6 years ago)
Posted patch v2 - Splinter Review
(In reply to Bas Schouten (:bas.schouten) from comment #7)
> Comment on attachment 8350622 [details] [diff] [review]
> Check surface size
> 
> Review of attachment 8350622 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> I don't disagree with the general idea, however I do have one comment.
> 
> ::: gfx/2d/Factory.cpp
> @@ +205,5 @@
> > +    return false;
> > +  }
> > +
> > +  // assuming 4-byte stride, make sure the allocation size
> > +  // doesn't overflow a int32_t either
> 
> If we're going to make any assumptions a 32-byte aligned stride here! (to be
> certain if we switch to AVX in the future, in any case, we're currently
> doing 16-byte alignments)

Hmm, there are several places where we already use 16 byte alignments. If we want to use AVX in the future, we'll have to update all of them, so I see no reason not to use 16 here, too.
I haven't really found a pretty way to check that aligning the stride doesn't overflow. I now simply check that adding 15 does not overflow... do you have a better idea? I did not want to copy the whole GetAlignedStride calculation.

> I realize this check is already in
> SourceSurfaceRawData but with that logic this check is pointless.

The check in SourceSurfaceRawData was actually more lenient for 64 bit because it checked for size_t overflow, not for int32_t. I've removed it.
Attachment #8350622 - Attachment is obsolete: true
Attachment #8359792 - Flags: review?(bas)
Attachment #8359792 - Flags: review?(bas) → review+
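As an added illustration of the overflow described in comment 6 and the size check settled on in comment 10 (constructed example, not code from the patch or from Mozilla): the 32-bit product of stride and height wraps from roughly 160 GB down to about 1 GB, while the checked version caps each dimension, derives the 16-byte aligned stride, multiplies in 64 bits and rejects anything that would not fit an int32_t. The cap kMaxSurfaceDim and all function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Constructed example, not Mozilla's code. kMaxSurfaceDim is an assumed cap
// (the thread mentions a 32K x 32K cap elsewhere; the real value is a choice).
constexpr int32_t kMaxSurfaceDim = 32767;
constexpr int64_t kStrideAlign = 16;   // the 16-byte alignment discussed in the thread
constexpr int32_t kBytesPerPixel = 4;

// The defect described in comment 6: stride and height are int32_t, and the
// product is formed in 32 bits before it is widened to size_t. Using uint32_t
// here makes the wrap well-defined so it can be shown; 200000 x 200000 pixels
// (stride 800000) wraps from ~160 GB down to 1086210048 bytes (~1 GB).
uint32_t BuggyAllocSize(int32_t stride, int32_t height) {
  return uint32_t(stride) * uint32_t(height);
}

// Round the row size up to kStrideAlign, failing if the "add 15" step alone
// would leave the int32_t range (the approach comment 10 settles on).
bool AlignedStride(int32_t width, int32_t* outStride) {
  int64_t bytes = int64_t(width) * kBytesPerPixel;
  if (bytes + (kStrideAlign - 1) > std::numeric_limits<int32_t>::max()) {
    return false;
  }
  *outStride = int32_t((bytes + (kStrideAlign - 1)) & ~(kStrideAlign - 1));
  return true;
}

// Hardened size computation: cap each dimension, derive the aligned stride,
// multiply in 64 bits, and reject anything that would not fit an int32_t
// (the check is against int32_t, not size_t, so 64-bit builds are covered too).
bool CheckedAllocSize(int32_t width, int32_t height, size_t* outBytes) {
  if (width <= 0 || height <= 0 ||
      width > kMaxSurfaceDim || height > kMaxSurfaceDim) {
    return false;
  }
  int32_t stride = 0;
  if (!AlignedStride(width, &stride)) {
    return false;
  }
  uint64_t total = uint64_t(stride) * uint64_t(height);
  if (total > uint64_t(std::numeric_limits<int32_t>::max())) {
    return false;
  }
  *outBytes = size_t(total);
  return true;
}
```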
Comment 11 (Assignee, 6 years ago)
Comment on attachment 8359792 [details] [diff] [review]
v2

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easily, unless I include the provided testcase as a test. The patch currently does not contain a test.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No. I wouldn't know right away where to look.

Which older supported branches are affected by this flaw?
Only Aurora and m-c.

If not all supported branches, which bug introduced the flaw?
bug 924103

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This patch should apply on Aurora cleanly.

How likely is this patch to cause regressions; how much testing does it need?
Not likely; it's pretty much just porting code over from the old way of doing things to the new way. Not much testing needed.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 924103
User impact if declined: security issue
Testing completed (on m-c, etc.): none
Risk to taking this patch (and alternatives if risky): very low
String or IDL/UUID changes made by this patch: none
Attachment #8359792 - Flags: sec-approval?
Attachment #8359792 - Flags: approval-mozilla-aurora?
Comment on attachment 8359792 [details] [diff] [review]
v2

sec-approval+ for trunk and Aurora approval. It should go into trunk and be green there first.

Once it is in both places, you can check in a test if you want since we won't zero day any users.
Attachment #8359792 - Flags: sec-approval?
Attachment #8359792 - Flags: sec-approval+
Attachment #8359792 - Flags: approval-mozilla-aurora?
Attachment #8359792 - Flags: approval-mozilla-aurora+
Blocks: 958977
No longer blocks: 958977
Duplicate of this bug: 958977
https://hg.mozilla.org/mozilla-central/rev/99eff7ae7035
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
I was not able to reproduce the error on builds before the fix using three different Linux x64 machines. I tried to build on Mac and Windows but I encountered some errors and was unable to do so (if someone can provide some guidance regarding this, please e-mail me), therefore I cannot verify that the issue is fixed.
Abhishek Arya, can you please verify that the issue is fixed on Nightly and Aurora?
Flags: needinfo?(inferno)
Comment 20 (Reporter, 6 years ago)
(In reply to Bogdan Maris, QA [:bogdan_maris] from comment #19)
> I was not able to reproduce the error on builds before the fix using three
> different Linux x64 machines. I tried to build on Mac and Windows but I
> encountered some errors and was unable to do so (If someone can provide some
> guidance regarding this please e-mail me), therefore I cannot verify that
> the issue is fixed. 
> Abhishek Arya can you please verify that the issue is fixed on Nightly and
> Aurora?

Looks like you are not testing on AddressSanitizer builds. These won't crash on regular builds - https://developer.mozilla.org/en-US/docs/Building_Firefox_with_Address_Sanitizer.

So, I tested using the two repros in this bug on a trunk build.
Testcase #1 (zip archive): Not fixed. Might be the reason I am seeing this in https://bugzilla.mozilla.org/show_bug.cgi?id=961517#c1. Up to you, if you want to reopen this bug or carry the discussion in bug 961517.
Testcase #2 (abc.svg): fixed.
Flags: needinfo?(inferno)

Comment 21 (6 years ago)
Both Testcase #1 and repro from duplicate bug 958977 still trigger this in current Aurora for me.
Comment 22 (Assignee, 6 years ago)
OK, looks like this is not completely fixed, so I'm unduping bug 958977 and doing the rest of the work there.
Do we need to unmark the "fixed" status for 27 and 28?
Comment 24 (Assignee, 6 years ago)
The abc.svg testcase is fixed, so no, I don't think we should unmark anything.
Flags: sec-bounty? → sec-bounty+
Updated (Assignee, 6 years ago)
Blocks: 959502
Comment 26 (Reporter, 5 years ago)
(In reply to Markus Stange [:mstange] from comment #22)
> OK, looks like this is not completely fixed, so I'm unduping bug 958977 and
> doing the rest of the work there.

Can I be cc'ed on 958977?
Duplicate of this bug: 959502
Confirmed crash on ASan build of Fx29, 2013-12-19.
Verified fixed on ASan builds of Fx28, Fx29, 2014-03-01.
Status: RESOLVED → VERIFIED

Comment 31 (4 years ago)
Landed the SVG test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/039d86557933

Although now that I think about it, I should've landed the first test too.
Leaving in-testsuite? for that.
Group: core-security

Comment 32 (4 years ago)
Landed also the first attached testcase in:
https://hg.mozilla.org/integration/mozilla-inbound/rev/029f26a9f518
Flags: in-testsuite? → in-testsuite+