Closed Bug 959502 Opened 6 years ago Closed 6 years ago

heap-buffer-overflow (write) at mozilla::gfx::ConvertToB8G8R8A8_SIMD

Categories

Product/Component: Core :: Graphics
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED DUPLICATE of bug 944579
Target Milestone: mozilla29
Tracking Status
firefox27 --- unaffected
firefox28 + verified
firefox29 + verified
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed

People

(Reporter: aki.helin, Assigned: mstange)

References

Details

(Keywords: csectype-bounds, regression, sec-critical)

Attachments

(1 file)

Attached image ff-bofw.svg
ASan spots a heap buffer overflow (write) when the attached SVG is opened. The original test case caused a SEGV at a high unknown address. This reduced version causes a buffer overflow to be detected, but it may, for example, also have hit a random object by chance via an integer error.

==6131==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x7fbdc84637c5 in mozilla::TemporaryRef<mozilla::gfx::DataSourceSurface> mozilla::gfx::ConvertToB8G8R8A8_SIMD<long long __vector(2)>(mozilla::gfx::SourceSurface*) /home/aki/src/mozilla-aurora/gfx/2d/FilterProcessingSIMD-inl.h:68
    #1 0x7fbdc845f08a in mozilla::gfx::FilterProcessing::ConvertToB8G8R8A8_SSE2(mozilla::gfx::SourceSurface*) /home/aki/src/mozilla-aurora/gfx/2d/FilterProcessingSSE2.cpp:26
    #2 0x7fbdc84d731d in mozilla::gfx::FilterProcessing::ConvertToB8G8R8A8(mozilla::gfx::SourceSurface*) /home/aki/src/mozilla-aurora/gfx/2d/FilterProcessing.cpp:37
    #3 0x7fbdc84ae3dd in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:739
    #4 0x7fbdc84baf18 in mozilla::gfx::FilterNodeDisplacementMapSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:2360
    #5 0x7fbdc84aaaa0 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:605
    #6 0x7fbdc84adca5 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:691
    #7 0x7fbdc84c0059 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:2846
    #8 0x7fbdc84aaaa0 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:605
    #9 0x7fbdc84aa3ba in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:573
    #10 0x7fbdc43b4267 in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<mozilla::RefPtr<mozilla::gfx::SourceSurface> >&) /home/aki/src/mozilla-aurora/gfx/src/FilterSupport.cpp:1116
    #11 0x7fbdc6fae616 in nsSVGFilterInstance::Render(gfxContext*) /home/aki/src/mozilla-aurora/layout/svg/nsSVGFilterInstance.cpp:475
[...]

Filing as a security issue due to bug type.
Could you look at this mstange?  Thanks.
Flags: needinfo?(mstange)
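The page does not record the root cause of this overflow (the fix landed in bug 944579, which is not reproduced here), so nothing below should be read as Gecko's FilterProcessing code or as the actual defect. As an added illustration of the bug class the csectype-bounds keyword denotes, here is hypothetical C: a pixel-format conversion into B8G8R8A8 that validates both the source and the destination allocation (row length against stride, whole-surface span against capacity, and the size arithmetic itself) before it writes a single byte. The Surface type, surface_new, bytes_spanned and the demo_* functions are assumptions of this example. Built with -fsanitize=address and with the span checks removed, the undersized-destination case reports the same "heap-buffer-overflow (write)" class that ASan flagged in the trace above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical surface descriptor for this example (not Gecko's
 * DataSourceSurface). capacity is the allocation size in bytes; it is
 * what ASan enforces implicitly and what the explicit check below uses. */
typedef struct {
    uint8_t *data;
    size_t   stride;    /* bytes per row; may exceed width*bpp (row padding) */
    int32_t  width;
    int32_t  height;
    int      bpp;       /* bytes per pixel: 1 = A8, 3 = R8G8B8, 4 = B8G8R8A8 */
    size_t   capacity;  /* bytes allocated at data */
} Surface;

Surface *surface_new(int32_t width, int32_t height, int bpp, size_t stride, size_t capacity)
{
    Surface *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->data = calloc(capacity ? capacity : 1, 1);
    if (!s->data) { free(s); return NULL; }
    s->width = width;  s->height = height;  s->bpp = bpp;
    s->stride = stride; s->capacity = capacity;
    return s;
}

void surface_free(Surface *s)
{
    if (s) { free(s->data); free(s); }
}

/* Bytes covered by rows 0..height-1: (height-1)*stride + row_bytes.
 * Returns 0 when the multiplication would overflow size_t. Caller
 * guarantees stride >= row_bytes > 0. */
static size_t bytes_spanned(size_t height, size_t stride, size_t row_bytes)
{
    if (height - 1 > (SIZE_MAX - row_bytes) / stride) return 0;
    return (height - 1) * stride + row_bytes;
}

/* Converts src (A8, R8G8B8 or B8G8R8A8) into dst (B8G8R8A8).
 * Returns 0 on success, -1 if any read or write would leave its
 * allocation. All checks happen before the first byte is written. */
int convert_to_b8g8r8a8(const Surface *src, Surface *dst)
{
    if (!src || !dst || !src->data || !dst->data) return -1;
    if (src->width <= 0 || src->height <= 0) return -1;
    if (dst->width != src->width || dst->height != src->height) return -1;
    if (dst->bpp != 4) return -1;
    if (src->bpp != 1 && src->bpp != 3 && src->bpp != 4) return -1;

    size_t w = (size_t)src->width, h = (size_t)src->height;
    if (w > SIZE_MAX / 4) return -1;                 /* row length overflow */
    size_t src_row = w * (size_t)src->bpp;
    size_t dst_row = w * 4;
    if (src->stride < src_row || dst->stride < dst_row) return -1;

    size_t src_span = bytes_spanned(h, src->stride, src_row);
    size_t dst_span = bytes_spanned(h, dst->stride, dst_row);
    if (src_span == 0 || dst_span == 0) return -1;   /* span arithmetic overflow */
    if (src_span > src->capacity || dst_span > dst->capacity) return -1;

    for (size_t y = 0; y < h; y++) {
        const uint8_t *s = src->data + y * src->stride;
        uint8_t *d = dst->data + y * dst->stride;
        switch (src->bpp) {
        case 4:                       /* already B8G8R8A8: copy the row */
            memcpy(d, s, dst_row);
            break;
        case 3:                       /* R8G8B8 -> B8G8R8A8, opaque alpha */
            for (size_t x = 0; x < w; x++) {
                d[4*x + 0] = s[3*x + 2];
                d[4*x + 1] = s[3*x + 1];
                d[4*x + 2] = s[3*x + 0];
                d[4*x + 3] = 0xff;
            }
            break;
        case 1:                       /* A8 -> premultiplied: colour 0, alpha from src */
            for (size_t x = 0; x < w; x++) {
                d[4*x + 0] = 0; d[4*x + 1] = 0; d[4*x + 2] = 0;
                d[4*x + 3] = s[x];
            }
            break;
        }
    }
    return 0;
}

/* Constructed 3x2 R8G8B8 input with a correctly sized output. Returns the
 * converted pixel (0,0) packed as B<<24 | G<<16 | R<<8 | A, or 0 on failure. */
uint32_t demo_pixel00(void)
{
    Surface *src = surface_new(3, 2, 3, 9, 18);
    Surface *dst = surface_new(3, 2, 4, 12, 24);
    uint32_t packed = 0;
    if (src && dst) {
        src->data[0] = 0x10; src->data[1] = 0x20; src->data[2] = 0x30;  /* R, G, B */
        if (convert_to_b8g8r8a8(src, dst) == 0)
            packed = ((uint32_t)dst->data[0] << 24) | ((uint32_t)dst->data[1] << 16) |
                     ((uint32_t)dst->data[2] << 8)  |  (uint32_t)dst->data[3];
    }
    surface_free(src); surface_free(dst);
    return packed;
}

/* Destination allocated as if for 3 bytes per pixel (18 bytes) but
 * described as 4 bpp: the span check must reject it before any write. */
int demo_undersized_dst(void)
{
    Surface *src = surface_new(3, 2, 3, 9, 18);
    Surface *dst = surface_new(3, 2, 4, 12, 18);
    int rc = (src && dst) ? convert_to_b8g8r8a8(src, dst) : -1;
    surface_free(src); surface_free(dst);
    return rc;
}

int main(void)
{
    return (demo_pixel00() == 0x302010ffu && demo_undersized_dst() == -1) ? 0 : 1;
}
```

The check that matters is the span against capacity, not a per-pixel check: a SIMD conversion writes whole rows at a time, so the only place a cheap, exact bound can be enforced is before the loop, from the destination format's row length and stride rather than the source's.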
Assignee: nobody → mstange
Status: NEW → ASSIGNED
Flags: needinfo?(mstange)
Blocks: 924102
Keywords: regression
Going to assume an out-of-bounds write is exploitable until proven otherwise.
It looks like this was fixed by bug 944579. Aki, can you confirm?
Flags: needinfo?(aki.helin)
Seems to be fixed. Repro has no effect here in a fresh Aurora build.
Flags: needinfo?(aki.helin)
Great!
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Depends on: 944579
Resolution: --- → FIXED
Calling this verified based on Aki's testing.
Status: RESOLVED → VERIFIED
Target Milestone: --- → mozilla29
Flags: sec-bounty?
Status: VERIFIED → RESOLVED
Closed: 6 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: FIXED → DUPLICATE
Duplicate of bug: 944579
Group: core-security