Closed
Bug 959502
Opened 12 years ago
Closed 11 years ago
heap-buffer-overflow (write) at mozilla::gfx::ConvertToB8G8R8A8_SIMD
Categories
(Core :: Graphics, defect)
RESOLVED DUPLICATE of bug 944579
Target Milestone: mozilla29
Version | Tracking | Status |
---|---|---|
firefox27 | --- | unaffected |
firefox28 | + | verified |
firefox29 | + | verified |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.2 | --- | unaffected |
b2g-v1.3 | --- | fixed |
b2g-v1.3T | --- | fixed |
b2g-v1.4 | --- | fixed |
People
(Reporter: aki.helin, Assigned: mstange)
Attachments (1 file): 514 bytes, image/svg+xml
ASan spots a heap buffer overflow (write) when the attached SVG is opened. The original testcase caused a SEGV at a high, unknown address. This reduced version causes a buffer overflow to be detected, but it may, for example, also have hit a random object by chance via an integer error.
==6131==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x7fbdc84637c5 in mozilla::TemporaryRef<mozilla::gfx::DataSourceSurface> mozilla::gfx::ConvertToB8G8R8A8_SIMD<long long __vector(2)>(mozilla::gfx::SourceSurface*) /home/aki/src/mozilla-aurora/gfx/2d/FilterProcessingSIMD-inl.h:68
#1 0x7fbdc845f08a in mozilla::gfx::FilterProcessing::ConvertToB8G8R8A8_SSE2(mozilla::gfx::SourceSurface*) /home/aki/src/mozilla-aurora/gfx/2d/FilterProcessingSSE2.cpp:26
#2 0x7fbdc84d731d in mozilla::gfx::FilterProcessing::ConvertToB8G8R8A8(mozilla::gfx::SourceSurface*) /home/aki/src/mozilla-aurora/gfx/2d/FilterProcessing.cpp:37
#3 0x7fbdc84ae3dd in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:739
#4 0x7fbdc84baf18 in mozilla::gfx::FilterNodeDisplacementMapSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:2360
#5 0x7fbdc84aaaa0 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:605
#6 0x7fbdc84adca5 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:691
#7 0x7fbdc84c0059 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:2846
#8 0x7fbdc84aaaa0 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:605
#9 0x7fbdc84aa3ba in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::DrawOptions const&) /home/aki/src/mozilla-aurora/gfx/2d/FilterNodeSoftware.cpp:573
#10 0x7fbdc43b4267 in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<mozilla::RefPtr<mozilla::gfx::SourceSurface> >&) /home/aki/src/mozilla-aurora/gfx/src/FilterSupport.cpp:1116
#11 0x7fbdc6fae616 in nsSVGFilterInstance::Render(gfxContext*) /home/aki/src/mozilla-aurora/layout/svg/nsSVGFilterInstance.cpp:475
[...]
Filing as a security issue due to bug type.
Updated•12 years ago
Assignee: nobody → mstange
Status: NEW → ASSIGNED
Flags: needinfo?(mstange)
Updated•12 years ago
Blocks: 924102
Keywords: regression
Updated•12 years ago
status-b2g18: --- → unaffected
status-firefox27: --- → unaffected
status-firefox28: --- → affected
status-firefox29: --- → affected
status-firefox-esr24: --- → unaffected
Comment 2•12 years ago
going to assume an out of bounds write is exploitable until proven otherwise
Keywords: csectype-bounds, sec-critical
Updated•12 years ago
tracking-firefox28: --- → +
tracking-firefox29: --- → +
Comment 3•12 years ago
It looks like this was fixed by bug 944579. Aki, can you confirm?
Flags: needinfo?(aki.helin)
Seems to be fixed. Repro has no effect here in a fresh Aurora build.
Flags: needinfo?(aki.helin)
Comment 5•12 years ago
Great!
Calling this verified based on Aki's testing.
Updated•12 years ago
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → fixed
status-b2g-v1.4: --- → fixed
Target Milestone: --- → mozilla29
Updated•11 years ago
Flags: sec-bounty?
Updated•11 years ago
status-b2g-v1.3T: --- → fixed
Updated•11 years ago
Status: VERIFIED → RESOLVED
Closed: 12 years ago → 11 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: FIXED → DUPLICATE
Updated•10 years ago
Group: core-security
Updated•1 year ago
Keywords: reporter-external