Closed Bug 971189 Opened 10 years ago Closed 10 years ago

Faulty/ASan: heap use-after-free of a gfxImageSurface by imgRequest::UpdateCacheEntrySize

Categories

(Core :: Graphics: ImageLib, defect)

x86_64
Linux
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: bjacob, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Attached file Faulty/ASan session
Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067

This looks like an ImageLib bug, but I hit it by fuzzing only gfx/layers IPC protocols, so I suspect it has something to do with graphics.

This is a client-side crash, but for some reason, it is causing a hang of the parent process (I am running a desktop Linux build with tabs.remote), which is why I care. I don't want us to focus on that aspect for now though, because I have a massive pile of local patches which might be causing this collateral damage.

Let's focus on the ImageLib use-after-free for now.
This reproduces easily with

FAULTY_SEED=154317361 FAULTY_PICKLE=1 FAULTY_PARENT=1 FAULTY_ENABLE_LOGGING=1 FAULTY_PROBABILITY=1000 ./mach reftest --debugger=gdb image/test/reftest/encoders-lossless
A Google search turned this up... ASan bug already reported by our own, most excellent, people, and already fixed upstream --- I'm still using clang 3.3.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
The workaround given there works:

ASAN_OPTIONS=check_malloc_usable_size=0
Group: core-security