Bug 971189 (Closed)
Opened 10 years ago
Closed 10 years ago
Faulty/ASan: heap use-after-free of a gfxImageSurface by imgRequest::UpdateCacheEntrySize
Categories: Core :: Graphics: ImageLib, defect
Status: RESOLVED INVALID
People: Reporter: bjacob, Unassigned
References: Blocks 1 open bug
Attachments: 1 file (27.44 KB, text/plain)
Description (Reporter):
Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067. This looks like an ImageLib bug, but I hit it by fuzzing only gfx/layers IPC protocols, so I suspect it has something to do with graphics. This is a client-side crash, but for some reason it is causing a hang of the parent process (I am running a desktop Linux build with tabs.remote), which is why I care. I don't want us to focus on that aspect for now though, because I have a massive pile of local patches which might be causing this collateral damage. Let's focus on the ImageLib use-after-free for now.
Comment 1 (Reporter, 10 years ago):
This reproduces easily with FAULTY_SEED=154317361 FAULTY_PICKLE=1 FAULTY_PARENT=1 FAULTY_ENABLE_LOGGING=1 FAULTY_PROBABILITY=1000 ./mach reftest --debugger=gdb image/test/reftest/encoders-lossless
Comment 2 (Reporter, 10 years ago):
A Google search turned this up... ASan bug already reported by our own, most excellent, people, and already fixed upstream --- I'm still using clang 3.3.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Comment 3 (Reporter, 10 years ago):
https://code.google.com/p/address-sanitizer/issues/detail?id=193
Comment 4 (Reporter, 10 years ago):
The workaround given there works: ASAN_OPTIONS=check_malloc_usable_size=0
Updated 10 years ago: Group: core-security