Bug 1329396
Opened 8 years ago
Closed 8 years ago
Heap-buffer-overflow read in expandToRuns
Categories: Core :: Graphics, defect
Status: RESOLVED DUPLICATE of bug 1330166
People: Reporter: attekett, Unassigned
Attachments (1 file): (deleted), text/html
Tested on:
OS: Ubuntu 16.04
Firefox: ASAN build of moz_source_stamp: 2bd53e4e662bcdd32c53cb4e09ceff088e8f6369
Minimized repro file as an attachment.
ASAN trace:
=================================================================
==9130==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600093b63a at pc 0x7f49b1cbe066 bp 0x7ffc65b596c0 sp 0x7ffc65b596b8
READ of size 1 at 0x60600093b63a thread T0
#0 0x7f49b1cbe065 in expandToRuns /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkAAClip.cpp:1891:13
#1 0x7f49b1cbe065 in SkAAClipBlitter::blitH(int, int, int) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkAAClip.cpp:1933
#2 0x7f49b22aec4a in walk_edges /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_Path.cpp:163:21
#3 0x7f49b22aec4a in sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_Path.cpp:514
#4 0x7f49b22ada88 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_Path.cpp:670:9
#5 0x7f49b22afd50 in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkScan_AntiPath.cpp:747:9
#6 0x7f49b1ffc816 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1097:5
#7 0x7f49b1ffd35b in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkDraw.cpp:1190:5
#8 0x7f49b1cd757a in drawPath /home/worker/workspace/build/src/gfx/skia/skia/include/core/SkDraw.h:54:9
#9 0x7f49b1cd757a in SkBitmapDevice::drawPath(SkDraw const&, SkPath const&, SkPaint const&, SkMatrix const*, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:227
#10 0x7f49b1d08faf in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:2310:9
#11 0x7f49aa2cd1cc in mozilla::gfx::DrawTargetSkia::Stroke(mozilla::gfx::Path const*, mozilla::gfx::Pattern const&, mozilla::gfx::StrokeOptions const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:785:3
#12 0x7f49af90096d in nsCSSRendering::PaintDecorationLine(nsIFrame*, mozilla::gfx::DrawTarget&, nsCSSRendering::PaintDecorationLineParams const&) /home/worker/workspace/build/src/layout/painting/nsCSSRendering.cpp:5025:7
#13 0x7f49af43c321 in nsTextFrame::PaintDecorationLine(nsTextFrame::PaintDecorationLineParams const&) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:5821:5
#14 0x7f49af43d2c8 in nsTextFrame::DrawSelectionDecorations(gfxContext*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::SelectionType, nsTextPaintStyle&, mozilla::TextRangeStyle const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, double, double, double, gfxFont::Metrics const&, nsTextFrame::DrawPathCallbacks*, bool, double, unsigned char) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:5962:3
#15 0x7f49af446f83 in nsTextFrame::PaintTextSelectionDecorations(nsTextFrame::PaintTextSelectionParams const&, SelectionDetails*, mozilla::SelectionType) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:6503:7
.
.
.
0x60600093b63a is located 0 bytes to the right of 58-byte region [0x60600093b600,0x60600093b63a)
allocated by thread T0 here:
#0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e113d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7f49b1cb9600 in Alloc /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkAAClip.cpp:77:35
#3 0x7f49b1cb9600 in SkAAClip::Builder::finish(SkAAClip*) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkAAClip.cpp:1092
#4 0x7f49b1cbb9f2 in SkAAClip::op(SkAAClip const&, SkAAClip const&, SkRegion::Op) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkAAClip.cpp:1723:12
#5 0x7f49b1cbd19c in SkAAClip::op(SkRect const&, SkRegion::Op, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkAAClip.cpp:1796:12
#6 0x7f49b225d19e in SkRasterClip::op(SkRect const&, SkMatrix const&, SkIRect const&, SkRegion::Op, bool) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkRasterClip.cpp:371:15
#7 0x7f49b1cf932b in SkCanvas::onClipRect(SkRect const&, SkClipOp, SkCanvas::ClipEdgeStyle) /home/worker/workspace/build/src/gfx/skia/skia/src/core/SkCanvas.cpp:1551:5
#8 0x7f49aa2db889 in mozilla::gfx::DrawTargetSkia::PushClipRect(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) /home/worker/workspace/build/src/gfx/2d/DrawTargetSkia.cpp:1957:3
#9 0x7f49af8ff5d0 in PushClipRect /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/gfx/Helpers.h:71:5
#10 0x7f49af8ff5d0 in nsCSSRendering::PaintDecorationLine(nsIFrame*, mozilla::gfx::DrawTarget&, nsCSSRendering::PaintDecorationLineParams const&) /home/worker/workspace/build/src/layout/painting/nsCSSRendering.cpp:4856
#11 0x7f49af43c321 in nsTextFrame::PaintDecorationLine(nsTextFrame::PaintDecorationLineParams const&) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:5821:5
#12 0x7f49af43d2c8 in nsTextFrame::DrawSelectionDecorations(gfxContext*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::SelectionType, nsTextPaintStyle&, mozilla::TextRangeStyle const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, double, double, double, gfxFont::Metrics const&, nsTextFrame::DrawPathCallbacks*, bool, double, unsigned char) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:5962:3
#13 0x7f49af446f83 in nsTextFrame::PaintTextSelectionDecorations(nsTextFrame::PaintTextSelectionParams const&, SelectionDetails*, mozilla::SelectionType) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:6503:7
#14 0x7f49af447d36 in nsTextFrame::PaintTextWithSelection(nsTextFrame::PaintTextSelectionParams const&, nsCharClipDisplayItem::ClipEdges const&) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:6542:7
#15 0x7f49af433192 in nsTextFrame::PaintText(nsTextFrame::PaintTextParams const&, nsCharClipDisplayItem const&, float) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:6923:9
#16 0x7f49af4306d9 in nsDisplayText::RenderToContext(gfxContext*, nsDisplayListBuilder*, bool) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:5119:3
#17 0x7f49af4310f8 in nsDisplayText::Paint(nsDisplayListBuilder*, nsRenderingContext*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:5032:3
.
.
.
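The trace above pins the fault to a single-byte read in a run decoder that lands exactly at the end of an exactly-sized heap region (0 bytes to the right of a 58-byte allocation made when the clip was built). The following C program is an added illustration of that bug class and is not Skia's code, not its expandToRuns, and not the fix that resolved this bug; the encoding (rows of (count, alpha) byte pairs that must cover `width` pixels), the function names and the sample rows are all hypothetical and constructed here. It puts a decoder that trusts the stream next to one that checks every pair against the row's byte length. Compile with `clang -g -fsanitize=address` and run it to see the same kind of "heap-buffer-overflow READ of size 1" report as in the bug.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Illustrative run-length decoder for one anti-aliased coverage row.
 * Assumed encoding: a row is a sequence of (count, alpha) byte pairs whose
 * counts add up to exactly `width`. The row bytes live in a heap block sized
 * exactly to the encoded data, so a decoder that reads one pair too many
 * touches the byte right after the allocation, which is what an ASan
 * "0 bytes to the right of" report describes. NOT Skia's expandToRuns;
 * every name here is hypothetical.
 */

/* Exact-size heap copy of an encoded row, standing in for a builder that
 * allocates precisely as many bytes as it emitted. Caller frees. */
static uint8_t *heap_row(const uint8_t *src, size_t len)
{
    uint8_t *p = malloc(len);
    if (p != NULL)
        memcpy(p, src, len);
    return p;
}

/* Unchecked decoder: trusts the stream to cover `width`. If the encoded
 * runs stop short, the loop loads data[0]/data[1] from beyond the row.
 * Built with -fsanitize=address, a truncated row yields a
 * heap-buffer-overflow READ of size 1 at the `data[0]` load. */
static int expand_runs_unchecked(const uint8_t *data, int width, uint8_t *aa)
{
    int x = 0;
    while (x < width) {
        int n = data[0];            /* run count: the 1-byte read */
        uint8_t alpha = data[1];    /* coverage value for the run */
        if (n > width - x)
            n = width - x;
        memset(aa + x, alpha, (size_t)n);
        x += n;
        data += 2;
    }
    return x;
}

/* Hardened decoder: the caller passes the row's byte length, every pair is
 * checked against it before the load, and zero-length runs (which would make
 * no progress) are rejected. Returns bytes consumed, or -1 on malformed input. */
static int expand_runs_checked(const uint8_t *data, size_t data_len,
                               int width, uint8_t *aa)
{
    int x = 0;
    size_t pos = 0;
    while (x < width) {
        if (data_len - pos < 2)     /* next pair is not inside the row */
            return -1;
        int n = data[pos];
        uint8_t alpha = data[pos + 1];
        if (n == 0)                 /* no progress possible: malformed */
            return -1;
        if (n > width - x)
            n = width - x;
        memset(aa + x, alpha, (size_t)n);
        x += n;
        pos += 2;
    }
    return (int)pos;
}

int main(void)
{
    /* Constructed sample rows, 10 pixels wide. */
    static const uint8_t good[] = {3, 0, 4, 255, 3, 128};   /* 3+4+3 = 10 */
    static const uint8_t truncated[] = {3, 0, 4, 255};      /* 3+4 = 7 < 10 */
    uint8_t aa[10];

    uint8_t *row = heap_row(truncated, sizeof truncated);
    if (row == NULL)
        return 1;
    printf("checked, good row: consumed %d bytes\n",
           expand_runs_checked(good, sizeof good, 10, aa));
    printf("checked, truncated row: %d\n",
           expand_runs_checked(row, sizeof truncated, 10, aa));
    /* Under ASan the next call reports heap-buffer-overflow READ of size 1,
     * 0 bytes to the right of the 4-byte region allocated in heap_row. */
    expand_runs_unchecked(row, 10, aa);
    free(row);
    return 0;
}
```

The point of the checked variant is that the decoder is given the length of the region it walks and tests it before the load, rather than relying on the encoder having produced runs that cover the row; the zero-run rejection closes the other way a malformed stream can push the loop past the end.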
Updated•8 years ago
Group: core-security → gfx-core-security
Component: Graphics: Text → Graphics
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 2•8 years ago
(This isn't a duplicate for bounty purposes, just for internal patching process.)
Updated•5 years ago
Group: gfx-core-security