Closed
Bug 1679936
Opened 4 years ago
Closed 4 years ago
[GFX] heap-use-after-free on address 0x614000213288 at pc 0x7f639a2affc8 bp 0x7ffcea9da0d0 sp 0x7ffcea9da0c8
Categories
(Core :: Graphics, task)
Core
Graphics
Tracking
()
RESOLVED
DUPLICATE
of bug 1679560
People
(Reporter: simonjohnathan, Unassigned)
Details
(Whiteboard: [reporter-external] [client-bounty-form] [verif?])
0x7f639a2b0e8d in gfxFontCache::DestroyFont(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:287:3
Free:
delete aFont;
gfxFontCache::HashEntry::KeyEquals(gfxFontCache::Key const*) const /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:219:55
Use:
const gfxCharacterMap* fontUnicodeRangeMap = mFont->GetUnicodeRangeMap();
Log:
ERROR: AddressSanitizer: heap-use-after-free on address 0x614000213288 at pc 0x7f639a2affc8 bp 0x7ffcea9da0d0 sp 0x7ffcea9da0c8
READ of size 8 at 0x614000213288 thread T0
#0 0x7f639a2affc7 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
#1 0x7f639a2affc7 in GetUnicodeRangeMap /builds/worker/workspace/obj-build/dist/include/gfxFont.h:1739:29
#2 0x7f639a2affc7 in gfxFontCache::HashEntry::KeyEquals(gfxFontCache::Key const*) const /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:219:55
#3 0x7f63979d698c in SearchTable<PLDHashTable::ForSearchOrRemove, (lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:498:7), (lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp
:499:7)> /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:373:11
#4 0x7f63979d698c in PLDHashTable::Search(void const*) const /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:496:10
#5 0x7f639a2b0e30 in GetEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:210:16
#6 0x7f639a2b0e30 in gfxFontCache::DestroyFont(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:281:29
#7 0x7f639a2b0b8b in gfxFontCache::NotifyExpired(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:275:3
#8 0x7f639a274547 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::AgeOneGenerationLocked(detail::PlaceholderAutoLock const&) /builds/worker/workspace/obj-build/dist
/include/nsExpirationTracker.h:252:7
#9 0x7f639a2f72c6 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::HandleTimeout() /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:433:7
#10 0x7f6397b293a2 in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:562:7
#11 0x7f6397b28c6d in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:251:11
#12 0x7f6397b14ae9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:245:16
#13 0x7f6397b115d7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:515
:26
#14 0x7f6397b0f477 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:374:1
5
#15 0x7f6397b0f8cd in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:171:36
#16 0x7f6397b1c3b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:85:37
#17 0x7f6397b1c3b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#18 0x7f6397b3bffb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
#19 0x7f6397b46cfc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#20 0x7f6398ccfefa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#21 0x7f6398bf3cf1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#22 0x7f6398bf3cf1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#23 0x7f6398bf3cf1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#24 0x7f639f11db77 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#25 0x7f63a291131a in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:270:30
#26 0x7f63a2b37b7f in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5086:22
#27 0x7f63a2b39f3b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5278:8
#28 0x7f63a2b3a843 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5334:21
#29 0x55ffcfa4de5b in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:218:22
#30 0x55ffcfa4de5b in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:336:16
#31 0x7f63b0b4e151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
#32 0x55ffcf9a0cb5 in _start (/mnt/firefox2/firefoxa/firefox/firefox-bin8+0x55cb5)
0x614000213288 is located 72 bytes inside of 408-byte region [0x614000213240,0x6140002133d8)
freed by thread T0 here:
#0 0x55ffcfa1a8bd in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#1 0x7f639a2b0e8d in gfxFontCache::DestroyFont(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:287:3
#2 0x7f639a2b0b8b in gfxFontCache::NotifyExpired(gfxFont*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:275:3
#3 0x7f639a274547 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::AgeOneGenerationLocked(detail::PlaceholderAutoLock const&) /builds/worker/workspace/obj-build/dist
/include/nsExpirationTracker.h:252:7
#4 0x7f639a2f72c6 in ExpirationTrackerImpl<gfxFont, 3u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::HandleTimeout() /builds/worker/workspace/obj-build/dist/include/nsExpirationTracker.h:433:7
#5 0x7f6397b293a2 in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:562:7
#6 0x7f6397b28c6d in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:251:11
#7 0x7f6397b14ae9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:245:16
#8 0x7f6397b115d7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:515:
26
#9 0x7f6397b0f477 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:374:15
#10 0x7f6397b0f8cd in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:171:36
#11 0x7f6397b1c3b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:85:37
#12 0x7f6397b1c3b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#13 0x7f6397b3bffb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:14
#14 0x7f6397b46cfc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#15 0x7f6398ccfefa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#16 0x7f6398bf3cf1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#17 0x7f6398bf3cf1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#18 0x7f6398bf3cf1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#19 0x7f639f11db77 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#20 0x7f63a291131a in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:270:30
#21 0x7f63a2b37b7f in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5086:22
#22 0x7f63a2b39f3b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5278:8
previously allocated by thread T0 here:
#0 0x55ffcfa1ab3d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x55ffcfa5f76d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f639a235a6b in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7f639a235a6b in gfxFontconfigFontEntry::CreateFontInstance(gfxFontStyle const*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFcPlatformFontList.cpp:863:22
#4 0x7f639a286e73 in gfxFontEntry::FindOrMakeFont(gfxFontStyle const*, gfxCharacterMap*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:276:24
#5 0x7f639a40c332 in gfxFontGroup::GetFontAt(int, unsigned int, bool*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2053:16
#6 0x7f639a40db42 in gfxFontGroup::GetFirstValidFont(unsigned int, mozilla::StyleGenericFontFamily*) /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:2275:12
#7 0x7f639f530f0e in Gecko_GetFontMetrics /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:1457:33
#8 0x7f63a4f3ef60 in _$LT$style..gecko..wrapper..GeckoFontMetricsProvider$u20$as$u20$style..font_metrics..FontMetricsProvider$GT$::query::ha861e20fc8648b9e /builds/worker/checkouts/gecko/servo/components/style
/gecko/wrapper.rs:984:13
#9 0x7f63a4e8fc0a in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::query_font_metrics::ha157f71ab70a6655 /builds/worker/checkouts/gecko/servo/components/style/values/spe
cified/length.rs:158:13
#10 0x7f63a4e8fc0a in style::values::specified::length::FontRelativeLength::reference_font_size_and_length::hd41f4b6ef6ffd921 /builds/worker/checkouts/gecko/servo/components/style/values/specified/length.rs:18
6:21
#11 0x7f63a4e8fc0a in style::values::specified::length::FontRelativeLength::to_computed_value::h59ca61bf28509c7b /builds/worker/checkouts/gecko/servo/components/style/values/specified/length.rs:137:40
#12 0x7f63a4e8e602 in style::values::computed::length::_$LT$impl$u20$style..values..computed..ToComputedValue$u20$for$u20$style..values..specified..length..NoCalcLength$GT$::to_computed_value::hfcc24f1eeb55e74
5 /builds/worker/checkouts/gecko/servo/components/style/values/computed/length.rs:36:17
#13 0x7f63a4e9647e in _$LT$style..values..specified..border..BorderSideWidth$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::ha4c00ee01f2c516e /builds/worker/checkouts/gecko/servo/c
omponents/style/values/computed/length.rs
#14 0x7f63a4e82f89 in style::properties::longhands::border_bottom_width::cascade_property::h875a70f01cbacab5 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-954e080f888cf447/out
/longhands/border.rs:995:32
#15 0x7f63a4a38704 in style::properties::cascade::Cascade::apply_declaration::hfb8ffc6bbfd976c9 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:556:9
#16 0x7f63a4a38704 in style::properties::cascade::Cascade::apply_properties::ha71073540874bc27 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:673:13
#17 0x7f63a4a37271 in style::properties::cascade::apply_declarations::h3f1289d9b63cf3ef /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:349:9
#18 0x7f63a4a37271 in style::properties::cascade::cascade_rules::h90893687e61166eb /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:210:5
#19 0x7f63a4a3601e in style::properties::cascade::cascade::h43aa159441b3dbce /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:93:5
#20 0x7f63a4a3601e in style::stylist::Stylist::cascade_style_and_visited::h8c21f2f24c008a41 /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:905:9
#21 0x7f63a4a3601e in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::had405ee73bfaa6b6 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:342:22
#22 0x7f63a4a45324 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::h3c5a69d0babf79cb /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:239:20
#23 0x7f63a4af6050 in style::traversal::resolve_style::h1b2068ccf49433ef /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:348:29
#24 0x7f63a4af6050 in Servo_ResolveStyleLazily /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:5507:18
#25 0x7f639f583eaa in mozilla::ServoStyleSet::ResolveStyleLazily(mozilla::dom::Element&, mozilla::PseudoStyleType, mozilla::StyleRuleInclusion) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:114
0:10
#26 0x7f639a73b899 in GetComputedStyleNoFlush /builds/worker/checkouts/gecko/layout/style/nsComputedDOMStyle.h:94:12
#27 0x7f639a73b899 in mozilla::dom::KeyframeEffect::GetTargetComputedStyle(mozilla::dom::KeyframeEffect::Flush) const /builds/worker/checkouts/gecko/dom/animation/KeyframeEffect.cpp:1030:16
#28 0x7f639a727308 in mozilla::dom::KeyframeEffect::SetKeyframes(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/animation/KeyframeEffect.cpp:246:33
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
0x0c288003a600: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c288003a610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c288003a620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c288003a630: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c288003a640: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c288003a650: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c288003a660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c288003a670: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c288003a680: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c288003a690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c288003a6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
ABORTING
Reducing testcase but not sure if needed.
Flags: sec-bounty?
Summary: [GFX] ERROR: AddressSanitizer: heap-use-after-free on address 0x614000213288 at pc 0x7f639a2affc8 bp 0x7ffcea9da0d0 sp 0x7ffcea9da0c8 → [GFX] AddressSanitizer: heap-use-after-free on address 0x614000213288 at pc 0x7f639a2affc8 bp 0x7ffcea9da0d0 sp 0x7ffcea9da0c8
Summary: [GFX] AddressSanitizer: heap-use-after-free on address 0x614000213288 at pc 0x7f639a2affc8 bp 0x7ffcea9da0d0 sp 0x7ffcea9da0c8 → [GFX] heap-use-after-free on address 0x614000213288 at pc 0x7f639a2affc8 bp 0x7ffcea9da0d0 sp 0x7ffcea9da0c8
|
||
Updated•4 years ago
|
Group: firefox-core-security → core-security
Component: Security → Graphics
Product: Firefox → Core
|
||
Updated•4 years ago
|
Group: core-security → gfx-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
|
||
Updated•4 years ago
|
Flags: sec-bounty? → sec-bounty-
|
|
||
Updated•2 years ago
|
Group: gfx-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•