Closed Bug 1705836 Opened 3 years ago Closed 3 years ago

heap-buffer-overflow in [@ blendTextureLinearUpscale]

Categories

(Core :: Graphics: WebRender, defect)

defect

Tracking


VERIFIED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- verified

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(4 files)

Attached file testcase.html

First found while fuzzing m-c 20210416-a00cdb29df1f (--enable-address-sanitizer --enable-fuzzing)

This test case was only consistently reproducible for me when using Xvfb. I was using Grizzly to automate this:

python3 -m grizzly.replay ~/m-c-20210416155149-fuzzing-asan-opt/firefox ~/Desktop/testcase.html --repeat 10 --relaunch 1 --xvfb -p prefs.js
==3356==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc65f2177fc at pc 0x7fc6bf970f06 bp 0x7fc67cfeaed0 sp 0x7fc67cfeaec8
READ of size 16 at 0x7fc65f2177fc thread T66 (Renderer)
    #0 0x7fc6bf970f05 in load<unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:503:5
    #1 0x7fc6bf970f05 in unaligned_load<unsigned char __attribute__((ext_vector_type(16))), unsigned int> /builds/worker/checkouts/gecko/gfx/wr/swgl/src/vector_type.h:532:10
    #2 0x7fc6bf970f05 in void blendTextureLinearUpscale<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:219:7
    #3 0x7fc6bf95d0ee in unsigned int* blendTextureLinearDispatch<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar, glsl::vec2_scalar, glsl::vec2_scalar, NoColor, unsigned int*, LinearFilter) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:425:9
    #4 0x7fc6bf919fdb in int blendTextureLinearRepeat<true, glsl::sampler2D_impl*, NoColor, unsigned int>(glsl::sampler2D_impl*, glsl::vec2, int, glsl::vec2_scalar const&, glsl::vec4_scalar const&, glsl::vec4_scalar const&, NoColor, unsigned int*) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_ext.h:675:15
    #5 0x7fc6bfa840bc in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::swgl_drawSpanRGBA8() /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-51db388d6c37570b/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:969:2
    #6 0x7fc6bfa7a7e9 in brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag::draw_span_RGBA8(brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D_frag*) /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/swgl-51db388d6c37570b/out/brush_image_ALPHA_PASS_ANTIALIASING_REPETITION_TEXTURE_2D.h:1012:42
    #7 0x7fc6bfd6567f in draw_span /builds/worker/checkouts/gecko/gfx/wr/swgl/src/program.h:149:12
    #8 0x7fc6bfd6567f in void draw_quad_spans<unsigned int>(int, glsl::vec2_scalar*, unsigned int, glsl::vec3*, Texture&, Texture&, ClipRect const&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1008:42
    #9 0x7fc6bf8c6953 in draw_quad(int, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1592:5
    #10 0x7fc6bf8c2313 in void draw_elements<unsigned short>(int, int, unsigned long, VertexArray&, Texture&, Texture&) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/rasterize.h:1622:5
    #11 0x7fc6bf8c1fb9 in DrawElementsInstanced /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:2699:7
    #12 0x7fc6bed27956 in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::h5eda64c2d50e77be /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:3556:9
    #13 0x7fc6bed27956 in webrender::renderer::Renderer::draw_instanced_batch::he82cf5f9df3fb284 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2561:17
    #14 0x7fc6bed1355d in webrender::renderer::Renderer::draw_alpha_batch_container::h759cbbb5db45fa8c /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:3045:17
    #15 0x7fc6bece743d in webrender::renderer::Renderer::draw_picture_cache_target::h134498a9cc4a253a /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2868:9
    #16 0x7fc6bece743d in webrender::renderer::Renderer::draw_frame::h20341baafbe8ca20 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4683:21
    #17 0x7fc6bed4d2bf in webrender::renderer::Renderer::render_impl::h05e0a812274e4fa6 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2159:17
    #18 0x7fc6bed6de79 in webrender::renderer::Renderer::render::h510b6ab158a5e145 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1894:30
    #19 0x7fc6befe3eef in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:636:11
    #20 0x7fc6b0513c7e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #21 0x7fc6b05123af in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
    #22 0x7fc6b0511531 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
    #23 0x7fc6b05298c6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #24 0x7fc6b05298c6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #25 0x7fc6b05298c6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #26 0x7fc6ae7c7dd7 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #27 0x7fc6ae7c8b3e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #28 0x7fc6ae7c93db in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #29 0x7fc6ae7ca6d6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #30 0x7fc6ae7c7981 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #31 0x7fc6ae7c7981 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #32 0x7fc6ae7c7981 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #33 0x7fc6ae7e5008 in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:191:16
    #34 0x7fc6ae7d8bfc in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #35 0x7fc6d5bd86da in start_thread /build/glibc-S9d2JN/glibc-2.27/nptl/pthread_create.c:463
    #36 0x7fc6d4bb671e in clone /build/glibc-S9d2JN/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x7fc65f2177fc is located 4 bytes to the left of 16777216-byte region [0x7fc65f217800,0x7fc660217800)
allocated by thread T66 (Renderer) here:
    #0 0x55cd33839a69 in realloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x7fc6bf8c8683 in Texture::allocate(bool, int, int) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:492:32
    #2 0x7fc6bf8b16bf in set_tex_storage(Texture&, unsigned int, int, int, void*, int, int, int) /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1678:5
    #3 0x7fc6bf8b117e in TexStorage2D /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1692:3
    #4 0x7fc6bf8b2339 in TexImage2D /builds/worker/checkouts/gecko/gfx/wr/swgl/src/gl.cc:1780:3
    #5 0x7fc6bdde961a in _$LT$swgl..swgl_fns..Context$u20$as$u20$gleam..gl..Gl$GT$::tex_image_2d::h3675c9495034dfdf /builds/worker/checkouts/gecko/gfx/wr/swgl/src/swgl_fns.rs:995:13
    #6 0x7fc6bec5d5e6 in webrender::device::gl::Device::create_texture::he80222307edf0435 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/device/gl.rs:2482:13
    #7 0x7fc6bed30e24 in webrender::renderer::Renderer::update_texture_cache::_$u7b$$u7b$closure$u7d$$u7d$::hf5224d28cb3e3a4f /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2443:29
    #8 0x7fc6bed30e24 in core::option::Option$LT$T$GT$::unwrap_or_else::hbf783190e9605207 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:427:21
    #9 0x7fc6bed30e24 in webrender::renderer::Renderer::update_texture_cache::h1a73318d9702f9fc /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2442:43
    #10 0x7fc6bed4c505 in webrender::renderer::Renderer::render_impl::h05e0a812274e4fa6 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2119:13
    #11 0x7fc6bed6de79 in webrender::renderer::Renderer::render::h510b6ab158a5e145 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1894:30
    #12 0x7fc6befe3eef in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:636:11
    #13 0x7fc6b0513c7e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #14 0x7fc6b05123af in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:486:31
    #15 0x7fc6b0511531 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:341:3
    #16 0x7fc6b05298c6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #17 0x7fc6b05298c6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #18 0x7fc6b05298c6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #19 0x7fc6ae7c7dd7 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #20 0x7fc6ae7c8b3e in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #21 0x7fc6ae7c93db in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #22 0x7fc6ae7ca6d6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #23 0x7fc6ae7c7981 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #24 0x7fc6ae7c7981 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #25 0x7fc6ae7c7981 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3

Thread T66 (Renderer) created by T0 here:
    #0 0x55cd338241ba in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7fc6ae7d30ec in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7fc6ae7d30ec in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7fc6ae7e482d in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7fc6b050e181 in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:92:16
    #5 0x7fc6b027d8e9 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1324:7
    #6 0x7fc6b0278ee6 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:964:3
    #7 0x7fc6b027783b in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:480:5
    #8 0x7fc6b4eca5bc in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1781:25
    #9 0x7fc6ad6b9591 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7fc6af5ed2ea in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
    #11 0x7fc6af5ed2ea in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7fc6af5ed2ea in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7fc6af5f2cd3 in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1460:12
    #14 0x7fc6af5f2cd3 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7fc6b8c745f4 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
    #16 0x7fc6b8c745f4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
    #17 0x7fc6b8c76419 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #18 0x7fc6b8c7669b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
    #19 0x7fc6b8c77c7b in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:724:10
    #20 0x7fc6b9173acd in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2174:12
    #21 0x7fc6b9173acd in GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2202:12
    #22 0x7fc6b9173acd in NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2348:14
    #23 0x7fc6b9173acd in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2379:10
    #24 0x7fc6b8c62589 in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7fc6b8c62589 in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:453:10
    #26 0x7fc6b8c62589 in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:560:10
    #27 0x7fc6b8c62589 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3055:14
    #28 0x7fc6b8c4422e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:406:13
    #29 0x7fc6b8c74733 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:554:13
    #30 0x7fc6b8c76419 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #31 0x7fc6b8c7669b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
    #32 0x7fc6b94e3a30 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2767:10
    #33 0x7fc6af5e0011 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
    #34 0x7fc6ad6baee0 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7fc6ad6b9c7a in SharedStub (/home/twsmith/workspace/browsers/m-c-20210416155149-fuzzing-asan-opt/libxul.so+0x509ac7a)
    #36 0x7fc6ad61a3a8 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:687:19
    #37 0x7fc6b8a3c8b2 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:977:11
    #38 0x7fc6b8a18169 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5098:18
    #39 0x7fc6b8a1b346 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5539:8
    #40 0x7fc6b8a1c123 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5598:21
    #41 0x55cd3386c902 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:220:22
    #42 0x55cd3386c902 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:347:16
    #43 0x7fc6d4ab6bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
Attached file prefs.js

A Pernosco session is available here: https://pernos.co/debug/hH_FkZiAIWsukwA4iTKraA/index.html

Attached file Bug 1705836 - Add test

Depends on D112444

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

This is just another expression of bug 1701975. It can only at best cause it to sample a couple bytes in front of the allocated texture's heap memory, but no further than that, and was regressed by bug 1678783.

Regression only affects nightly, and fix is confirmed by Tyson.

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210416155149-a62c94365ebb.
The bug appears to have been introduced in the following build range:

Start: 7552f5acc03b5fd126d584a4fa8b324afbf1a471 (20210406094706)
End: dcc9ca0ad46eea95eacc9071ba55015a8803e224 (20210406075638)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=7552f5acc03b5fd126d584a4fa8b324afbf1a471&tochange=dcc9ca0ad46eea95eacc9071ba55015a8803e224

Whiteboard: [bugmon:bisected,confirmed]
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210417214426-60929718b9c0.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:lsalzman, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(lsalzman)
Flags: needinfo?(lsalzman)
Has Regression Range: --- → yes
Keywords: regression
Group: core-security-release