1684140 - heap-use-after-free in [@ qcms_transform_data]

Reporter

Description

•

4 years ago

Attached image testcase.jpg — Details

Found with m-c 20201223-d6081a1bef2d.

==184503==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000d7ae0 at pc 0x7f9f2b123e46 bp 0x7f9f09047120 sp 0x7f9f09047118
READ of size 8 at 0x6130000d7ae0 thread T26 (TaskCon~read #2)
    #0 0x7f9f2b123e45 in qcms_transform_data src/gfx/qcms/src/transform.rs:1361:5
    #1 0x7f9f1e76c8f0 in mozilla::image::ColorManagementFilter<mozilla::image::SurfaceSink>::DoAdvanceRowFromBuffer(unsigned char const*) src/image/SurfaceFilters.h:162:5
    #2 0x7f9f1e76d559 in AdvanceRow src/image/SurfacePipe.h:125:19
    #3 0x7f9f1e76d559 in mozilla::image::WriteState mozilla::image::SurfaceFilter::WriteUnsafeComputedRow<unsigned int, mozilla::image::DownscalingFilter<mozilla::image::ColorManagementFilter<mozilla::image::SurfaceSink> >::DownscaleInputRow()::'lambda'(unsigned int*, unsigned int)>(mozilla::image::DownscalingFilter<mozilla::image::ColorManagementFilter<mozilla::image::SurfaceSink> >::DownscaleInputRow()::'lambda'(unsigned int*, unsigned int)) src/image/SurfacePipe.h:444:5
    #4 0x7f9f1e76cdab in mozilla::image::DownscalingFilter<mozilla::image::ColorManagementFilter<mozilla::image::SurfaceSink> >::DownscaleInputRow() src/image/DownscalingFilter.h:278:20
    #5 0x7f9f1e76c2b7 in mozilla::image::DownscalingFilter<mozilla::image::ColorManagementFilter<mozilla::image::SurfaceSink> >::DoAdvanceRowFromBuffer(unsigned char const*) src/image/DownscalingFilter.h:241:7
    #6 0x7f9f1e7439d1 in AdvanceRow src/image/SurfacePipe.h:125:19
    #7 0x7f9f1e7439d1 in DoWritePixelBlockToRow<unsigned int, (lambda at src/image/decoders/nsJPEGDecoder.cpp:632:7)> src/image/SurfacePipe.h:552:7
    #8 0x7f9f1e7439d1 in WritePixelBlocks<unsigned int, (lambda at src/image/decoders/nsJPEGDecoder.cpp:632:7)> src/image/SurfacePipe.h:216:23
    #9 0x7f9f1e7439d1 in WritePixelBlocks<unsigned int, (lambda at src/image/decoders/nsJPEGDecoder.cpp:632:7)> src/image/SurfacePipe.h:676:19
    #10 0x7f9f1e7439d1 in mozilla::image::nsJPEGDecoder::OutputScanlines() src/image/decoders/nsJPEGDecoder.cpp:631:23
    #11 0x7f9f1e73f31b in mozilla::image::nsJPEGDecoder::ReadJPEGData(char const*, unsigned long) src/image/decoders/nsJPEGDecoder.cpp:418:17
    #12 0x7f9f1e7dbdc6 in operator() src/image/decoders/nsJPEGDecoder.cpp:186:34
    #13 0x7f9f1e7dbdc6 in mozilla::Maybe<mozilla::Variant<mozilla::image::TerminalState, mozilla::image::Yield> > mozilla::image::StreamingLexer<mozilla::image::nsJPEGDecoder::State, 16ul>::ContinueUnbufferedRead<mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_5>(char const*, unsigned long, unsigned long, mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*)::$_5) src/image/StreamingLexer.h:555:9
    #14 0x7f9f1e73c478 in UnbufferedRead<(lambda at src/image/decoders/nsJPEGDecoder.cpp:183:21)> src/image/StreamingLexer.h:501:12
    #15 0x7f9f1e73c478 in Lex<(lambda at src/image/decoders/nsJPEGDecoder.cpp:183:21)> src/image/StreamingLexer.h:469:26
    #16 0x7f9f1e73c478 in mozilla::image::nsJPEGDecoder::DoDecode(mozilla::image::SourceBufferIterator&, mozilla::image::IResumable*) src/image/decoders/nsJPEGDecoder.cpp:182:17
    #17 0x7f9f1e5d7335 in mozilla::image::Decoder::Decode(mozilla::image::IResumable*) src/image/Decoder.cpp:172:19
    #18 0x7f9f1e5e5cf5 in mozilla::image::DecodedSurfaceProvider::Run() src/image/DecodedSurfaceProvider.cpp:123:34
    #19 0x7f9f1e6139ec in mozilla::image::DecodingTask::Run() src/image/DecodePool.cpp:143:12
    #20 0x7f9f1b3f5a19 in mozilla::TaskController::RunPoolThread() src/xpcom/threads/TaskController.cpp:252:33
    #21 0x7f9f387ce42e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #22 0x7f9f3c0da608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
    #23 0x7f9f3bca3292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6130000d7ae0 is located 352 bytes inside of 368-byte region [0x6130000d7980,0x6130000d7af0)
freed by thread T0 (Web Content) here:
    #0 0x5626dd5a518d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f9f1e2df5d8 in ShutdownCMS() src/gfx/thebes/gfxPlatform.cpp:2303:5
    #2 0x7f9f1e2ea327 in gfxPlatform::Shutdown() src/gfx/thebes/gfxPlatform.cpp:1263:3
    #3 0x7f9f24403b91 in nsLayoutModuleDtor() src/layout/build/nsLayoutModule.cpp:267:3
    #4 0x7f9f1b3d2694 in nsComponentManagerImpl::Shutdown() src/xpcom/components/nsComponentManager.cpp:857:3
    #5 0x7f9f1b49a1e4 in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:731:55
    #6 0x7f9f272807ec in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:212:3
    #7 0x7f9f1c73dbc4 in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
    #8 0x7f9f272818e5 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:737:16
    #9 0x5626dd5d7bdd in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #10 0x5626dd5d8017 in main src/browser/app/nsBrowserApp.cpp:305:18
    #11 0x7f9f3bba80b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 (Web Content) here:
    #0 0x5626dd5a540d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f9f2b1242cf in alloc::alloc::alloc::ha5d8a14cce03bc63 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:84:14
    #2 0x7f9f2b1242cf in alloc::alloc::Global::alloc_impl::h1db8143211b9bb91 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:164:73
    #3 0x7f9f2b1242cf in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..AllocRef$GT$::alloc::h982bde6b3a4ffa5c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:224:9
    #4 0x7f9f2b1242cf in alloc::alloc::exchange_malloc::h7da272848c4b14e1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:314:11
    #5 0x7f9f2b1242cf in alloc::boxed::Box$LT$T$GT$::new::h1ede4892f887b5d4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/boxed.rs:178:9
    #6 0x7f9f2b1242cf in qcms::transform::transform_create::h1dce2345fe632407 src/gfx/qcms/src/transform.rs:1172:46
    #7 0x7f9f2b15eecf in qcms_transform_create src/gfx/qcms/src/c_bindings.rs:237:21
    #8 0x7f9f1e2e3f63 in GetCMSBGRATransform src/gfx/thebes/gfxPlatform.cpp:2257:9
    #9 0x7f9f1e2e3f63 in gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:1030:3
    #10 0x7f9f1e2e5519 in gfxPlatform::InitChild(mozilla::gfx::ContentDeviceData const&) src/gfx/thebes/gfxPlatform.cpp:524:3
    #11 0x7f9f22b4ae29 in InitGraphicsDeviceData src/dom/ipc/ContentChild.cpp:1207:3
    #12 0x7f9f22b4ae29 in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(mozilla::dom::XPCOMInitData&&, mozilla::dom::ipc::StructuredCloneData const&, mozilla::widget::LookAndFeelData&&, nsTArray<mozilla::dom::SystemFontListEntry>&&, mozilla::Maybe<base::FileDescriptor> const&, unsigned long const&, nsTArray<base::FileDescriptor>&&) src/dom/ipc/ContentChild.cpp:626:3
    #13 0x7f9f1c9a87ba in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:11364:56
    #14 0x7f9f1c725b0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2153:25
    #15 0x7f9f1c721974 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2077:9
    #16 0x7f9f1c723778 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1925:3
    #17 0x7f9f1c724398 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1956:13
    #18 0x7f9f1b3fd579 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:459:16
    #19 0x7f9f1b3f9f77 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:739:26
    #20 0x7f9f1b3f7eb7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:598:15
    #21 0x7f9f1b3f830d in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:382:36
    #22 0x7f9f1b4050f1 in operator() src/xpcom/threads/TaskController.cpp:123:37
    #23 0x7f9f1b4050f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #24 0x7f9f1b42564d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1200:14
    #25 0x7f9f1b43097c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
    #26 0x7f9f1c72e72f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
    #27 0x7f9f1c624fc1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #28 0x7f9f1c624fc1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #29 0x7f9f1c624fc1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3

Thread T26 (TaskCon~read #2) created by T15 (ImageIO) here:
    #0 0x5626dd58fe7a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f9f387be6a4 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f9f387af7ee in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f9f1b3f636d in mozilla::TaskController::InitializeThreadPool() src/xpcom/threads/TaskController.cpp:149:10
    #4 0x7f9f1b3f7632 in mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) src/xpcom/threads/TaskController.cpp:312:7
    #5 0x7f9f1e5d52a2 in mozilla::image::DecodePool::AsyncRun(mozilla::image::IDecodingTask*) src/image/DecodePool.cpp:154:26
    #6 0x7f9f1e63ee48 in mozilla::image::LaunchDecodingTask(mozilla::image::IDecodingTask*, mozilla::image::RasterImage*, unsigned int, bool) src/image/RasterImage.cpp:1181:28
    #7 0x7f9f1e63c7b3 in mozilla::image::RasterImage::DecodeMetadata(unsigned int) src/image/RasterImage.cpp:1305:3
    #8 0x7f9f1e63cc3d in mozilla::image::RasterImage::OnImageDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) src/image/RasterImage.cpp:988:12
    #9 0x7f9f1e6bee14 in imgRequest::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) src/image/imgRequest.cpp:1072:16
    #10 0x7f9f1c0947d5 in mozilla::net::HttpChannelChild::DoOnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) src/netwerk/protocol/http/HttpChannelChild.cpp:794:29
    #11 0x7f9f1c092e3e in mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTString<char> const&) src/netwerk/protocol/http/HttpChannelChild.cpp:695:3
    #12 0x7f9f1c3bbe89 in mozilla::net::ChannelEventQueue::FlushQueue() src/netwerk/ipc/ChannelEventQueue.cpp:90:12
    #13 0x7f9f1bede8b1 in mozilla::net::ChannelEventQueue::MaybeFlushQueue() /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:330:5
    #14 0x7f9f1c410f90 in mozilla::net::ChannelEventQueue::CompleteResume() /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:309:5
    #15 0x7f9f1c410c47 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() src/netwerk/ipc/ChannelEventQueue.cpp:148:17
    #16 0x7f9f1b4257b5 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1200:14
    #17 0x7f9f1b43097c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
    #18 0x7f9f1c72fff2 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:332:5
    #19 0x7f9f1c624fc1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #20 0x7f9f1c624fc1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #21 0x7f9f1c624fc1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #22 0x7f9f1b41e818 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:441:10
    #23 0x7f9f387ce42e in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #24 0x7f9f3c0da608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8

Thread T15 (ImageIO) created by T0 (Web Content) here:
    #0 0x5626dd58fe7a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f9f387be6a4 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f9f387af7ee in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f9f1b4214bb in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:658:8
    #4 0x7f9f1b42ed88 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:641:12
    #5 0x7f9f1b43ae58 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:169:57
    #6 0x7f9f1e5e3176 in NS_NewNamedThread<8> src/xpcom/threads/nsThreadUtils.h:85:10
    #7 0x7f9f1e5e3176 in mozilla::image::DecodePool::DecodePool() src/image/DecodePool.cpp:97:17
    #8 0x7f9f1e5d5020 in mozilla::image::DecodePool::Singleton() src/image/DecodePool.cpp:62:22
    #9 0x7f9f1e5e2eb3 in mozilla::image::DecodePool::Initialize() src/image/DecodePool.cpp:55:3
    #10 0x7f9f1e6f660e in mozilla::image::EnsureModuleInitialized() src/image/build/nsImageModule.cpp:70:3
    #11 0x7f9f1b39d8f2 in CallInitFunc /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:8778:7
    #12 0x7f9f1b39d8f2 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10858:7
    #13 0x7f9f1b3d5c76 in CreateInstance src/xpcom/components/nsComponentManager.cpp:176:46
    #14 0x7f9f1b3d5c76 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1282:17
    #15 0x7f9f1b3d7d59 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1471:10
    #16 0x7f9f1b3ddac9 in CallGetService src/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #17 0x7f9f1b3ddac9 in nsGetServiceByContractID::operator()(nsID const&, void**) const src/xpcom/components/nsComponentManagerUtils.cpp:243:21
    #18 0x7f9f1b25a260 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) src/xpcom/base/nsCOMPtr.cpp:82:7
    #19 0x7f9f1e2e3ffe in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:627:5
    #20 0x7f9f1e2e3ffe in gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:1037:34
    #21 0x7f9f1e2e5519 in gfxPlatform::InitChild(mozilla::gfx::ContentDeviceData const&) src/gfx/thebes/gfxPlatform.cpp:524:3
    #22 0x7f9f22b4ae29 in InitGraphicsDeviceData src/dom/ipc/ContentChild.cpp:1207:3
    #23 0x7f9f22b4ae29 in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(mozilla::dom::XPCOMInitData&&, mozilla::dom::ipc::StructuredCloneData const&, mozilla::widget::LookAndFeelData&&, nsTArray<mozilla::dom::SystemFontListEntry>&&, mozilla::Maybe<base::FileDescriptor> const&, unsigned long const&, nsTArray<base::FileDescriptor>&&) src/dom/ipc/ContentChild.cpp:626:3
    #24 0x7f9f1c9a87ba in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:11364:56
    #25 0x7f9f1c725b0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2153:25
    #26 0x7f9f1c721974 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2077:9
    #27 0x7f9f1c723778 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1925:3
    #28 0x7f9f1c724398 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1956:13
    #29 0x7f9f1b3fd579 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:459:16
    #30 0x7f9f1b3f9f77 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:739:26
    #31 0x7f9f1b3f7eb7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:598:15
    #32 0x7f9f1b3f830d in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:382:36
    #33 0x7f9f1b4050f1 in operator() src/xpcom/threads/TaskController.cpp:123:37
    #34 0x7f9f1b4050f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #35 0x7f9f1b42564d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1200:14
    #36 0x7f9f1b43097c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
    #37 0x7f9f1c72e72f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
    #38 0x7f9f1c624fc1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #39 0x7f9f1c624fc1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #40 0x7f9f1c624fc1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #41 0x7f9f23548fe7 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #42 0x7f9f272822ff in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #43 0x7f9f1c624fc1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #44 0x7f9f1c624fc1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #45 0x7f9f1c624fc1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #46 0x7f9f2728189c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #47 0x5626dd5d7bdd in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #48 0x5626dd5d8017 in main src/browser/app/nsBrowserApp.cpp:305:18
    #49 0x7f9f3bba80b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Flags: in-testsuite?

Tyson Smith [:tsmith]

Reporter

Comment 1

•

4 years ago

A Pernosco session is available here: https://pernos.co/debug/rRWr6WIEv-9GRm39yHQbLA/index.html

Andrew Osmond [:aosmond] (he/him)

Comment 2

•

4 years ago

This appears to be a shutdown race. I wonder if this was always there, or was a consequence of the decode thread pool changes made in bug 1672597.

Andrew Osmond [:aosmond] (he/him)

Comment 3

•

4 years ago

Reviewing the changes, I think it was always there. However, the code that uses this path is disabled because we don't color manage untagged / sRGB images to display space by default.

https://searchfox.org/mozilla-central/rev/df9c134aa60ba99cef05acfb0f6733c84a374da6/image/decoders/nsJPEGDecoder.cpp#330

That requires gfx.color_management.mode to be set to 1.

Severity: -- → S3

status-firefox86: affected → disabled

OS: Unspecified → All

Priority: -- → P3

Hardware: Unspecified → All

Jeff Muizelaar [:jrmuizel]

Updated

•

4 years ago

Component: GFX: Color Management → ImageLib

Andrew Osmond [:aosmond] (he/him)

Comment 4

•

4 years ago

Actually this is possible to trigger with the default CMS mode, but not for JPEGs. PNGs use it for images tagged as sRGB, which don't provide a profile:

https://searchfox.org/mozilla-central/rev/df9c134aa60ba99cef05acfb0f6733c84a374da6/image/decoders/nsPNGDecoder.cpp#688

status-firefox86: disabled → affected

BugBot [:suhaib / :marco/ :calixte]

Comment 5

•

4 years ago

The component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.

Priority: P3 → --

Tyson Smith [:tsmith]

Reporter

Updated

•

4 years ago

Keywords: csectype-race, sec-low

Andrew Osmond [:aosmond] (he/him)

Updated

•

4 years ago

Flags: needinfo?(aosmond)

Tyson Smith [:tsmith]

Reporter

Comment 7

•

3 years ago

The attached test case no longer reproduces the issue and it was last seen by fuzzers targeting m-c 20210330-eed530931ca0.

Status: NEW → RESOLVED

Closed: 3 years ago

Resolution: --- → WORKSFORME

Daniel Veditz [:dveditz]

Updated

•

1 year ago

Group: gfx-core-security

Bugzilla

heap-use-after-free in [@ qcms_transform_data]

Categories

(Core :: Graphics: ImageLib, defect)

Tracking

()

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(4 keywords)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Updated

Updated

Comment 7

Updated

Attachment

General

Description

File Name

Content Type