ubuntu-webapps-bugs team mailing list archive
Message #02584
[Bug 1442398] [NEW] Out of bounds read in oxide::CompositorOutputSurfaceGL::DiscardBuffer
*** This bug is a security vulnerability ***
Public security bug reported:
I'm seeing errors like this in valgrind:
==6299== Invalid read of size 4
==6299== at 0x825ACAD: gpu::gles2::GLES2Implementation::DeleteTexturesHelper(int, unsigned int const*) (gles2_implementation.cc:3371)
==6299== by 0x72B1349: oxide::CompositorOutputSurfaceGL::DiscardBuffer(oxide::CompositorOutputSurfaceGL::BufferData*) (oxide_compositor_output_surface_gl.cc:190)
==6299== by 0x72B13AF: oxide::CompositorOutputSurfaceGL::DiscardBackbuffer() [clone .part.14] (oxide_compositor_output_surface_gl.cc:92)
==6299== by 0x72B181F: DiscardBackbuffer (stl_construct.h:102)
==6299== by 0x72B181F: oxide::CompositorOutputSurfaceGL::~CompositorOutputSurfaceGL() (oxide_compositor_output_surface_gl.cc:205)
==6299== by 0x72B1838: oxide::CompositorOutputSurfaceGL::~CompositorOutputSurfaceGL() (oxide_compositor_output_surface_gl.cc:211)
==6299== by 0x7C2E002: operator() (scoped_ptr.h:128)
==6299== by 0x7C2E002: ~scoped_ptr_impl (scoped_ptr.h:222)
==6299== by 0x7C2E002: ~scoped_ptr (scoped_ptr.h:312)
==6299== by 0x7C2E002: cc::LayerTreeHostImpl::~LayerTreeHostImpl() (layer_tree_host_impl.cc:254)
==6299== by 0x7C2E258: cc::LayerTreeHostImpl::~LayerTreeHostImpl() (layer_tree_host_impl.cc:279)
==6299== by 0x7C4A811: operator() (scoped_ptr.h:128)
==6299== by 0x7C4A811: reset (scoped_ptr.h:248)
==6299== by 0x7C4A811: reset (scoped_ptr.h:377)
==6299== by 0x7C4A811: operator= (scoped_ptr.h:371)
==6299== by 0x7C4A811: cc::ThreadProxy::LayerTreeHostClosedOnImplThread(cc::CompletionEvent*) (thread_proxy.cc:1263)
==6299== by 0x72FFA88: Run (callback.h:396)
==6299== by 0x72FFA88: base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) (task_annotator.cc:63)
==6299== by 0x7321583: base::MessageLoop::RunTask(base::PendingTask const&) (message_loop.cc:445)
==6299== by 0x7321860: base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) (message_loop.cc:454)
==6299== by 0x7321D5A: base::MessageLoop::DoWork() (message_loop.cc:566)
==6299== by 0x73223B8: base::MessagePumpDefault::Run(base::MessagePump::Delegate*) (message_pump_default.cc:32)
==6299== by 0x73347D7: base::RunLoop::Run() (run_loop.cc:55)
==6299== by 0x731E594: base::MessageLoop::Run() (message_loop.cc:303)
==6299== by 0x734E4E4: Run (thread.cc:185)
==6299== by 0x734E4E4: base::Thread::ThreadMain() (thread.cc:239)
==6299== by 0x734ACFE: base::(anonymous namespace)::ThreadFunc(void*) (platform_thread_posix.cc:77)
==6299== by 0xBC400A4: start_thread (pthread_create.c:309)
==6299== by 0xB96DCFC: clone (clone.S:111)
==6299== Address 0x24da88a0 is 400 bytes inside a block of size 480 free'd
==6299== at 0x4C2C2E0: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6299== by 0x72B13E0: deallocate (new_allocator.h:110)
==6299== by 0x72B13E0: _M_deallocate_node (stl_deque.h:544)
==6299== by 0x72B13E0: _M_pop_front_aux (deque.tcc:528)
==6299== by 0x72B13E0: pop_front (stl_deque.h:1438)
==6299== by 0x72B13E0: pop (stl_queue.h:244)
==6299== by 0x72B13E0: oxide::CompositorOutputSurfaceGL::DiscardBackbuffer() [clone .part.14] (oxide_compositor_output_surface_gl.cc:91)
==6299== by 0x72B181F: DiscardBackbuffer (stl_construct.h:102)
==6299== by 0x72B181F: oxide::CompositorOutputSurfaceGL::~CompositorOutputSurfaceGL() (oxide_compositor_output_surface_gl.cc:205)
==6299== by 0x72B1838: oxide::CompositorOutputSurfaceGL::~CompositorOutputSurfaceGL() (oxide_compositor_output_surface_gl.cc:211)
==6299== by 0x7C2E002: operator() (scoped_ptr.h:128)
==6299== by 0x7C2E002: ~scoped_ptr_impl (scoped_ptr.h:222)
==6299== by 0x7C2E002: ~scoped_ptr (scoped_ptr.h:312)
==6299== by 0x7C2E002: cc::LayerTreeHostImpl::~LayerTreeHostImpl() (layer_tree_host_impl.cc:254)
==6299== by 0x7C2E258: cc::LayerTreeHostImpl::~LayerTreeHostImpl() (layer_tree_host_impl.cc:279)
==6299== by 0x7C4A811: operator() (scoped_ptr.h:128)
==6299== by 0x7C4A811: reset (scoped_ptr.h:248)
==6299== by 0x7C4A811: reset (scoped_ptr.h:377)
==6299== by 0x7C4A811: operator= (scoped_ptr.h:371)
==6299== by 0x7C4A811: cc::ThreadProxy::LayerTreeHostClosedOnImplThread(cc::CompletionEvent*) (thread_proxy.cc:1263)
==6299== by 0x72FFA88: Run (callback.h:396)
==6299== by 0x72FFA88: base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) (task_annotator.cc:63)
==6299== by 0x7321583: base::MessageLoop::RunTask(base::PendingTask const&) (message_loop.cc:445)
==6299== by 0x7321860: base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) (message_loop.cc:454)
==6299== by 0x7321D5A: base::MessageLoop::DoWork() (message_loop.cc:566)
==6299== by 0x73223B8: base::MessagePumpDefault::Run(base::MessagePump::Delegate*) (message_pump_default.cc:32)
==6299== by 0x73347D7: base::RunLoop::Run() (run_loop.cc:55)
==6299== by 0x731E594: base::MessageLoop::Run() (message_loop.cc:303)
==6299== by 0x734E4E4: Run (thread.cc:185)
==6299== by 0x734E4E4: base::Thread::ThreadMain() (thread.cc:239)
==6299== by 0x734ACFE: base::(anonymous namespace)::ThreadFunc(void*) (platform_thread_posix.cc:77)
==6299== by 0xBC400A4: start_thread (pthread_create.c:309)
==6299== by 0xB96DCFC: clone (clone.S:111)
This looks like fallout from http://bazaar.launchpad.net/~oxide-developers/oxide/oxide.trunk/revision/1017, which is only on trunk.
** Affects: oxide
Importance: High
Assignee: Chris Coulson (chrisccoulson)
Status: Fix Released
** Changed in: oxide
Importance: Undecided => High
** Changed in: oxide
Status: New => Triaged
** Changed in: oxide
Assignee: (unassigned) => Chris Coulson (chrisccoulson)
** Changed in: oxide
Milestone: None => branch-1.7
** Changed in: oxide
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
WebApps bug tracking, which is subscribed to Oxide.
https://bugs.launchpad.net/bugs/1442398
Title:
Out of bounds read in oxide::CompositorOutputSurfaceGL::DiscardBuffer
Status in Oxide Webview:
Fix Released
To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1442398/+subscriptions
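Added illustration of the lifetime bug the valgrind trace points at (this is not Oxide's code; BufferData, FakeGLES2, OutputSurface and the function names are stand-ins chosen for the example). Reading the two stacks together: the free happens inside pop() at oxide_compositor_output_surface_gl.cc:91, through the deque's _M_pop_front_aux, and the 4-byte read at line 92 (DeleteTexturesHelper, gles2_implementation.cc:3371) lands 400 bytes into that freed 480-byte node. That means the BufferData* handed to DiscardBuffer() was taken from the queue before the element was popped, and valgrind's "free'd" annotation makes this a use-after-free rather than a read past the end of a live object. The struct below is padded to 160 bytes so that a libstdc++ deque node (512-byte buffer) holds three elements, giving the same 480-byte node size as in the report; with three or more queued buffers the unsafe path reproduces the stale read.

```cpp
#include <cstdint>
#include <cstdio>
#include <queue>
#include <vector>

// Stand-in for the per-buffer record. Padded to 160 bytes so a libstdc++
// deque node (512 / 160 = 3 elements, 480 bytes) matches the freed block
// size in the valgrind report; only texture_id is actually used.
struct BufferData {
  uint32_t texture_id;
  uint8_t other_state[156];
};

// Stand-in for gpu::gles2::GLES2Implementation::DeleteTexturesHelper: it
// reads each 4-byte id (the "Invalid read of size 4") and records it.
struct FakeGLES2 {
  std::vector<uint32_t> deleted;
  void DeleteTextures(int n, const uint32_t* ids) {
    for (int i = 0; i < n; ++i) deleted.push_back(ids[i]);
  }
};

struct OutputSurface {
  FakeGLES2 gl;
  std::queue<BufferData> backbuffers;  // std::queue sits on a std::deque

  void DiscardBuffer(BufferData* buffer) {
    gl.DeleteTextures(1, &buffer->texture_id);
  }

  // Unsafe ordering, as the trace suggests: pop() can release the deque
  // node that holds *buffer (every third pop here), and DiscardBuffer()
  // then reads through the stale pointer. Not called by the safe path.
  void DiscardBackbufferUnsafe() {
    while (!backbuffers.empty()) {
      BufferData* buffer = &backbuffers.front();
      backbuffers.pop();      // may free the node *buffer lives in
      DiscardBuffer(buffer);  // use-after-free
    }
  }

  // Safe ordering: take the element out by value before popping, so the
  // pointer passed to DiscardBuffer() never aliases queue storage.
  void DiscardBackbufferSafe() {
    while (!backbuffers.empty()) {
      BufferData buffer = backbuffers.front();
      backbuffers.pop();
      DiscardBuffer(&buffer);
    }
  }
};

// Queues texture ids 1..n and discards them with the safe ordering;
// returns the ids the GL layer saw deleted, in order.
std::vector<uint32_t> DiscardNBuffers(int n) {
  OutputSurface surface;
  for (int i = 1; i <= n; ++i) {
    surface.backbuffers.push(BufferData{static_cast<uint32_t>(i), {}});
  }
  surface.DiscardBackbufferSafe();
  return surface.gl.deleted;
}

// Stand-alone demo: with no arguments runs the safe path; with any argument
// runs the unsafe path, which valgrind or -fsanitize=address flags on the
// third discard (the first pop that frees a deque node).
int main(int argc, char** argv) {
  (void)argv;
  OutputSurface surface;
  for (uint32_t id = 1; id <= 3; ++id) {
    surface.backbuffers.push(BufferData{id, {}});
  }
  if (argc > 1) {
    surface.DiscardBackbufferUnsafe();
  } else {
    surface.DiscardBackbufferSafe();
  }
  for (uint32_t id : surface.gl.deleted) {
    std::printf("deleted texture %u\n", id);
  }
  return 0;
}
```

Build with `g++ -g -fsanitize=address` and run with an argument to take the unsafe path; AddressSanitizer reports a heap-use-after-free inside DiscardBuffer() on the third iteration, which is where pop() hands the node back to the allocator. The fix is purely an ordering change: copy or move the element out (or finish using front() before calling pop()) so nothing dereferences queue storage after the pop.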