[Gnash-commit] [bug #42420] data races from SWFMovieDefinition::read_all_swf()
From: Bastiaan Jacques
Subject: [Gnash-commit] [bug #42420] data races from SWFMovieDefinition::read_all_swf()
Date: Wed, 04 Feb 2015 23:18:08 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Update of bug #42420 (project gnash):
Severity: 3 - Normal => 4 - Important
Summary: potential data races from SWFMovieDefinition::read_all_swf() => data races from SWFMovieDefinition::read_all_swf()
_______________________________________________________
Follow-up Comment #10:
Asan reports the following use-after-free after playing the attached PDF for a
few seconds.
==24477==ERROR: AddressSanitizer: heap-use-after-free on address
0x619000009688 at pc 0x7fbac034c593 bp 0x7fffa868ec00 sp 0x7fffa868ebf8
READ of size 8 at 0x619000009688 thread T0
#0 0x7fbac034c592 in
boost::intrusive_ptr<gnash::SWF::ControlTag>::operator->() const
/usr/include/boost/smart_ptr/intrusive_ptr.hpp:162:9
#1 0x7fbac0343a42 in gnash::MovieClip::executeFrameTags(unsigned long,
gnash::DisplayList&, int) /home/bastiaan/gnash/libcore/MovieClip.cpp:1059:17
#2 0x7fbac03432b5 in gnash::MovieClip::advance()
/home/bastiaan/gnash/libcore/MovieClip.cpp:940:17
#3 0x7fbac02f0805 in gnash::SWFMovie::advance()
/home/bastiaan/gnash/libcore/SWFMovie.cpp:82:5
#4 0x7fbac02fabd7 in gnash::movie_root::advanceLiveChars()
/home/bastiaan/gnash/libcore/movie_root.cpp:2061:9
#5 0x7fbac02fa225 in gnash::movie_root::advanceMovie()
/home/bastiaan/gnash/libcore/movie_root.cpp:968:5
#6 0x7fbac02f9e9a in gnash::movie_root::advance()
/home/bastiaan/gnash/libcore/movie_root.cpp:933:17
#7 0x7fbac0faeeaf in gnash::Gui::advanceMovie(bool)
/home/bastiaan/gnash/gui/gui.cpp:954:27
#8 0x7fbac0fe4769 in gnash::NullGui::run()
/home/bastiaan/gnash/gui/NullGui.cpp:44:5
#9 0x7fbac0fcad42 in gnash::Player::run(int, char**, std::string const&,
std::string const&) /home/bastiaan/gnash/gui/Player.cpp:664:5
#10 0x7fbac0f5d14c in playFile(gnash::Player&, int, char**, std::string
const&) /home/bastiaan/gnash/gui/gnash.cpp:92:5
#11 0x7fbac0f647c1 in void std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string
const&)>::__call<void, std::string&, 0ul, 1ul, 2ul,
3ul>(std::tuple<std::string&>&&, std::_Index_tuple<0ul, 1ul, 2ul, 3ul>)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/functional:1263:11
#12 0x7fbac0f64176 in void std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string
const&)>::operator()<std::string&, void>(std::string&)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/functional:1321:11
#13 0x7fbac0f63c12 in std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string const&)>
std::for_each<__gnu_cxx::__normal_iterator<std::string*,
std::vector<std::string, std::allocator<std::string> > >, std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string const&)>
>(__gnu_cxx::__normal_iterator<std::string*, std::vector<std::string,
std::allocator<std::string> > >, __gnu_cxx::__normal_iterator<std::string*,
std::vector<std::string, std::allocator<std::string> > >, std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string const&)>)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/bits/stl_algo.h:3755:2
#14 0x7fbac0f5d885 in main /home/bastiaan/gnash/gui/gnash.cpp:175:9
#15 0x7fbabca43fdf in __libc_start_main (/lib64/libc.so.6+0x3629e1ffdf)
#16 0x7fbac0f5cf7c in _start
(/home/bastiaan/obj-gnash-clang-sanitize/gui/.libs/lt-gtk-gnash+0xf2f7c)
0x619000009688 is located 8 bytes inside of 1024-byte region
[0x619000009680,0x619000009a80)
freed by thread T1 here:
#0 0x7fbac0ed85ab in operator delete(void*)
(/home/bastiaan/obj-gnash-clang-sanitize/gui/.libs/lt-gtk-gnash+0x6e5ab)
#1 0x7fbac05a06a2 in void
std::vector<boost::intrusive_ptr<gnash::SWF::ControlTag>,
std::allocator<boost::intrusive_ptr<gnash::SWF::ControlTag> >
>::_M_emplace_back_aux<boost::intrusive_ptr<gnash::SWF::ControlTag>
const&>(boost::intrusive_ptr<gnash::SWF::ControlTag> const&)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/bits/vector.tcc:438:2
#2 0x7fbac058ca71 in
gnash::SWFMovieDefinition::addControlTag(boost::intrusive_ptr<gnash::SWF::ControlTag>)
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.h:274:9
#3 0x7fbac0586387 in gnash::SWFMovieDefinition::addDisplayObject(unsigned
short, gnash::SWF::DefinitionTag*)
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.cpp:163:5
#4 0x7fbac05802fd in gnash::SWFParser::read(long)
/home/bastiaan/gnash/libcore/parser/SWFParser.cpp:96:17
#5 0x7fbac0585738 in gnash::SWFMovieDefinition::read_all_swf()
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.cpp:467:18
#6 0x7fbabd0b2d9f (/lib64/libstdc++.so.6+0x3b79ebad9f)
previously allocated by thread T1 here:
#0 0x7fbac0ed806b in operator new(unsigned long)
(/home/bastiaan/obj-gnash-clang-sanitize/gui/.libs/lt-gtk-gnash+0x6e06b)
#1 0x7fbac05a05b5 in void
std::vector<boost::intrusive_ptr<gnash::SWF::ControlTag>,
std::allocator<boost::intrusive_ptr<gnash::SWF::ControlTag> >
>::_M_emplace_back_aux<boost::intrusive_ptr<gnash::SWF::ControlTag>
const&>(boost::intrusive_ptr<gnash::SWF::ControlTag> const&)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/bits/vector.tcc:412:22
#2 0x7fbac058ca71 in
gnash::SWFMovieDefinition::addControlTag(boost::intrusive_ptr<gnash::SWF::ControlTag>)
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.h:274:9
#3 0x7fbac03693f9 in
gnash::SWF::DoInitActionTag::loader(gnash::SWFStream&, gnash::SWF::TagType,
gnash::movie_definition&, gnash::RunResources const&)
/home/bastiaan/gnash/libcore/swf/DoInitActionTag.h:96:9
#4 0x7fbac05802fd in gnash::SWFParser::read(long)
/home/bastiaan/gnash/libcore/parser/SWFParser.cpp:96:17
#5 0x7fbac0585738 in gnash::SWFMovieDefinition::read_all_swf()
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.cpp:467:18
#6 0x7fbabd0b2d9f (/lib64/libstdc++.so.6+0x3b79ebad9f)
Thread T1 created by T0 here:
#0 0x7fbac0f2753f in pthread_create
(/home/bastiaan/obj-gnash-clang-sanitize/gui/.libs/lt-gtk-gnash+0xbd53f)
#1 0x7fbabd0b2ed8 in
std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>)
(/lib64/libstdc++.so.6+0x3b79ebaed8)
SUMMARY: AddressSanitizer: heap-use-after-free
/usr/include/boost/smart_ptr/intrusive_ptr.hpp:162
boost::intrusive_ptr<gnash::SWF::ControlTag>::operator->() const
==24477==ABORTING
So this clearly shows data deleted by the thread running read_all_swf() being
accessed by another thread.
(file #32996)
_______________________________________________________
Additional Item Attachment:
File name: googlecrap.swf  Size: 64 KB
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?42420>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
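The pattern behind the two stacks in the report, written out as an added example (this is not Gnash code): the ControlTag struct, TagList class and function names are stand-ins for the intrusive_ptr vector that addControlTag() grows on the parser thread while executeFrameTags() walks it on the player thread. The first function shows, deterministically, that an append past capacity relocates the buffer and frees the old one; the rest shows one fix, a mutex around every access plus a snapshot copy for readers.

```cpp
#include <atomic>
#include <cstdint>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

struct ControlTag { int frame; int id; };
using TagPtr = std::shared_ptr<ControlTag>;  // stands in for boost::intrusive_ptr

// The hazard, single-threaded and deterministic: build a vector with `reserved`
// capacity and `filled` elements, append one more, and report whether the
// buffer moved. A move means the old storage was freed (the "freed by thread T1"
// stack above) and any iterator or pointer held into it now dangles.
bool appendRelocates(std::size_t reserved, std::size_t filled) {
    std::vector<TagPtr> tags;
    tags.reserve(reserved);
    for (std::size_t i = 0; i < filled; ++i) tags.emplace_back(std::make_shared<ControlTag>());
    auto before = reinterpret_cast<std::uintptr_t>(tags.data());
    tags.emplace_back(std::make_shared<ControlTag>());
    return reinterpret_cast<std::uintptr_t>(tags.data()) != before;
}

// Hardened list: one mutex covers every access, and readers receive a copy of
// the refcounted pointers instead of iterating live storage the parser may grow.
class TagList {
public:
    void add(TagPtr t) { std::lock_guard<std::mutex> g(m_); tags_.push_back(std::move(t)); }
    std::vector<TagPtr> snapshot() const { std::lock_guard<std::mutex> g(m_); return tags_; }
private:
    mutable std::mutex m_;
    std::vector<TagPtr> tags_;
};

// A parser thread appends n tags while the player thread keeps executing the
// current set; returns how many tags the player saw once parsing finished.
std::size_t parseWhilePlaying(int n) {
    TagList list;
    std::atomic<bool> done{false};
    std::size_t seen = 0;
    std::thread player([&] {
        while (!done.load()) for (const auto& t : list.snapshot()) (void)t->id;  // safe deref
        seen = list.snapshot().size();
    });
    for (int i = 0; i < n; ++i) list.add(std::make_shared<ControlTag>(ControlTag{i / 10, i}));
    done.store(true);
    player.join();
    return seen;
}
```

Built with -fsanitize=address (or thread), parseWhilePlaying() stays clean, whereas iterating the live vector from the player thread reproduces the heap-use-after-free shape reported above.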