[Gnash-commit] [bug #42420] data races from SWFMovieDefinition::read_all


From: Bastiaan Jacques
Subject: [Gnash-commit] [bug #42420] data races from SWFMovieDefinition::read_all_swf()
Date: Wed, 04 Feb 2015 23:18:08 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0

Update of bug #42420 (project gnash):

                Severity:              3 - Normal => 4 - Important
                 Summary: potential data races from SWFMovieDefinition::read_all_swf() => data races from SWFMovieDefinition::read_all_swf()

    _______________________________________________________

Follow-up Comment #10:

ASan reports the following use-after-free after playing the attached PDF for a
few seconds.


==24477==ERROR: AddressSanitizer: heap-use-after-free on address
0x619000009688 at pc 0x7fbac034c593 bp 0x7fffa868ec00 sp 0x7fffa868ebf8
READ of size 8 at 0x619000009688 thread T0
    #0 0x7fbac034c592 in
boost::intrusive_ptr<gnash::SWF::ControlTag>::operator->() const
/usr/include/boost/smart_ptr/intrusive_ptr.hpp:162:9
    #1 0x7fbac0343a42 in gnash::MovieClip::executeFrameTags(unsigned long,
gnash::DisplayList&, int) /home/bastiaan/gnash/libcore/MovieClip.cpp:1059:17
    #2 0x7fbac03432b5 in gnash::MovieClip::advance()
/home/bastiaan/gnash/libcore/MovieClip.cpp:940:17
    #3 0x7fbac02f0805 in gnash::SWFMovie::advance()
/home/bastiaan/gnash/libcore/SWFMovie.cpp:82:5
    #4 0x7fbac02fabd7 in gnash::movie_root::advanceLiveChars()
/home/bastiaan/gnash/libcore/movie_root.cpp:2061:9
    #5 0x7fbac02fa225 in gnash::movie_root::advanceMovie()
/home/bastiaan/gnash/libcore/movie_root.cpp:968:5
    #6 0x7fbac02f9e9a in gnash::movie_root::advance()
/home/bastiaan/gnash/libcore/movie_root.cpp:933:17
    #7 0x7fbac0faeeaf in gnash::Gui::advanceMovie(bool)
/home/bastiaan/gnash/gui/gui.cpp:954:27
    #8 0x7fbac0fe4769 in gnash::NullGui::run()
/home/bastiaan/gnash/gui/NullGui.cpp:44:5
    #9 0x7fbac0fcad42 in gnash::Player::run(int, char**, std::string const&,
std::string const&) /home/bastiaan/gnash/gui/Player.cpp:664:5
    #10 0x7fbac0f5d14c in playFile(gnash::Player&, int, char**, std::string
const&) /home/bastiaan/gnash/gui/gnash.cpp:92:5
    #11 0x7fbac0f647c1 in void std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string
const&)>::__call<void, std::string&, 0ul, 1ul, 2ul,
3ul>(std::tuple<std::string&>&&, std::_Index_tuple<0ul, 1ul, 2ul, 3ul>)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/functional:1263:11
    #12 0x7fbac0f64176 in void std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string
const&)>::operator()<std::string&, void>(std::string&)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/functional:1321:11
    #13 0x7fbac0f63c12 in std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string const&)>
std::for_each<__gnu_cxx::__normal_iterator<std::string*,
std::vector<std::string, std::allocator<std::string> > >, std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string const&)>
>(__gnu_cxx::__normal_iterator<std::string*, std::vector<std::string,
std::allocator<std::string> > >, __gnu_cxx::__normal_iterator<std::string*,
std::vector<std::string, std::allocator<std::string> > >, std::_Bind<void
(*(std::reference_wrapper<gnash::Player>, int, char**,
std::_Placeholder<1>))(gnash::Player&, int, char**, std::string const&)>)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/bits/stl_algo.h:3755:2
    #14 0x7fbac0f5d885 in main /home/bastiaan/gnash/gui/gnash.cpp:175:9
    #15 0x7fbabca43fdf in __libc_start_main (/lib64/libc.so.6+0x3629e1ffdf)
    #16 0x7fbac0f5cf7c in _start
(/home/bastiaan/obj-gnash-clang-sanitize/gui/.libs/lt-gtk-gnash+0xf2f7c)

0x619000009688 is located 8 bytes inside of 1024-byte region
[0x619000009680,0x619000009a80)
freed by thread T1 here:
    #0 0x7fbac0ed85ab in operator delete(void*)
(/home/bastiaan/obj-gnash-clang-sanitize/gui/.libs/lt-gtk-gnash+0x6e5ab)
    #1 0x7fbac05a06a2 in void
std::vector<boost::intrusive_ptr<gnash::SWF::ControlTag>,
std::allocator<boost::intrusive_ptr<gnash::SWF::ControlTag> >
>::_M_emplace_back_aux<boost::intrusive_ptr<gnash::SWF::ControlTag>
const&>(boost::intrusive_ptr<gnash::SWF::ControlTag> const&)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/bits/vector.tcc:438:2
    #2 0x7fbac058ca71 in
gnash::SWFMovieDefinition::addControlTag(boost::intrusive_ptr<gnash::SWF::ControlTag>)
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.h:274:9
    #3 0x7fbac0586387 in gnash::SWFMovieDefinition::addDisplayObject(unsigned
short, gnash::SWF::DefinitionTag*)
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.cpp:163:5
    #4 0x7fbac05802fd in gnash::SWFParser::read(long)
/home/bastiaan/gnash/libcore/parser/SWFParser.cpp:96:17
    #5 0x7fbac0585738 in gnash::SWFMovieDefinition::read_all_swf()
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.cpp:467:18
    #6 0x7fbabd0b2d9f (/lib64/libstdc++.so.6+0x3b79ebad9f)

previously allocated by thread T1 here:
    #0 0x7fbac0ed806b in operator new(unsigned long)
(/home/bastiaan/obj-gnash-clang-sanitize/gui/.libs/lt-gtk-gnash+0x6e06b)
    #1 0x7fbac05a05b5 in void
std::vector<boost::intrusive_ptr<gnash::SWF::ControlTag>,
std::allocator<boost::intrusive_ptr<gnash::SWF::ControlTag> >
>::_M_emplace_back_aux<boost::intrusive_ptr<gnash::SWF::ControlTag>
const&>(boost::intrusive_ptr<gnash::SWF::ControlTag> const&)
/bin/../lib/gcc/x86_64-redhat-linux/4.9.2/../../../../include/c++/4.9.2/bits/vector.tcc:412:22
    #2 0x7fbac058ca71 in
gnash::SWFMovieDefinition::addControlTag(boost::intrusive_ptr<gnash::SWF::ControlTag>)
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.h:274:9
    #3 0x7fbac03693f9 in
gnash::SWF::DoInitActionTag::loader(gnash::SWFStream&, gnash::SWF::TagType,
gnash::movie_definition&, gnash::RunResources const&)
/home/bastiaan/gnash/libcore/swf/DoInitActionTag.h:96:9
    #4 0x7fbac05802fd in gnash::SWFParser::read(long)
/home/bastiaan/gnash/libcore/parser/SWFParser.cpp:96:17
    #5 0x7fbac0585738 in gnash::SWFMovieDefinition::read_all_swf()
/home/bastiaan/gnash/libcore/parser/SWFMovieDefinition.cpp:467:18
    #6 0x7fbabd0b2d9f (/lib64/libstdc++.so.6+0x3b79ebad9f)

Thread T1 created by T0 here:
    #0 0x7fbac0f2753f in pthread_create
(/home/bastiaan/obj-gnash-clang-sanitize/gui/.libs/lt-gtk-gnash+0xbd53f)
    #1 0x7fbabd0b2ed8 in
std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>)
(/lib64/libstdc++.so.6+0x3b79ebaed8)

SUMMARY: AddressSanitizer: heap-use-after-free
/usr/include/boost/smart_ptr/intrusive_ptr.hpp:162
boost::intrusive_ptr<gnash::SWF::ControlTag>::operator->() const
Shadow bytes around the buggy address:
  0x0c327fff9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff92a0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c327fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff92d0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff92e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==24477==ABORTING


So this clearly shows data deleted by the thread running read_all_swf() being
accessed by another thread.

(file #32996)
    _______________________________________________________

Additional Item Attachment:

File name: googlecrap.swf                 Size:64 KB


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?42420>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
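The trace above pins the freed region to a std::vector<boost::intrusive_ptr<ControlTag>> buffer released inside _M_emplace_back_aux while the parser thread (T1) appends a tag, and the read to MovieClip::executeFrameTags on the main thread (T0) walking that same vector. The following is an added example, not gnash's code and not the fix the project applied: it reproduces the growth step that frees the buffer, then shows one mitigation in which both threads touch the tag list only under a mutex and readers take an owning copy of the element. ControlTag is a hypothetical stand-in for gnash::SWF::ControlTag, and std::shared_ptr stands in for boost::intrusive_ptr so the code builds without Boost.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

// Stand-in for gnash::SWF::ControlTag (hypothetical; the real class lives in libcore/swf).
struct ControlTag {
    explicit ControlTag(int id) : id(id) {}
    int id;
    int execute() const { return id; }   // the reader's executeFrameTags work, simplified
};

// The mechanism behind the report: std::vector grows by allocating a larger buffer, copying
// the elements over and freeing the old buffer (that free is the _M_emplace_back_aux frame in
// the ASan trace). Any iterator, reference or raw pointer into the old buffer is now dangling.
// buffer_moved() isolates the exact push that invalidates it: reserve `reserved` slots, record
// the buffer address as an integer (so no dangling pointer is ever dereferenced or compared),
// perform `pushes` appends and report whether the storage moved.
bool buffer_moved(std::size_t reserved, std::size_t pushes) {
    std::vector<std::shared_ptr<ControlTag>> tags;
    tags.reserve(reserved);
    const std::uintptr_t before = reinterpret_cast<std::uintptr_t>(tags.data());
    for (std::size_t i = 0; i < pushes; ++i)
        tags.push_back(std::make_shared<ControlTag>(static_cast<int>(i)));
    return reinterpret_cast<std::uintptr_t>(tags.data()) != before;
}

// One mitigation: serialise the parser's appends and the player's reads on a single mutex and
// hand readers an owning copy of the element. The vector may still reallocate underneath, but
// a reader never holds an iterator into it across the lock, and the copied shared_ptr keeps
// the tag alive regardless of what the vector's buffer does.
class ControlTagList {
public:
    void add(std::shared_ptr<ControlTag> tag) {
        std::lock_guard<std::mutex> lock(mutex_);
        tags_.push_back(std::move(tag));
    }
    // Returns a null pointer when index i has not been parsed yet.
    std::shared_ptr<ControlTag> at(std::size_t i) const {
        std::lock_guard<std::mutex> lock(mutex_);
        return i < tags_.size() ? tags_[i] : nullptr;
    }
    std::size_t size() const {
        std::lock_guard<std::mutex> lock(mutex_);
        return tags_.size();
    }
private:
    mutable std::mutex mutex_;
    std::vector<std::shared_ptr<ControlTag>> tags_;
};

struct RunResult {
    std::size_t appended;  // tags the parser thread added
    std::size_t executed;  // tags the player thread read and executed
    long checksum;         // sum of executed tag ids: proves every read saw intact data
};

// Replays the two threads from the report: T1 parses and appends tags while T0 advances the
// movie and executes whatever has been parsed so far. With ControlTagList both threads touch
// the vector only under the mutex, so the reader can never observe a freed buffer.
RunResult run_parser_and_player(std::size_t n_tags) {
    ControlTagList tags;
    std::atomic<bool> parser_done{false};
    std::thread parser([&] {
        for (std::size_t i = 0; i < n_tags; ++i)
            tags.add(std::make_shared<ControlTag>(static_cast<int>(i)));
        parser_done = true;   // published only after the last add has completed
    });
    std::size_t next = 0, executed = 0;
    long checksum = 0;
    // Keep reading until the parser has finished and every appended tag has been executed.
    while (!parser_done || next < tags.size()) {
        if (std::shared_ptr<ControlTag> tag = tags.at(next)) {
            checksum += tag->execute();
            ++executed;
            ++next;
        } else {
            std::this_thread::yield();   // frame is ahead of the parser; wait for more tags
        }
    }
    parser.join();
    return {tags.size(), executed, checksum};
}
```

buffer_moved(4, 4) stays false while buffer_moved(4, 5) is true, which is the same capacity boundary the parser crossed in the report; once the list is locked, run_parser_and_player executes every tag the parser appended with an intact checksum. The lock is the simplest option; a design that hands the player an immutable snapshot of the tag list per frame, or that finishes parsing before playback begins, removes the shared mutable vector altogether.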