1134560 - (CVE-2015-0804) Type confusion in HTMLSourceElement::BindToTree

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Nils]

Attachment: testcase

When binding a <source> element to a tree the functions checks for any siblings of the type <img>. It fails to validate the namespace and only checks for the tag name:

  if (aParent && aParent->IsNodeOfType(nsINode::eMEDIA)) {
    HTMLMediaElement* media = static_cast<HTMLMediaElement*>(aParent);
    media->NotifyAddedSource();
  } else if (aParent && aParent->Tag() == nsGkAtoms::picture) {
    // Find any img siblings after this <source> and notify them
    nsCOMPtr<nsINode> sibling = AsContent();
    while ( (sibling = sibling->GetNextSibling()) ) {
      if (sibling->Tag() == nsGkAtoms::img) {
        HTMLImageElement *img = static_cast<HTMLImageElement*>(sibling.get());
        img->PictureSourceAdded(AsContent());
      }
    }
  }

  This can result in a type confusion. See attached testcase which demonstrates the issue. ASan detects this issue as a use-after-free (output attached). This vulnerability can also be triggered on the stable release version of Firefox without <picture> being enabled as the check in the code only validates the tag name. The testcase on crashes on Windows accessing on mapped memory during garbage collection.

Comment 1

[Nils]

Attachment: asan.txt

Comment 2

[Robert Longson [:longsonr]]

patch in bug 1134561 fixes this too.