Closed
Bug 1167320
Opened 9 years ago
Closed 9 years ago
DataSourceSurfaceD2D1::Map using uninitialized memory
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1167356
| Tracking | Status | |
|---|---|---|
| firefox38 | --- | wontfix |
| firefox39 | + | fixed |
| firefox38.0.5 | --- | wontfix |
| firefox40 | + | fixed |
| firefox41 | + | fixed |
| firefox-esr31 | 39+ | fixed |
| firefox-esr38 | 39+ | fixed |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | unaffected |
| b2g-master | --- | unaffected |
People
(Reporter: q1, Assigned: acomminos)
References
Details
(Keywords: csectype-uninitialized, sec-high, Whiteboard: [adv-main39-][adv-esr38.1-][adv-esr31.8-])
Attachments
(1 file)
|
1.29 KB,
patch
|
bas.schouten
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20150305021524
Steps to reproduce:
In Firefox 38.0.1, DataSourceSurfaceD2D1::Map uses uninitialized memory at gfx\2d\SourceSurfaceD2D1.cpp lines 186 and succeeding lines.
The problem is that DataSourceSurfaceD2D1::Map does not check the return value from the Windows function ID2D1Bitmap1::Map at line 185, thus (on failure) leaving untouched whatever was contained in the uninitialized variable map
177: D2D1_MAP_OPTIONS options;
178: if (aMapType == MapType::READ) {
179: options = D2D1_MAP_OPTIONS_READ;
180: } else {
181: MOZ_CRASH("No support for Write maps on D2D1 DataSourceSurfaces yet!");
182: }
183:
184: D2D1_MAPPED_RECT map;
185: mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map);
186: aMappedSurface->mData = map.bits;
187: aMappedSurface->mStride = map.pitch;
188:
189: mIsMapped = !!aMappedSurface->mData;
190: return mIsMapped;
Since map can contain anything, this bug could make it possible to read from anywhere in Firefox's address space. This might potentially cause one session to read (and possibly use and/or display) data from a different session. Also, if someone adds support for write maps, this bug could allow data to be *written* to anywhere in Firefox's address space.
There also appears to be a similar bug in DataSourceSurfaceD2D1::EnsureMapped() at gfx\2d\SourceSurfaceD2D1.cpp line 218.
|
||
Updated•9 years ago
|
Component: Untriaged → Graphics
Flags: needinfo?(bas)
Product: Firefox → Core
We've had Andrew look at similar issues (e.g., bug 1167393)
|
Assignee | |
Comment 2•9 years ago
|
||
Attachment #8610769 -
Flags: review?(bas)
|
||
Comment 3•9 years ago
|
||
Comment on attachment 8610769 [details] [diff] [review] Check mapping results in SourceSurfaceD2D1. Review of attachment 8610769 [details] [diff] [review]: ----------------------------------------------------------------- Obviously no issues with this, did anyone check if Map does or doesn't null out the data pointer if it returns an error?
Attachment #8610769 -
Flags: review?(bas) → review+
|
||
Updated•9 years ago
|
|
|
||
Updated•9 years ago
|
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-master:
--- → unaffected
status-firefox38:
--- → wontfix
status-firefox38.0.5:
--- → wontfix
status-firefox39:
--- → affected
status-firefox40:
--- → affected
status-firefox41:
--- → affected
status-firefox-esr31:
--- → affected
status-firefox-esr38:
--- → affected
tracking-firefox39:
--- → +
tracking-firefox40:
--- → +
tracking-firefox41:
--- → +
tracking-firefox-esr31:
--- → 39+
tracking-firefox-esr38:
--- → 39+
Keywords: csectype-uninitialized
|
|
||
Updated•9 years ago
|
Flags: sec-bounty?
|
||
Comment 4•9 years ago
|
||
Does this need to land or is the fix still in progress? Since this is sec-high I figure you may want to uplift it to beta once it's ready.
Flags: needinfo?(bas)
Flags: needinfo?(acomminos)
|
||
Comment 5•9 years ago
|
||
This needs sec-approval to land.
|
|
Assignee | |
Comment 6•9 years ago
|
||
Fixes for DataSourceSurface::Map related bugs are handled in my patch for bug 1167356.
Flags: needinfo?(acomminos)
|
|
||
Comment 7•9 years ago
|
||
So, is this fixed ? A dupe of 1167356? Or is there still work to do here for 39?
Flags: needinfo?(acomminos)
|
|
Assignee | |
Comment 8•9 years ago
|
||
As per Daniel's suggestion, I've corrected all map related issues in 1167356.
Flags: needinfo?(acomminos)
|
|
Assignee | |
Updated•9 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bas)
Resolution: --- → DUPLICATE
Since the original bug 1167356 is already fixed and uplifted in Beta, Aurora, moz-central etc., updating status-firefoxN to "fixed".
|
|
||
Updated•9 years ago
|
Whiteboard: [adv-main39-][adv-esr38.1-][adv-esr31.8-]
|
|
||
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•