Closed
Bug 1299062
Opened 8 years ago
Closed 8 years ago
heap-overflow and potential UAF [@mozilla::dom::CanvasRenderingContext2D::GetImageDataArray]
Categories
(Core :: Graphics: Canvas2D, defect)
Core
Graphics: Canvas2D
Tracking
()
RESOLVED
FIXED
mozilla51
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | unaffected |
| firefox49 | --- | unaffected |
| firefox-esr45 | --- | unaffected |
| firefox50 | --- | unaffected |
| firefox51 | --- | fixed |
People
(Reporter: tsmith, Assigned: ethlin)
References
(Blocks 1 open bug)
Details
(6 keywords)
Attachments
(5 files)
I have seen this reproduce as both an out of bounds read and a use-after-free.
==8460==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000339c18 at pc 0x7ffac8affce2 bp 0x7ffcf33eaeb0 sp 0x7ffcf33eaea8
READ of size 1 at 0x602000339c18 thread T0
#0 0x7ffac8affce1 in mozilla::dom::CanvasRenderingContext2D::GetImageDataArray(JSContext*, int, int, unsigned int, unsigned int, JSObject**) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:5491:19
#1 0x7ffac8afe14f in mozilla::dom::CanvasRenderingContext2D::GetImageData(JSContext*, double, double, double, double, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:5368:12
#2 0x7ffac7c4c216 in mozilla::dom::CanvasRenderingContext2DBinding::getImageData(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:4584:55
#3 0x7ffac8a078c0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2812:13
#4 0x7ffaceace6bc in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:235:15Flags: in-testsuite?
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → ethlin
|
|
Assignee | |
Comment 3•8 years ago
|
||
Before using the DrawTarget, we should check if it's valid.
Attachment #8786593 -
Flags: review?(nical.bugzilla)
|
||
Updated•8 years ago
|
Attachment #8786593 -
Flags: review?(nical.bugzilla) → review+
|
|
Assignee | |
Updated•8 years ago
|
Keywords: checkin-needed
|
||
Comment 4•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/1065b1b168df
Keywords: checkin-needed
|
|
||
Comment 5•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/1065b1b168df This probably should have gone through the sec-approval process before landing. What rating should it have? What branches are affected?
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(ethlin)
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
|
||
Updated•8 years ago
|
Group: gfx-core-security → core-security-release
|
|
Assignee | |
Comment 6•8 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #5) > https://hg.mozilla.org/mozilla-central/rev/1065b1b168df > > This probably should have gone through the sec-approval process before > landing. What rating should it have? What branches are affected? Only firefox51 is affected. The bug has a csectype-uaf rating.
Flags: needinfo?(ethlin)
|
||
Updated•8 years ago
|
Keywords: sec-critical
|
|
||
Updated•8 years ago
|
status-firefox48:
--- → unaffected
status-firefox49:
--- → unaffected
status-firefox50:
--- → unaffected
status-firefox-esr45:
--- → unaffected
|
|
Assignee | |
Comment 7•8 years ago
|
||
Add the testcase into crashtest.
Attachment #8787483 -
Flags: review?(nical.bugzilla)
|
|
||
Updated•8 years ago
|
Attachment #8787483 -
Flags: review?(nical.bugzilla) → review+
|
|
||
Comment 8•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/c4fb41365df3
Flags: in-testsuite? → in-testsuite+
|
|
||
Updated•8 years ago
|
Group: core-security-release
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•