Closed
Bug 360293
Opened 18 years ago
Closed 18 years ago
passing in non-numeric values to canvas functions causes crash inside cairo
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: vlad, Assigned: vlad)
Details
(4 keywords, Whiteboard: [sg:critical?])
Attachments
(3 files, 1 obsolete file)
676 bytes,
text/html
|
Details | |
8.95 KB,
patch
|
dveditz
:
review+
dveditz
:
approval1.8.1.1+
|
Details | Diff | Splinter Review |
11.00 KB,
patch
|
dveditz
:
review+
dveditz
:
approval1.8.0.9+
|
Details | Diff | Splinter Review |
The Canvas API uses floats in the IDL, so the C++ method signatures just accept floats. xpconnect uses JS_ValueToNumber to do the conversion from jsval to double, and ValueToNumber happily coverts non-numeric values (e.g. "foo") to NaN. Cairo doesn't handle NaN (or, I assume, +/-Inf) well, and so it leads to a crash.
Assignee | ||
Comment 2•18 years ago
|
||
I'm not sure if this is exploitable -- we should backport to 1.8.0.9 if so (trivial backport), otherwise we should just get it in to 1.8.1.x.
Flags: blocking1.9+
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Assignee | ||
Comment 3•18 years ago
|
||
Add checks to make sure each float value passed in is finite; error out otherwise.
Comment 4•18 years ago
|
||
In a windows debug build it crashes when we pass an invalid pointer to realloc, that's potentially bad.
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Whiteboard: [sg:critical?]
Assignee | ||
Comment 5•18 years ago
|
||
Better patch, using jsnum.h and JSDOUBLE_IS_FINITE (finitef()/__finitef() are not well supported, as far as I can tell). Separate patch for 1.8.0 coming soon.
Attachment #245246 -
Attachment is obsolete: true
Attachment #246057 -
Flags: review?(dveditz)
Assignee | ||
Comment 6•18 years ago
|
||
Patch for 1.8.0; untested right now (because I can't build 1.8.0 on my mac), but I'll fire up a linux vm for it. It's pretty straightforward, though.
Attachment #246173 -
Flags: review?(dveditz)
Comment 7•18 years ago
|
||
Comment on attachment 246173 [details] [diff] [review] validate floats, patch for 1.8.0.x r=dveditz NS_ERROR_ILLEGAL_VALUE might have been appropriate, too. But I don't feel strongly either way.
Attachment #246173 -
Flags: review?(dveditz) → review+
Comment 8•18 years ago
|
||
Comment on attachment 246057 [details] [diff] [review] fixed patch using JSDOUBLE_IS_FINITE. patch for 1.8.1/1.9. r=dveditz
Attachment #246057 -
Flags: review?(dveditz) → review+
Updated•18 years ago
|
Attachment #246057 -
Flags: approval1.8.1.1?
Updated•18 years ago
|
Attachment #246173 -
Flags: approval1.8.0.9?
Comment 9•18 years ago
|
||
Comment on attachment 246057 [details] [diff] [review] fixed patch using JSDOUBLE_IS_FINITE. patch for 1.8.1/1.9. approved for 1.8 branch, a=dveditz for drivers
Attachment #246057 -
Flags: approval1.8.1.1? → approval1.8.1.1+
Comment 10•18 years ago
|
||
Comment on attachment 246173 [details] [diff] [review] validate floats, patch for 1.8.0.x approved for 1.8.0 branch, a=dveditz for drivers
Attachment #246173 -
Flags: approval1.8.0.9? → approval1.8.0.9+
Assignee | ||
Comment 12•18 years ago
|
||
In on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 13•18 years ago
|
||
Verified fixed on trunk and branches, by using and testing builds before the patch went in and after the patch went in.
Status: RESOLVED → VERIFIED
Comment 14•18 years ago
|
||
canvasrenderingcontext does not exist on 1.7 branch. Has this code been migrated from somewhere or is this complete new code?
Updated•18 years ago
|
Group: security
Comment 15•15 years ago
|
||
crash test landed http://hg.mozilla.org/mozilla-central/rev/b12e996f5d7a
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•