497256 - Buffer overflow in debug code for reflow rules

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Daniel Franke]

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3) Gecko/20090403 Shiretoko/3.1b3
Build Identifier: trunk

DR_State::ParseRule() contains a stack-allocated 128-character buffer which DR_State::GetToken() will blindly overrun if a reflow rule file contains a stretch of more than 128 characters without whitespace.

In order for this to be exploited, the victim would have to be persuaded to download a malicious rule file and then run a debug build of Mozilla with an environment variable set to its path.  However, this is not completely unrealistic: an attacker might conceivably dupe a Mozilla developer into doing this while under the guise of seeking help tracking down a layout bug.

Reproducible: Always

Steps to Reproduce:
1. Create a file containing a large string of arbitrary text, with no whitespace.
2. Set the GECKO_DISPLAY_REFLOW_RULES_FILE environment variable to the file's path.
3. Launch a debug build of Firefox.
4. Observe segfault.

Comment 1

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Attachment: patch

Probably easiest to think of pulling the getc() call into the loop body as a separate refactoring step before the rest of the patch.

Changing cX to size_t is to avoid a signed-unsigned comparison warning.

Comment 2

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

http://hg.mozilla.org/mozilla-central/rev/3f7faac350f1