Closed
Bug 497256
Opened 15 years ago
Closed 14 years ago
Buffer overflow in debug code for reflow rules
Categories: Core :: Layout, defect
Tracking: RESOLVED FIXED, target milestone mozilla1.9.3a4
People
(Reporter: dfoxfranke, Assigned: dbaron)
References: none
Details
(Whiteboard: [sg:moderate])
Attachments (1 file): 2.46 KB, patch; roc: review+
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3) Gecko/20090403 Shiretoko/3.1b3
Build Identifier: trunk

DR_State::ParseRule() contains a stack-allocated 128-character buffer which DR_State::GetToken() will blindly overrun if a reflow rule file contains a stretch of more than 128 characters without whitespace.

In order for this to be exploited, the victim would have to be persuaded to download a malicious rule file and then run a debug build of Mozilla with an environment variable set to its path. However, this is not completely unrealistic: an attacker might conceivably dupe a Mozilla developer into doing this while under the guise of seeking help tracking down a layout bug.

Reproducible: Always

Steps to Reproduce:
1. Create a file containing a large string of arbitrary text, with no whitespace.
2. Set the GECKO_DISPLAY_REFLOW_RULES_FILE environment variable to the file's path.
3. Launch a debug build of Firefox.
4. Observe segfault.
Updated•15 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:moderate]
Comment 1•14 years ago
Probably easiest to think of pulling the getc() call into the loop body as a separate refactoring step before the rest of the patch. Changing cX to size_t is to avoid a signed-unsigned comparison warning.
Attachment #437188 -
Flags: review?(roc) → review+
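The report above describes a tokenizer that copies a whitespace-delimited token into a fixed 128-byte stack buffer without checking the length, and comment 1 describes the shape of the fix: the getc() call moves into the loop body so every byte is checked against the limit before it is stored, and the index becomes size_t. The following is an added example written for this page, not Mozilla's DR_State code or the attached patch. It reads tokens from a constructed in-memory character source (CharSource and source_getc are stand-ins for the FILE* and getc() in the real code), enforces the buffer bound in read_token, and reports an oversized token instead of overrunning the buffer, so a rule-file loader can reject a file like the one in the reproduction steps. All names and the sample rule text are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_BUF_SIZE 128   /* same size as the buffer in the report */

/* Constructed in-memory character source that stands in for the FILE*
   the real tokenizer reads with getc(); hypothetical, not Mozilla code. */
typedef struct {
    const char *data;
    size_t pos;
} CharSource;

static int source_getc(CharSource *src) {
    unsigned char c = (unsigned char)src->data[src->pos];
    if (c == '\0')
        return EOF;
    src->pos++;
    return c;
}

typedef enum { TOKEN_OK = 0, TOKEN_EOF = 1, TOKEN_TOO_LONG = 2 } TokenStatus;

/* Bounded tokenizer: stores at most bufSize-1 non-whitespace bytes in buf and
   always NUL-terminates. The next byte is fetched inside the loop body, after
   the bound check, and the index is size_t so it compares cleanly with bufSize.
   An overlong token is truncated, the rest of it is discarded, and
   TOKEN_TOO_LONG is returned so the caller can refuse the input. */
TokenStatus read_token(CharSource *src, char *buf, size_t bufSize) {
    size_t cX = 0;
    int c;

    /* skip leading whitespace */
    do {
        c = source_getc(src);
    } while (c != EOF && isspace(c));
    if (c == EOF) {
        buf[0] = '\0';
        return TOKEN_EOF;
    }

    for (;;) {
        if (cX + 1 >= bufSize) {
            /* no room for this byte plus the terminator: stop before writing */
            buf[cX] = '\0';
            while (c != EOF && !isspace(c))
                c = source_getc(src);   /* drain the remainder of the token */
            return TOKEN_TOO_LONG;
        }
        buf[cX++] = (char)c;
        c = source_getc(src);
        if (c == EOF || isspace(c))
            break;
    }
    buf[cX] = '\0';
    return TOKEN_OK;
}

/* Scan a whole rule text. Returns the number of tokens that do not fit in a
   TOKEN_BUF_SIZE buffer; stores the total token count in *total if non-NULL. */
size_t count_oversized_tokens(const char *text, size_t *total) {
    CharSource src = { text, 0 };
    char buf[TOKEN_BUF_SIZE];
    size_t over = 0, n = 0;
    TokenStatus st;

    while ((st = read_token(&src, buf, sizeof buf)) != TOKEN_EOF) {
        n++;
        if (st == TOKEN_TOO_LONG)
            over++;
    }
    if (total)
        *total = n;
    return over;
}

/* Constructed sample rule text: the third token is 144 bytes with no
   whitespace, longer than the 128-byte buffer described in the report. */
#define A16 "AAAAAAAAAAAAAAAA"
static const char SAMPLE_RULES[] =
    "frame 10 " A16 A16 A16 A16 A16 A16 A16 A16 A16 " margin 20\n";

int main(void) {
    size_t total = 0;
    size_t over = count_oversized_tokens(SAMPLE_RULES, &total);
    printf("%zu tokens, %zu too long for a %d-byte buffer\n",
           total, over, TOKEN_BUF_SIZE);
    return over ? 1 : 0;   /* non-zero: refuse the rule file */
}
```

The check `cX + 1 >= bufSize` runs before each store, so the buffer can never receive more than bufSize-1 bytes regardless of how long the input token is; a loader that treats TOKEN_TOO_LONG as fatal turns the segfault from the reproduction steps into a clean rejection.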
Comment 2•14 years ago
http://hg.mozilla.org/mozilla-central/rev/3f7faac350f1
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a4
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release
Updated•6 years ago
Product: Core → Core Graveyard
Updated•6 years ago
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core