Closed
Bug 1020219
Opened 10 years ago
Closed 10 years ago
Fix a bug that can cause DataSourceSurface buffers to be smaller than the DataSourceSurface expects them to be
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
FIXED
mozilla33
People
(Reporter: jwatt, Assigned: jwatt)
References
Details
(Keywords: csectype-bounds, regression, sec-critical, Whiteboard: [adv-main31+][qa-])
Attachments
(1 obsolete file)
Yikes. In SourceSurfaceAlignedRawData::Init and SourceSurfaceAlignedRawData::InitWithStride the temporary that is passed to Realloc may not have enough precision to store the result of |mStride * aSize.height|. That can cause us to have a buffer that is much smaller than the DataSourceSurface expects and needs it to be.
|
Assignee | |
Comment 1•10 years ago
|
||
Attachment #8434038 -
Flags: review?(bas)
|
||
Updated•10 years ago
|
Attachment #8434038 -
Flags: review?(bas) → review+
|
||
Updated•10 years ago
|
Group: gfx-core-security
|
|
||
Updated•10 years ago
|
status-firefox29:
--- → ?
status-firefox30:
--- → affected
status-firefox31:
--- → affected
status-firefox32:
--- → affected
status-firefox-esr24:
--- → ?
|
|
||
Updated•10 years ago
|
tracking-firefox30:
--- → +
tracking-firefox31:
--- → +
tracking-firefox32:
--- → +
tracking-firefox-esr24:
--- → ?
|
|
||
Comment 2•10 years ago
|
||
Tagged as a security issue after an IRC chat with Jonathan.
|
|
Assignee | |
Comment 3•10 years ago
|
||
The broken code came from bug 892505.
|
|
||
Comment 4•10 years ago
|
||
OK. Therefor ESR 24 is unaffected (this landed in 25).
|
||
Updated•10 years ago
|
Keywords: csectype-bounds,
sec-critical
|
||
Updated•10 years ago
|
status-b2g-v1.2:
--- → affected
status-b2g-v1.3:
--- → affected
status-b2g-v1.3T:
--- → affected
status-b2g-v1.4:
--- → affected
status-b2g-v2.0:
--- → affected
|
||
Comment 5•10 years ago
|
||
We can take this in the FF30 release now please nominate for uplift all the way to mozilla-release asap.
Flags: needinfo?(jwatt)
|
|
Assignee | |
Comment 6•10 years ago
|
||
Comment on attachment 8434038 [details] [diff] [review]
patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 892505
User impact if declined: sg bug
Testing completed (on m-c, etc.): none (simultaneous landing?
Risk to taking this patch (and alternatives if risky): essentially zero risk
String or IDL/UUID changes made by this patch: none
The reason I say this is essentially zero risk is because it only changes the code to use a temporary of a larger type, which is the type of the parameter the function the temporary is being passed to is.
Attachment #8434038 -
Flags: approval-mozilla-release?
Attachment #8434038 -
Flags: approval-mozilla-beta?
Attachment #8434038 -
Flags: approval-mozilla-aurora?
Flags: needinfo?(jwatt)
|
|
||
Updated•10 years ago
|
Blocks: 892505
Keywords: regression
|
|
||
Comment 7•10 years ago
|
||
Comment on attachment 8434038 [details] [diff] [review]
patch
sec-approval+ for landing as long as this can land in Firefox 30. Otherwise we should wait a few weeks into the next cycle. I'd be happier without the comment pointing at the overflow risk though I guess the patch would be pretty obvious without it anyway.
a=dveditz for landing on the aurora, beta, and release branches.
Attachment #8434038 -
Flags: sec-approval+
Attachment #8434038 -
Flags: approval-mozilla-release?
Attachment #8434038 -
Flags: approval-mozilla-release+
Attachment #8434038 -
Flags: approval-mozilla-beta?
Attachment #8434038 -
Flags: approval-mozilla-beta+
Attachment #8434038 -
Flags: approval-mozilla-aurora?
Attachment #8434038 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 8•10 years ago
|
||
Comment on attachment 8434038 [details] [diff] [review]
patch
Removing approvals, we don't think this fixes Win32 builds (our most popular). Since we really need a more thorough fix in the future anyway we should just do that rather than rush an incomplete fix into Firefox 30.
Attachment #8434038 -
Flags: sec-approval-
Attachment #8434038 -
Flags: sec-approval+
Attachment #8434038 -
Flags: approval-mozilla-release-
Attachment #8434038 -
Flags: approval-mozilla-release+
Attachment #8434038 -
Flags: approval-mozilla-beta-
Attachment #8434038 -
Flags: approval-mozilla-beta+
Attachment #8434038 -
Flags: approval-mozilla-aurora-
Attachment #8434038 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 9•10 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #8)
> we don't think this fixes Win32 builds
(Because size_t is 32-bits there, so AlignedArray::Realloc(size_t aSize) can't be passed a value big enough.)
|
|
||
Updated•10 years ago
|
|
|
Assignee | |
Updated•10 years ago
|
Whiteboard: [being fixed in bug 1023336]
|
|
Assignee | |
Comment 10•10 years ago
|
||
Please don't anyone link the two bugs. The idea here is to get the patches in quietly.
|
||
Updated•10 years ago
|
status-firefox33:
--- → affected
tracking-firefox33:
--- → +
|
|
||
Comment 11•10 years ago
|
||
Bug 1023336 seems to be fixed in m-c. Do we want an uplift in aurora et beta?
Flags: needinfo?(jwatt)
|
|
Assignee | |
Comment 12•10 years ago
|
||
Patches in bug 1023336 have landed on branches.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jwatt)
Resolution: --- → FIXED
Whiteboard: [being fixed in bug 1023336]
Target Milestone: --- → mozilla33
|
||
Comment 13•10 years ago
|
||
How should we get this fixed on the B2G release branches, namely b2g28 (v1.3) and b2g30 (v1.4)?
status-b2g-v2.1:
--- → fixed
Flags: needinfo?(jwatt)
|
|
Assignee | |
Comment 14•10 years ago
|
||
dveditz, what do you think?
Flags: needinfo?(jwatt) → needinfo?(dveditz)
|
|
||
Updated•10 years ago
|
Group: gfx-core-security → core-security
Flags: needinfo?(dveditz)
|
|
||
Comment 15•10 years ago
|
||
Can we just land bug 1023336 on those branches? It's quite plausible that we would take a bug to "Avoid jank caused by oversized data" for low memory devices and wouldn't attract attention that way.
|
|
||
Comment 16•10 years ago
|
||
Bug 1023336 applied pretty cleanly to b2g30 (just some context differences in the first patch), but it's causing crashtest crashes:
https://tbpl.mozilla.org/php/getParsedLog.php?id=43281427&tree=Mozilla-B2g30-v1.4
b2g28 has more changes that complicate the backport. Jonathan, can you please take a look? :)
Flags: needinfo?(jwatt)
|
|
Assignee | |
Comment 17•10 years ago
|
||
Landed on both b2g30 and b2g28. See bug 1023336 comment 12 and 13.
Flags: needinfo?(jwatt)
|
|
||
Updated•10 years ago
|
|
|
||
Updated•10 years ago
|
Whiteboard: [adv-main31+]
|
||
Comment 18•10 years ago
|
||
Marking [qa-], please feel free to include tests or STR if you'd like this tested. Thank you.
Whiteboard: [adv-main31+] → [adv-main31+][qa-]
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
|
Assignee | |
Comment 19•8 years ago
|
||
Comment on attachment 8434038 [details] [diff] [review]
patch
This is not what landed in bug 1023336.
Attachment #8434038 -
Attachment is obsolete: true
You need to log in
before you can comment on or make changes to this bug.
Description
•