User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0 Build ID: 20150305021524 Steps to reproduce: In Firefox 38.0.1, CompositorD3D11::DrawVRDistortion uses uninitialized memory at gfx\layers\d3d11\CompositorD3D11.cpp line 749. The problem is that DrawVRDistortion does not check the return value from the Windows function ID3D11DeviceContext::Map at line 748, thus (on failure) leaving untouched whatever was contained in the uninitialized variable resource: 748: mContext->Map(mAttachments->mVRDistortionConstants, 0, D3D11_MAP_WRITE_DISCARD, 0, &resource); 749: *(gfx::VRDistortionConstants*)resource.pData = shaderConstants; Since resource can contain anything, this bug could make it possible to write data into anywhere in Firefox's address space. Depending on how DrawVRDistortion is used, this bug might be exploitable to disclose sensitive data and/or cause execution of attacker-selected code.
Component: Untriaged → Graphics: Layers
Product: Firefox → Core
I don't know whether the VR thing here means this is a nightly-only feature or not. Not assigning a security rating yet.
It's nightly/dev-edition only, and only with a non-default pref flipped. I'll fix.
Assignee: nobody → vladimir
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8632823 - Flags: review?(bas) → review+
You need to log in before you can comment on or make changes to this bug.