Closed Bug 1167326 Opened 10 years ago Closed 9 years ago

CompositorD3D11::DrawVRDistortion using uninitialized memory

Categories

(Core :: Graphics: Layers, defect)

38 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla42
Tracking Status
firefox39 --- disabled
firefox40 --- disabled
firefox41 --- disabled
firefox42 --- fixed
firefox-esr38 --- unaffected

People

(Reporter: q1, Assigned: vlad)

Details

(Keywords: csectype-uninitialized, sec-other, Whiteboard: [post-critsmash-triage])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20150305021524

Steps to reproduce:

In Firefox 38.0.1, CompositorD3D11::DrawVRDistortion uses uninitialized memory at gfx\layers\d3d11\CompositorD3D11.cpp line 749. The problem is that DrawVRDistortion does not check the return value from the Windows function ID3D11DeviceContext::Map at line 748, thus (on failure) leaving untouched whatever was contained in the uninitialized variable resource:

748: mContext->Map(mAttachments->mVRDistortionConstants, 0, D3D11_MAP_WRITE_DISCARD, 0, &resource);
749: *(gfx::VRDistortionConstants*)resource.pData = shaderConstants;

Since resource can contain anything, this bug could make it possible to write data into anywhere in Firefox's address space. Depending on how DrawVRDistortion is used, this bug might be exploitable to disclose sensitive data and/or cause execution of attacker-selected code.
Component: Untriaged → Graphics: Layers
Flags: needinfo?(bas)
Product: Firefox → Core
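Added illustration of the pattern in the report above (not Firefox code and not the bug's actual patch): the Map() call whose HRESULT is dropped, beside a form that checks the result before touching pData. The device context is a constructed stand-in so the example builds offline; the type and constant names mirror the Windows ones but are defined here.

```cpp
// Added example: unchecked vs. checked ID3D11DeviceContext::Map() usage.
// Not Firefox code. FakeContext is a constructed stand-in for the D3D11
// device context so this compiles and runs without Windows or a GPU.
#include <cstdint>
#include <cstring>
#include <vector>

typedef int32_t HRESULT;                      // 32-bit like the Windows type
const HRESULT S_OK = 0;
const HRESULT E_FAIL = (HRESULT)0x80004005u;  // negative, so FAILED() is true
#define FAILED(hr) ((HRESULT)(hr) < 0)
enum D3D11_MAP { D3D11_MAP_WRITE_DISCARD = 4 };
struct D3D11_MAPPED_SUBRESOURCE { void* pData; uint32_t RowPitch, DepthPitch; };
struct VRDistortionConstants { float eyeToSource[4]; float destinationScale[4]; };

// Stand-in for ID3D11DeviceContext (the real Map() also takes the resource,
// subresource index and flags). Like the real API it fills *mapped only on
// success and leaves it untouched when it fails.
struct FakeContext {
  std::vector<uint8_t> storage;   // backing store of the constant buffer
  bool failNext = false;          // force the next Map() to fail, as a lost device would
  HRESULT Map(D3D11_MAP, D3D11_MAPPED_SUBRESOURCE* mapped) {
    if (failNext) { failNext = false; return E_FAIL; }
    mapped->pData = storage.data();
    mapped->RowPitch = mapped->DepthPitch = (uint32_t)storage.size();
    return S_OK;
  }
  void Unmap() {}
};

// Vulnerable shape, matching the two quoted lines: the HRESULT is dropped and
// resource.pData is dereferenced regardless, so a failed Map() turns the
// stack garbage in resource into the destination of a write.
void UploadUnchecked(FakeContext& ctx, const VRDistortionConstants& c) {
  D3D11_MAPPED_SUBRESOURCE resource;           // deliberately uninitialized
  ctx.Map(D3D11_MAP_WRITE_DISCARD, &resource); // return value ignored
  *(VRDistortionConstants*)resource.pData = c; // wild write if Map() failed
  ctx.Unmap();
}

// Hardened shape: zero-initialize the out-struct, check the HRESULT and
// report failure to the caller so the draw is skipped instead of writing.
bool UploadChecked(FakeContext& ctx, const VRDistortionConstants& c) {
  D3D11_MAPPED_SUBRESOURCE resource = {};      // pData is nullptr, never garbage
  HRESULT hr = ctx.Map(D3D11_MAP_WRITE_DISCARD, &resource);
  if (FAILED(hr) || !resource.pData) return false;
  std::memcpy(resource.pData, &c, sizeof(c));
  ctx.Unmap();
  return true;
}
```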
I don't know whether the VR thing here means this is a nightly-only feature or not. Not assigning a security rating yet.
It's nightly/dev-edition only, and only with a non-default pref flipped. I'll fix.
Assignee: nobody → vladimir
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(bas)
Attachment #8632823 - Flags: review?(bas) → review+
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Group: core-security → core-security-release
Whiteboard: [post-critsmash-triage]
Group: core-security-release
