Closed
Bug 1167326
Opened 10 years ago
Closed 9 years ago
CompositorD3D11::DrawVRDistortion using uninitialized memory
Categories
(Core :: Graphics: Layers, defect)
Tracking
RESOLVED
FIXED
mozilla42
Tracking | Status | |
---|---|---|
firefox39 | --- | disabled |
firefox40 | --- | disabled |
firefox41 | --- | disabled |
firefox42 | --- | fixed |
firefox-esr38 | --- | unaffected |
People
(Reporter: q1, Assigned: vlad)
Details
(Keywords: csectype-uninitialized, sec-other, Whiteboard: [post-critsmash-triage])
Attachments
(1 file)
1.21 KB, patch | bas.schouten: review+
User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20150305021524
Steps to reproduce:
In Firefox 38.0.1, CompositorD3D11::DrawVRDistortion uses uninitialized memory at gfx\layers\d3d11\CompositorD3D11.cpp line 749.
The problem is that DrawVRDistortion does not check the return value from the Windows function ID3D11DeviceContext::Map at line 748, thus (on failure) leaving untouched whatever was contained in the uninitialized variable resource:
```cpp
748: mContext->Map(mAttachments->mVRDistortionConstants, 0, D3D11_MAP_WRITE_DISCARD, 0, &resource);
749: *(gfx::VRDistortionConstants*)resource.pData = shaderConstants;
```
Since resource can contain anything, this bug could make it possible to write data into anywhere in Firefox's address space. Depending on how DrawVRDistortion is used, this bug might be exploitable to disclose sensitive data and/or cause execution of attacker-selected code.
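Added example (not Gecko code and not the attached patch): the hardened shape of a Map/write pair, with a stand-in context whose types mirror the HRESULT and D3D11_MAPPED_SUBRESOURCE shapes so it compiles off Windows. FakeContext, UploadVRConstants and the constants layout are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstring>

// Stand-ins for the Win32/D3D11 types (assumption: same shape as the real ones,
// HRESULT narrowed to 32 bits so the failure bit is the sign bit on any platform).
typedef int32_t HRESULT;
static const HRESULT S_OK = 0;
static const HRESULT E_FAIL = static_cast<HRESULT>(0x80004005u);
static inline bool FAILED(HRESULT hr) { return hr < 0; }

struct D3D11_MAPPED_SUBRESOURCE {
    void* pData;
    unsigned RowPitch;
    unsigned DepthPitch;
};

// Constructed constant-buffer layout, not Gecko's real VRDistortionConstants.
struct VRDistortionConstants {
    float eyeToSource[4];
    float destinationScaleAndOffset[4];
};

// Minimal fake device context: a constant buffer plus a switch that makes
// Map() fail. Like the real call, a failing Map() leaves *out untouched.
struct FakeContext {
    VRDistortionConstants buffer{};
    bool failMap = false;
    HRESULT Map(D3D11_MAPPED_SUBRESOURCE* out) {
        if (failMap) return E_FAIL;
        out->pData = &buffer;
        out->RowPitch = out->DepthPitch = sizeof(buffer);
        return S_OK;
    }
    void Unmap() {}
};

// Hardened upload: zero-init the mapped struct, check the HRESULT, write only
// through a pointer Map() actually filled in, then Unmap.
bool UploadVRConstants(FakeContext& ctx, const VRDistortionConstants& c) {
    D3D11_MAPPED_SUBRESOURCE resource = {};   // pData is nullptr, not stack garbage
    HRESULT hr = ctx.Map(&resource);
    if (FAILED(hr) || resource.pData == nullptr) return false;
    std::memcpy(resource.pData, &c, sizeof(c));
    ctx.Unmap();
    return true;
}

// Self-checks: a failed Map() is rejected and the buffer stays zeroed; a
// successful Map() lands the constants in the buffer.
bool FailedMapLeavesBufferUntouched() {
    FakeContext ctx; ctx.failMap = true;
    VRDistortionConstants c = {{1, 2, 3, 4}, {5, 6, 7, 8}};
    return !UploadVRConstants(ctx, c) && ctx.buffer.eyeToSource[2] == 0.0f;
}
bool SuccessfulMapWritesConstants() {
    FakeContext ctx;
    VRDistortionConstants c = {{1, 2, 3, 4}, {5, 6, 7, 8}};
    return UploadVRConstants(ctx, c) && ctx.buffer.destinationScaleAndOffset[3] == 8.0f;
}
```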
Updated•10 years ago
Component: Untriaged → Graphics: Layers
Flags: needinfo?(bas)
Product: Firefox → Core
Comment 1•10 years ago
I don't know whether the VR thing here means this is a nightly-only feature or not. Not assigning a security rating yet.
Keywords: csectype-uninitialized
Comment 2•10 years ago
It's nightly/dev-edition only, and only with a non-default pref flipped. I'll fix.
Assignee: nobody → vladimir
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(bas)
Updated•10 years ago
status-firefox39: --- → disabled
status-firefox40: --- → disabled
status-firefox41: --- → disabled
status-firefox-esr38: --- → unaffected
Keywords: sec-other
Comment 3•9 years ago
Attachment #8632823 - Flags: review?(bas)
Updated•9 years ago
Attachment #8632823 - Flags: review?(bas) → review+
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox42: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Whiteboard: [post-critsmash-triage]
Updated•9 years ago
Group: core-security-release