Closed
Bug 1167370
Opened 9 years ago
Closed 9 years ago
TextRenderer::RenderText using uninitialized memory
Categories
(Core :: Graphics: Text, defect)
Tracking
()
RESOLVED
FIXED
mozilla41
People
(Reporter: q1, Assigned: kyle_fung)
Details
(Keywords: csectype-uninitialized, sec-other, Whiteboard: [post-critsmash-triage])
Attachments
(1 file, 2 obsolete files)
|
1.84 KB,
patch
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows; rv:26.0) Gecko/20100101 Firefox/26.0 Build ID: 20150305021524 Steps to reproduce: In Firefox 38.0.1, TextRenderer::RenderText uses uninitialized memory at gfx\layers\composite\TextRenderer.cpp line 96 et seq. The problem is that TextRenderer::RenderText does not check the return value from DataSourceSurface::Map at line 93, thus (on failure and for some derived classes of DataSourceSurface, e.g., DataSourceSurfaceD2D) leaving untouched whatever was contained in the uninitialized variable map: 92: DataSourceSurface::MappedSurface map; 93: textSurf->Map(DataSourceSurface::MapType::READ_WRITE, &map); 94: 95: // Initialize the surface to transparent white. 96: memset(map.mData, uint8_t(sBackgroundOpacity * 255.0f), 97: numLines * sCellHeight * map.mStride); 98: 99: uint32_t currentXPos = 0; 100: uint32_t currentYPos = 0; 101: 102: // Copy our glyphs onto the surface. ... 115: memcpy (map.mData + ...) Since map can contain anything, this bug could make it possible to write data into anywhere in Firefox's address space. Depending on how RenderText is used, this bug might be exploitable to disclose sensitive data and/or cause execution of attacker-selected code. Perhaps an attacker could design a font that contains data to be written to the stack such that, when RenderText returns, it passes control to an attacker-designated function.
There's also a similar bug in TextRenderer::EnsureInitialized at line 154.
|
||
Updated•9 years ago
|
Status: UNCONFIRMED → NEW
Component: Untriaged → Graphics: Layers
Ever confirmed: true
Flags: needinfo?(milan)
Keywords: csectype-uninitialized,
sec-critical
Product: Firefox → Core
|
||
Updated•9 years ago
|
Component: Graphics: Layers → Graphics: Text
Flags: needinfo?(milan)
|
|
||
Updated•9 years ago
|
Assignee: nobody → kfung
Attachment #8609533 -
Flags: review?(gavin.sharp)
Attachment #8609533 -
Flags: review?(gavin.sharp) → review?(bas)
Attachment #8609533 -
Attachment is obsolete: true
Attachment #8609533 -
Flags: review?(bas)
Attachment #8609666 -
Flags: review?(bas)
|
||
Updated•9 years ago
|
Attachment #8609666 -
Flags: review?(bas) → review+
|
|
||
Comment 4•9 years ago
|
||
Should be noted this isn't exactly sec critical as the TextRenderer isn't used without custom prefs set.
Comment on attachment 8609666 [details] [diff] [review] Addressed issue in line 154 Review of attachment 8609666 [details] [diff] [review]: ----------------------------------------------------------------- I'd have a more informative check-in comment, like "check for Map call failing" or some such. You'd also want it to be in the format Bug xxxxx: comment. r=reviewer".
|
||
Updated•9 years ago
|
status-firefox38:
--- → disabled
status-firefox38.0.5:
--- → disabled
status-firefox39:
--- → disabled
status-firefox40:
--- → disabled
status-firefox41:
--- → disabled
Keywords: sec-critical → sec-other
This is sec-other, so I don't think we need a security approval.
Flags: needinfo?(milan)
Attachment #8609666 -
Attachment is obsolete: true
Keywords: checkin-needed
|
||
Comment 9•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/20da4771e913
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox-esr38:
--- → disabled
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
|
||
Updated•9 years ago
|
Flags: sec-bounty?
|
|
||
Comment 10•9 years ago
|
||
(In reply to Bas Schouten (:bas.schouten) from comment #4) > Should be noted this isn't exactly sec critical as the TextRenderer isn't > used without custom prefs set. If we're never going to use it we should just rip it out. If we're working toward turning it on by default some day then the fact it isn't now doesn't reduce the severity of the potential vulnerability described here (though it wouldn't be an emergency, so critical->high is acceptable). So what's the status of this feature?
Flags: needinfo?(bas)
Keywords: sec-other
|
|
||
Comment 11•9 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #10) > (In reply to Bas Schouten (:bas.schouten) from comment #4) > > Should be noted this isn't exactly sec critical as the TextRenderer isn't > > used without custom prefs set. > > If we're never going to use it we should just rip it out. If we're working > toward turning it on by default some day then the fact it isn't now doesn't > reduce the severity of the potential vulnerability described here (though it > wouldn't be an emergency, so critical->high is acceptable). > > So what's the status of this feature? Incorrect, it's used for diagnostic purposes by Mozilla engineers. But only through a pref that would essentially never run in a production environment. So it serves a clear purpose, but is unlikely to ever be used in our normal release builds by our regular users. (Doesn't mean it isn't nice to have fixed)
Flags: needinfo?(bas)
Would we want to make it only show up in nightly+aurora then?
|
|
||
Comment 13•9 years ago
|
||
(In reply to Bas Schouten (:bas.schouten) from comment #11) > Incorrect, it's used for diagnostic purposes by Mozilla engineers. But only > through a pref that would essentially never run in a production environment. > So it serves a clear purpose, but is unlikely to ever be used in our normal > release builds by our regular users. Thanks for clarifying. sec-other is appropriate then
Flags: sec-bounty? → sec-bounty+
Keywords: sec-other
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•