Closed Bug 1172189 (CVE-2015-7175) Opened 5 years ago Closed 5 years ago

Overflow in XULContentSinkImpl::AddText causes memory-safety bug

Categories

(Core :: DOM: Core & HTML, defect)

38 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla41
Tracking Status
firefox39 --- affected
firefox40 --- affected
firefox41 --- fixed
firefox-esr31 --- wontfix
firefox-esr38 --- wontfix
b2g-v2.0 --- wontfix
b2g-v2.0M --- wontfix
b2g-v2.1 --- wontfix
b2g-v2.1S --- wontfix
b2g-v2.2 --- wontfix
b2g-master --- fixed

People

(Reporter: q1, Assigned: baku)

References

Details

(Keywords: csectype-intoverflow, sec-low, Whiteboard: [post-critsmash-triage][adv-main41+])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305021524

Steps to reproduce:

This bug is just like https://bugzilla.mozilla.org/show_bug.cgi?id=1172187 , but in XULContentSinkImpl::AddText (38.0.1\dom\xul\nsXULContentSink.cpp), line 1075:

1075:        mTextSize += aLength;
1076:        mText = (char16_t *) moz_realloc(mText, sizeof(char16_t) * mTextSize);
Summary: XULContentSinkImpl::AddText causes memory-safety bug → Overflow in XULContentSinkImpl::AddText causes memory-safety bug
Flags: sec-bounty?
Component: Untriaged → DOM
Product: Firefox → Core
See Also: → 1172187
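The two quoted lines, modelled as an added example (this is not Gecko code and not the patch attached to this bug). Assumptions: the counters are int32_t and the units are 2 bytes (uint16_t stands in for char16_t); the signed wrap of `mTextSize += aLength` is emulated with unsigned arithmetic because signed overflow is undefined in C; `checked_grow` is one way to harden the step (64-bit arithmetic plus range checks), chosen for the demo rather than taken from the fix. The scenario (a full 4096-unit buffer followed by an append of INT32_MAX units) is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t unit_t;   /* stands in for char16_t: 2-byte code units (assumption) */

/* What `mTextSize += aLength` yields once the int32 sum overflows.
   Signed overflow is undefined in C, so the wrap is emulated in unsigned
   arithmetic; two's-complement targets behave this way in practice. */
int32_t unchecked_new_size(int32_t size, int32_t add_len)
{
    uint32_t wrapped = (uint32_t)size + (uint32_t)add_len;
    return (int32_t)wrapped;
}

/* What `sizeof(char16_t) * mTextSize` hands to realloc for a size_t of the
   given width (32 or 64 bits): the int32 is converted to size_t first
   (negative values become huge), multiplied, then reduced modulo 2^width. */
uint64_t unchecked_realloc_bytes(int32_t new_size, int size_t_bits)
{
    uint64_t mask = size_t_bits == 64 ? UINT64_MAX : (((uint64_t)1 << size_t_bits) - 1);
    uint64_t as_size_t = (uint64_t)(int64_t)new_size & mask;
    return (as_size_t * sizeof(unit_t)) & mask;
}

/* Bytes actually required to hold length + add_len units, computed without overflow. */
uint64_t bytes_needed(int64_t length, int64_t add_len)
{
    return (uint64_t)(length + add_len) * sizeof(unit_t);
}

typedef struct {
    unit_t  *text;
    int32_t  length;   /* units in use    (mTextLength) */
    int32_t  size;     /* units allocated (mTextSize)   */
} sink_t;

/* Hardened growth step: compute the new unit count in 64 bits, reject a
   result that does not fit int32 or whose byte count does not fit size_t,
   and only then realloc. Leaves the sink untouched on overflow or OOM. */
bool checked_grow(sink_t *s, int32_t add_len)
{
    if (add_len < 0)
        return false;
    int64_t new_size = (int64_t)s->size + add_len;
    if (new_size > INT32_MAX)
        return false;
    if ((uint64_t)new_size > SIZE_MAX / sizeof(unit_t))
        return false;
    unit_t *p = realloc(s->text, sizeof(unit_t) * (size_t)new_size);
    if (!p)
        return false;
    s->text = p;
    s->size = (int32_t)new_size;
    return true;
}

/* AddText-style append built on the checked growth step. */
bool checked_add_text(sink_t *s, const unit_t *src, int32_t add_len)
{
    if (add_len < 0)
        return false;
    if (s->size - s->length < add_len && !checked_grow(s, add_len))
        return false;
    memcpy(s->text + s->length, src, sizeof(unit_t) * (size_t)add_len);
    s->length += add_len;
    return true;
}

/* Runs the checked path on the constructed scenario: an 8-unit append must
   succeed and a growth by INT32_MAX must be rejected without changing size. */
bool demo_checked(void)
{
    sink_t s = { calloc(4096, sizeof(unit_t)), 4096, 4096 };
    if (!s.text)
        return false;
    unit_t chunk[8] = {0};
    bool ok = checked_add_text(&s, chunk, 8) && s.size == 4104 && s.length == 4104
              && !checked_grow(&s, INT32_MAX) && s.size == 4104;
    free(s.text);
    return ok;
}

int main(void)
{
    int32_t size = 4096, length = 4096, add_len = INT32_MAX;   /* constructed scenario */
    int32_t wrapped = unchecked_new_size(size, add_len);
    printf("mTextSize after +=: %d\n", wrapped);
    printf("realloc gets %llu bytes (32-bit size_t) or %llu bytes (64-bit size_t); memcpy needs %llu\n",
           (unsigned long long)unchecked_realloc_bytes(wrapped, 32),
           (unsigned long long)unchecked_realloc_bytes(wrapped, 64),
           (unsigned long long)bytes_needed(length, add_len));
    printf("checked path behaves as expected: %s\n", demo_checked() ? "yes" : "no");
    return 0;
}
```

On the constructed input the wrapped counter goes negative; with a 32-bit size_t the byte count handed to realloc shrinks to 8190 while the data needs about 4 GiB, which is the heap-overflow case, and with a 64-bit size_t it becomes astronomically large, so realloc fails and the caller sees an OOM error instead. The checked version rejects the growth before any allocation happens.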
XUL isn't exposed to the web so, this isn't as serious as bug 1172187.
Marking sec-other because it is not exposed to content.
Keywords: sec-other
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch crash8.patch
Assignee: nobody → amarchesini
Attachment #8621018 - Flags: review?(ehsan)
Attachment #8621018 - Flags: review?(ehsan) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/4c18b9c2c98c

Is this worth backporting?
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Flags: sec-bounty? → sec-bounty+
(In reply to Olli Pettay [:smaug] from comment #1)
> XUL isn't exposed to the web so, this isn't as serious as bug 1172187.

Not directly. We do, in some cases, take aspects of web content and display text in our own XUL dialogs. Seems super unlikely to be a problem if the text survived in the HTML page but we can't rule it out, either.
Keywords: sec-other → sec-low
It can't hurt to backport if it's easy to do so, but I don't think it's necessary.
Flags: needinfo?(amarchesini)
Whiteboard: [post-critsmash-triage]
Group: core-security → core-security-release
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main41+]
Alias: CVE-2015-7175
esr38 is still marked affected. Was it an oversight to not mark it wontfix, or to not land it on esr38?
(In reply to Mike Hommey [:glandium] from comment #8)
> esr38 is still marked affected. Was it an oversight to not mark it wontfix,
> or to not land it on esr38?

Sec-low bugs don't get checked into ESR branches without an overriding reason.
Group: core-security-release
Component: DOM → DOM: Core & HTML