Bug 1172189
(CVE-2015-7175)
Opened 10 years ago
Closed 10 years ago
Overflow in XULContentSinkImpl::AddText causes memory-safety bug
Categories: Core :: DOM: Core & HTML, defect
Tracking: RESOLVED FIXED, target milestone mozilla41
People: Reporter: q1, Assigned: baku
(Keywords: csectype-intoverflow, reporter-external, sec-low, Whiteboard: [post-critsmash-triage][adv-main41+])
Attachments (1 file): patch, 983 bytes, reviewed by ehsan.akhgari (review+)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305021524
Steps to reproduce:
This bug is just like https://bugzilla.mozilla.org/show_bug.cgi?id=1172187 , but in XULContentSinkImpl::AddText (38.0.1\dom\xul\nsXULContentSink.cpp), line 1075:
1075: mTextSize += aLength;
1076: mText = (char16_t *) moz_realloc(mText, sizeof(char16_t) * mTextSize);
Summary: XULContentSinkImpl::AddText causes memory-safety bug → Overflow in XULContentSinkImpl::AddText causes memory-safety bug
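Added example (not Mozilla's code, and not the patch that landed for this bug): a C model of the accumulate-and-realloc pattern the reporter quotes. It assumes the size counter is a 32-bit signed integer, as the model's text_size field is, and shows how `mTextSize += aLength` wraps, what byte count `sizeof(char16_t) * mTextSize` then hands to realloc with a 32-bit versus a 64-bit size_t, and a checked variant that refuses the growth before any memory is touched. The struct and the names text_sink_t, naive_new_size, naive_byte_request, checked_new_size and add_text are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t char16;   /* stands in for char16_t */

/* Hypothetical model of the sink's text buffer (not Mozilla's struct):
 * a 32-bit signed length and size, as the reported snippet suggests. */
typedef struct {
    char16 *text;
    int32_t text_length;   /* characters stored */
    int32_t text_size;     /* characters allocated */
} text_sink_t;

/* Reproduces the reported `mTextSize += aLength` arithmetic without touching
 * memory.  Signed overflow is undefined in C, so the wrap is done in
 * uint32_t and converted back (two's-complement result assumed). */
int32_t naive_new_size(int32_t cur_size, int32_t len)
{
    uint32_t wrapped = (uint32_t)cur_size + (uint32_t)len;
    return (int32_t)wrapped;
}

/* Bytes that `sizeof(char16_t) * mTextSize` would ask realloc for when
 * mTextSize holds `size`, modelled for a 32- or 64-bit size_t.  The int32
 * is sign-extended before the multiplication, which is why a negative size
 * becomes a huge request on 64-bit but can wrap to a tiny one on 32-bit. */
uint64_t naive_byte_request(int32_t size, unsigned size_t_bits)
{
    uint64_t as_size_t = (uint64_t)(int64_t)size;
    uint64_t bytes = as_size_t * sizeof(char16);
    if (size_t_bits < 64)
        bytes &= (((uint64_t)1) << size_t_bits) - 1;
    return bytes;
}

/* Hardened size computation: rejects a negative length, a character count
 * that would not fit in int32_t, and a byte count that would not fit in
 * size_t.  Nothing is allocated or written unless this returns true. */
bool checked_new_size(int32_t cur_size, int32_t len,
                      int32_t *new_size, size_t *new_bytes)
{
    if (cur_size < 0 || len < 0)
        return false;
    if (len > INT32_MAX - cur_size)
        return false;                        /* addition would overflow */
    int32_t sum = cur_size + len;
    if ((size_t)sum > SIZE_MAX / sizeof(char16))
        return false;                        /* multiplication would overflow */
    *new_size = sum;
    *new_bytes = (size_t)sum * sizeof(char16);
    return true;
}

/* Hardened AddText: grows the buffer by `len` characters only when the new
 * size is provably sane, then appends. */
bool add_text(text_sink_t *sink, const char16 *chars, int32_t len)
{
    int32_t new_size;
    size_t new_bytes;

    if (len <= 0)
        return len == 0;
    if (!checked_new_size(sink->text_size, len, &new_size, &new_bytes))
        return false;
    char16 *grown = realloc(sink->text, new_bytes);
    if (grown == NULL)
        return false;
    sink->text = grown;
    sink->text_size = new_size;
    memcpy(sink->text + sink->text_length, chars, (size_t)len * sizeof(char16));
    sink->text_length += len;
    return true;
}

/* Scenario 1: ordinary appends succeed; returns the final character count. */
int32_t scenario_append_twice(void)
{
    static const char16 ab[] = { 'a', 'b' };
    static const char16 cde[] = { 'c', 'd', 'e' };
    text_sink_t sink = { NULL, 0, 0 };
    bool ok = add_text(&sink, ab, 2) && add_text(&sink, cde, 3);
    int32_t length = ok ? sink.text_length : -1;
    free(sink.text);
    return length;
}

/* Scenario 2: a sink whose recorded size is 16 characters short of INT32_MAX
 * (the field is set directly; no real buffer) receives 32 more characters.
 * The naive arithmetic wraps; the checked path refuses and allocates nothing. */
bool scenario_overflow_rejected(void)
{
    static const char16 chunk[32] = { 0 };
    text_sink_t sink = { NULL, 0, INT32_MAX - 15 };   /* 0x7FFFFFF0 */
    bool refused = !add_text(&sink, chunk, 32);
    return refused && sink.text == NULL && sink.text_size == INT32_MAX - 15;
}

int main(void)
{
    int32_t wrapped = naive_new_size(INT32_MAX - 15, 32);
    printf("naive size: %d -> realloc bytes: 32-bit %llu, 64-bit 0x%llx\n",
           (int)wrapped,
           (unsigned long long)naive_byte_request(wrapped, 32),
           (unsigned long long)naive_byte_request(wrapped, 64));
    printf("checked append: %d chars, overflow rejected: %s\n",
           (int)scenario_append_twice(),
           scenario_overflow_rejected() ? "yes" : "no");
    return 0;
}
```

With a size of 0x7FFFFFF0 and 32 more characters the naive sum wraps to a negative count; sign-extended and doubled, that asks realloc for 32 bytes on a 32-bit build (a far smaller buffer than the copy that follows) and for an unsatisfiable 0xFFFFFFFF00000020 bytes on 64-bit. The checked path rejects the addition before it reaches the multiplication, so the question of which failure mode applies never arises.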
Updated•10 years ago
Flags: sec-bounty?
Updated•10 years ago
Component: Untriaged → DOM
Product: Firefox → Core
Comment 1•10 years ago
XUL isn't exposed to the web, so this isn't as serious as bug 1172187.
Updated•10 years ago
Keywords: csectype-intoverflow
Updated•10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•10 years ago (Assignee)
Assignee: nobody → amarchesini
Attachment #8621018 -
Flags: review?(ehsan)
Updated•10 years ago
Attachment #8621018 -
Flags: review?(ehsan) → review+
Updated•10 years ago (Assignee)
Keywords: checkin-needed
Comment 4•10 years ago
Keywords: checkin-needed
Comment 5•10 years ago
https://hg.mozilla.org/mozilla-central/rev/4c18b9c2c98c
Is this worth backporting?
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v2.0:
--- → wontfix
status-b2g-v2.0M:
--- → wontfix
status-b2g-v2.1:
--- → wontfix
status-b2g-v2.1S:
--- → wontfix
status-b2g-v2.2:
--- → wontfix
status-b2g-master:
--- → fixed
status-firefox39:
--- → affected
status-firefox40:
--- → affected
status-firefox41:
--- → fixed
status-firefox-esr31:
--- → wontfix
status-firefox-esr38:
--- → affected
Flags: needinfo?(amarchesini)
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Updated•10 years ago
Flags: sec-bounty? → sec-bounty+
Comment 6•10 years ago
(In reply to Olli Pettay [:smaug] from comment #1)
> XUL isn't exposed to the web, so this isn't as serious as bug 1172187.
Not directly. We do, in some cases, take aspects of web content and display text in our own XUL dialogs. Seems super unlikely to be a problem if the text survived in the HTML page, but we can't rule it out, either.
Comment 7•10 years ago
It can't hurt to backport if it's easy to do so, but I don't think it's necessary.
Flags: needinfo?(amarchesini)
Updated•10 years ago
Whiteboard: [post-critsmash-triage]
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main41+]
Updated•9 years ago
Alias: CVE-2015-7175
Comment 8•9 years ago
esr38 is still marked affected. Was it an oversight to not mark it wontfix, or to not land it on esr38?
Comment 9•9 years ago
(In reply to Mike Hommey [:glandium] from comment #8)
> esr38 is still marked affected. Was it an oversight to not mark it wontfix,
> or to not land it on esr38?
Sec-low bugs don't get checked into ESR branches without an overriding reason.
Updated•9 years ago
Group: core-security-release
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•9 months ago
Keywords: reporter-external