Bug 1172189 (CVE-2015-7175)

Overflow in XULContentSinkImpl::AddText causes memory-safety bug

RESOLVED FIXED in Firefox 41

Status


defect
RESOLVED FIXED

People

(Reporter: q1, Assigned: baku)

Tracking

({csectype-intoverflow, sec-low})

38 Branch
mozilla41
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox39 affected, firefox40 affected, firefox41 fixed, firefox-esr31 wontfix, firefox-esr38 wontfix, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S wontfix, b2g-v2.2 wontfix, b2g-master fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main41+])

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305021524

Steps to reproduce:

This bug is just like https://bugzilla.mozilla.org/show_bug.cgi?id=1172187, but in XULContentSinkImpl::AddText (38.0.1\dom\xul\nsXULContentSink.cpp), line 1075:

1075:        mTextSize += aLength;
1076:        mText = (char16_t *) moz_realloc(mText, sizeof(char16_t) * mTextSize);
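Added example, not Mozilla's code or the patch attached to this bug: the growth step from the two quoted lines, with the checks a fix needs before the allocator is reached. It assumes mTextSize is an int32_t, uses uint16_t in place of char16_t, plain realloc() in place of moz_realloc, and the GCC/Clang __builtin_*_overflow helpers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the sink's mText / mTextSize pair (mTextSize assumed int32_t;
 * uint16_t stands in for char16_t). */
typedef struct {
    uint16_t *text;
    int32_t   size;
} text_sink;

/* Computes the byte count realloc() would receive for size + len, refusing the
 * two wraps the unchecked `mTextSize += aLength` followed by
 * `sizeof(char16_t) * mTextSize` allows: the signed sum and the size_t product. */
bool checked_text_bytes(int32_t size, int32_t len, int32_t *new_size, size_t *bytes)
{
    if (size < 0 || len < 0)
        return false;                       /* negative lengths never reach the allocator */
    if (__builtin_add_overflow(size, len, new_size))
        return false;                       /* size + len wrapped past INT32_MAX */
    if (__builtin_mul_overflow((size_t)*new_size, sizeof(uint16_t), bytes))
        return false;                       /* element count * 2 wrapped size_t */
    return true;
}

/* Hardened growth: the fields are updated only after a successful realloc(),
 * so a rejected or failed append leaves the sink consistent. */
bool add_text_checked(text_sink *s, int32_t len)
{
    int32_t new_size;
    size_t bytes;
    if (!checked_text_bytes(s->size, len, &new_size, &bytes))
        return false;
    if (bytes == 0)
        return true;                        /* nothing to grow; avoid realloc(p, 0) */
    uint16_t *p = realloc(s->text, bytes);
    if (!p)
        return false;
    s->text = p;
    s->size = new_size;
    return true;
}

int main(void)
{
    text_sink s = { NULL, 0 };
    printf("append 1024: %s (size %d)\n", add_text_checked(&s, 1024) ? "ok" : "rejected", s.size);
    printf("append INT32_MAX: %s (size %d)\n", add_text_checked(&s, INT32_MAX) ? "ok" : "rejected", s.size);
    free(s.text);
    return 0;
}
```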
(Reporter)

Updated

4 years ago
Summary: XULContentSinkImpl::AddText causes memory-safety bug → Overflow in XULContentSinkImpl::AddText causes memory-safety bug
Flags: sec-bounty?
Component: Untriaged → DOM
Product: Firefox → Core
See Also: → 1172187
XUL isn't exposed to the web so, this isn't as serious as bug 1172187.
Marking sec-other because it is not exposed to content.
Keywords: sec-other
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 3

4 years ago
Posted patch crash8.patchSplinter Review
Assignee: nobody → amarchesini
Attachment #8621018 - Flags: review?(ehsan)

Updated

4 years ago
Attachment #8621018 - Flags: review?(ehsan) → review+
(Assignee)

Updated

4 years ago
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/4c18b9c2c98c

Is this worth backporting?
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Flags: sec-bounty? → sec-bounty+
(In reply to Olli Pettay [:smaug] from comment #1)
> XUL isn't exposed to the web so, this isn't as serious as bug 1172187.

Not directly. We do, in some cases, take aspects of web content and display text in our own XUL dialogs. Seems super unlikely to be a problem if the text survived in the HTML page but we can't rule it out, either.
Keywords: sec-other → sec-low
It can't hurt to backport if it's easy to do so, but I don't think it's necessary.
Flags: needinfo?(amarchesini)
Whiteboard: [post-critsmash-triage]

Updated

4 years ago
Group: core-security → core-security-release
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main41+]
Alias: CVE-2015-7175
esr38 is still marked affected. Was it an oversight to not mark it wontfix, or to not land it on esr38?
(In reply to Mike Hommey [:glandium] from comment #8)
> esr38 is still marked affected. Was it an oversight to not mark it wontfix,
> or to not land it on esr38?

Sec-low bugs don't get checked into ESR branches without an overriding reason.
Group: core-security-release
Component: DOM → DOM: Core & HTML
Product: Core → Core