Closed Bug 1279413 (CVE-2014-9766) Opened 4 years ago Closed 4 years ago

pixman: integer overflow in create_bits function


(Core :: Graphics, defect)

46 Branch
Not set



Tracking Status
firefox47 --- wontfix
firefox48 + fixed
firefox49 + fixed
firefox-esr45 48+ fixed
firefox50 + fixed


(Reporter: huzaifas, Assigned: jrmuizel)


(Keywords: csectype-intoverflow, sec-low, Whiteboard: [post-critsmash-triage][adv-main48-][adv-esr45.3-])


(1 file)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160503092137

Steps to reproduce:

CVE-2014-9766 is related to pixman: integer overflow in create_bits function, which Firefox seems to embed.

Details at:
In create_bits() both height and stride are ints, so the result is
also an int, which will overflow if height or stride are big enough
and size_t is bigger than int.

I find similar code in the version of pixman embedded in Firefox. But I don't really have the skills to figure out if Firefox is indeed affected.

Would appreciate if you could look, thanks!
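The overflow the report describes is easy to see in isolation. The following is an added illustration, not pixman's code or any patch from this bug: `buffer_size_unchecked` and `buffer_size_checked` are hypothetical names that model a product of two `int` values (height and stride) being stored in a `size_t`, first as the report describes it and then with the operands widened and range-checked before multiplying.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of the create_bits() size arithmetic described in the
 * report (not pixman's code): height and stride are ints, so the product is
 * evaluated as an int even when it is later stored in a size_t.
 */

/* Unchecked form. The product is taken in 32-bit arithmetic (via uint32_t so
 * the wrap is well defined in this demo; a real int*int overflow is undefined
 * behaviour) and only then widened to size_t. */
size_t buffer_size_unchecked(int height, int stride)
{
    uint32_t wrapped = (uint32_t)height * (uint32_t)stride; /* mod 2^32 */
    int size = (int32_t)wrapped; /* what an int-typed product would hold */
    return (size_t)size;         /* negative values sign-extend on 64-bit */
}

/* Checked form: reject negative operands, multiply in size_t, and refuse
 * products that would not fit. Returns false when the size is unusable. */
bool buffer_size_checked(int height, int stride, size_t *out)
{
    if (height < 0 || stride < 0)
        return false;
    if (height != 0 && (size_t)stride > SIZE_MAX / (size_t)height)
        return false; /* height * stride would exceed SIZE_MAX */
    *out = (size_t)height * (size_t)stride;
    return true;
}

int main(void)
{
    /* Constructed inputs: one benign, two that overflow a 32-bit int. */
    struct { int height, stride; } cases[] = {
        { 1024, 4096 },   /* 4 MiB, fits in int */
        { 65536, 65536 }, /* 2^32: int product wraps to 0 */
        { 46341, 46341 }, /* just past INT_MAX: int product goes negative */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t checked = 0;
        bool ok = buffer_size_checked(cases[i].height, cases[i].stride, &checked);
        printf("height=%d stride=%d unchecked=%zu checked=%s %zu\n",
               cases[i].height, cases[i].stride,
               buffer_size_unchecked(cases[i].height, cases[i].stride),
               ok ? "ok" : "rejected", checked);
    }
    return 0;
}
```

The two overflowing cases fail differently, which is why the impact is hard to rate without a test case: the product that goes negative sign-extends into an enormous `size_t`, so the allocation simply fails, whereas the product that wraps to exactly 0 yields a tiny allocation that succeeds and leaves the caller writing a full image into it. Widening both operands to `size_t` before multiplying removes the wrap, and the division-based check keeps the result representable regardless of how wide `size_t` is on the target.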
Jeff, looks like the fix is from pixman 0.32.6, and we're running 0.29.2 on nightly. Is that right?
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Flags: needinfo?(jmuizelaar)
Product: Firefox → Core
Group: core-security → gfx-core-security

This is a code execution bug, remote ACE for Firefox, and it's already public, can you accelerate this a bit?

ni for comment #2
Flags: needinfo?(dveditz)
(In reply to Huzaifa Sidhpurwala from comment #2)
> This is a code execution bug, remote ACE for firefox,

Is it? Gecko imposes image size limits that should kick in before this code is called. Without a testcase this is still an investigatory bug (though I agree we ought to update our libraries)
Flags: needinfo?(dveditz) → needinfo?(huzaifas)
You could be right, as I said, I have not investigated this from a Mozilla POV, but am generally worried about getting it fixed there.
Flags: needinfo?(huzaifas)
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Jeff, could you fill the uplift requests to aurora, beta & esr? Thanks
Assignee: nobody → jmuizelaar
Flags: needinfo?(jmuizelaar)
Group: gfx-core-security → core-security-release
Just caught this - no sec rating but it has already landed. Milan, can you request uplift?
Flags: needinfo?(milan)
Creating the patch that already landed, so that we can request uplift.

Approval Request Comment
[Feature/regressing bug #]: In upstream pixman at our version 0.29.2, fixed by 0.32.6 in 2014.
[User impact if declined]: We don't know the attack vector, but the description of the upstream problem is:
Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.
Flags: needinfo?(milan)
Attachment #8771561 - Flags: review+
Attachment #8771561 - Flags: approval-mozilla-beta?
Attachment #8771561 - Flags: approval-mozilla-aurora?
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed

Milan, Jeff, what about ESR45? Thanks
Flags: needinfo?(milan)
Flags: needinfo?(jmuizelaar)
Attachment #8771561 - Flags: approval-mozilla-beta?
Attachment #8771561 - Flags: approval-mozilla-beta+
Attachment #8771561 - Flags: approval-mozilla-aurora?
Attachment #8771561 - Flags: approval-mozilla-aurora+
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:

This is somewhat difficult without the security rating. The description is above, and the fix is simple enough that even without a known attack vector, it would be good to get it into 45esr.
Flags: needinfo?(milan)
Flags: needinfo?(jmuizelaar)
Attachment #8771561 - Flags: approval-mozilla-esr45?
Alias: CVE-2014-9766
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed

We should take this on all the branches, a=dveditz for ESR-45
Attachment #8771561 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main48-][adv-esr45.3-]
Is there going to be an advisory for this?
No, there is not (hence the minus tags for the releases in the whiteboard). It isn't clear that Firefox was actually affected by this in practice.
Group: core-security-release