Open Bug 1284499 Opened 9 years ago Updated 3 years ago

Hovering tab with long title causes graphical issues and crashes Cinnamon desktop.

Categories

(Core :: Widget: Gtk, defect, P3)

50 Branch
defect

People

(Reporter: william, Unassigned)

Details

(Keywords: crash, sec-vector, Whiteboard: [sg:dos][tpi:+])

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160609214634

Steps to reproduce:

Create a webpage with a title attribute of greater than ~1500 characters. Mouse over the tab which usually displays the name of the page in a yellow box. This was tested by editing the google homepage title to be a large number of consecutive 'a' characters. It was run on Linux Mint 17.2 Rafaela and Cinnamon 2.6.13. It affected both the nightly 50.0a1 Firefox build and the 47.a build. I have marked this as security related as it seems like a buffer overflow, however I have not tested this idea.

Actual results:

With a low number of characters (~1500-2000) the yellow box will display massively distorted. With a high number of characters (>2500) the Cinnamon desktop crashed. At over 10000 characters the crash takes longer to recover from.

Expected results:

It should have displayed a yellow box with the website title.
Do you have a crash dump from the desktop? This smells like a GTK issue to me, if the entire desktop goes down...
Group: firefox-core-security → core-security
Component: Untriaged → Widget: Gtk
Flags: needinfo?(william)
Product: Firefox → Core
Attached file xsession crash dump
Attached crash dump.
Flags: needinfo?(william)
Milan, seems Karl is away, any idea if this is graphics, XUL or GTK and/or who to ping in Karl's absence?
Flags: needinfo?(milan)
Andrew, can you take a look?
Assignee: nobody → andrew
Flags: needinfo?(milan)
I suspect that your GL implementation does not support textures the size of the tooltip window (as exposed by EXT_texture_from_pixmap), as suggested by

> (cinnamon:24735): Cogl-ERROR **: Failed to create texture 2d due to size/format constraints

which is causing your X11 compositor (cinnamon+clutter) to crash.

I'll look into ensuring that the tooltip is correctly clipped to the screen bounds - that seems like the sanest solution to this issue. If we can't create textures the size of the screen, the user will have other problems with accelerated X11 composition anyway.
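The clipping proposed in the comment above can be sketched as follows. This is an added example, not code from Firefox, GTK or anyone on this bug: `rect_t`, `clip_tooltip` and the sample geometry are hypothetical, and `max_tex` stands in for the largest texture dimension the compositor can allocate.

```c
#include <stdio.h>

/* Hypothetical types and names for illustration; not Gecko or GTK API. */
typedef struct { int x, y, w, h; } rect_t;

static int min_int(int a, int b) { return a < b ? a : b; }

/*
 * Clip a requested tooltip rectangle so it never exceeds the screen or the
 * largest texture the compositor can allocate, and stays fully on-screen.
 * max_tex is an assumed limit (e.g. GL_MAX_TEXTURE_SIZE); pass 0 if unknown.
 * Returns 0 on success, -1 if the inputs cannot produce a visible window.
 */
int clip_tooltip(rect_t req, rect_t screen, int max_tex, rect_t *out)
{
    if (!out || screen.w <= 0 || screen.h <= 0 || req.w <= 0 || req.h <= 0)
        return -1;

    int limit_w = screen.w, limit_h = screen.h;
    if (max_tex > 0) {
        limit_w = min_int(limit_w, max_tex);
        limit_h = min_int(limit_h, max_tex);
    }
    out->w = min_int(req.w, limit_w);
    out->h = min_int(req.h, limit_h);

    /* Use long long so screen.x + screen.w cannot overflow int. */
    long long max_x = (long long)screen.x + screen.w - out->w;
    long long max_y = (long long)screen.y + screen.h - out->h;
    long long x = req.x, y = req.y;
    if (x > max_x) x = max_x;
    if (y > max_y) y = max_y;
    if (x < screen.x) x = screen.x;
    if (y < screen.y) y = screen.y;
    out->x = (int)x;
    out->y = (int)y;
    return 0;
}

int main(void)
{
    /* Constructed input: a ~10000-character title at ~8 px per glyph. */
    rect_t screen = { 0, 0, 1920, 1080 };
    rect_t req = { 300, 40, 80000, 24 };
    rect_t out;
    if (clip_tooltip(req, screen, 8192, &out) == 0)
        printf("%d,%d %dx%d\n", out.x, out.y, out.w, out.h);
    return 0;
}
```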
Does this need to stay sec-sensitive? (I don't think so, but I'm less familiar with the internals and risks here.)
Flags: needinfo?(andrew)
It won't expose any user data, no (I'm assuming that's what sec-sensitive is for). FWIW, I can't reproduce using gnome-shell with mesa 11.2.2 on a Haswell IGP. The tooltip (correctly) gets clipped to the screen extents.
Flags: needinfo?(andrew)
(In reply to Andrew Comminos [:acomminos] from comment #7)
> It won't expose any user data, no (I'm assuming that's what sec-sensitive is
> for).

No, it's security-sensitive because comment #0 assumed there was a security bug in Firefox that could potentially be exploited in this bug. If this is a 'safe' crash, it's a sec-low at most and we don't need to keep it hidden from the public.
Makes sense - let's consider it a 'safe' crash then.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, sec-vector
Whiteboard: [sg:dos]
Priority: -- → P3
Whiteboard: [sg:dos] → [sg:dos][tpi:+]

The bug assignee didn't login in Bugzilla in the last 7 months, so the assignee is being reset.

Assignee: andrew → nobody
Severity: normal → S3