heap-overflow and potential UAF [@mozilla::dom::CanvasRenderingContext2D::GetImageDataArray]

RESOLVED FIXED in Firefox 51

Status

Product: Core
Component: Canvas: 2D
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: a year ago
Last modified: a year ago

People

Reporter: tsmith
Assignee: ethlin

Tracking

Blocks: 2 bugs
Version: Trunk
Target Milestone: mozilla51
Keywords: crash, csectype-bounds, csectype-uaf, regression, sec-critical, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

firefox48 unaffected, firefox49 unaffected, firefox-esr45 unaffected, firefox50 unaffected, firefox51 fixed

Attachments

(5 attachments)

(Reporter)

Description

a year ago
Created attachment 8786229 [details]
uaf_log.txt

I have seen this reproduce as both an out of bounds read and a use-after-free.

==8460==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000339c18 at pc 0x7ffac8affce2 bp 0x7ffcf33eaeb0 sp 0x7ffcf33eaea8
READ of size 1 at 0x602000339c18 thread T0
    #0 0x7ffac8affce1 in mozilla::dom::CanvasRenderingContext2D::GetImageDataArray(JSContext*, int, int, unsigned int, unsigned int, JSObject**) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:5491:19
    #1 0x7ffac8afe14f in mozilla::dom::CanvasRenderingContext2D::GetImageData(JSContext*, double, double, double, double, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:5368:12
    #2 0x7ffac7c4c216 in mozilla::dom::CanvasRenderingContext2DBinding::getImageData(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:4584:55
    #3 0x7ffac8a078c0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2812:13
    #4 0x7ffaceace6bc in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:235:15
Flags: in-testsuite?
(Reporter)

Comment 1

a year ago
Created attachment 8786230 [details]
overflow_log.txt
(Reporter)

Comment 2

a year ago
Created attachment 8786231 [details]
test_case.html
(Assignee)

Updated

a year ago
Assignee: nobody → ethlin
(Assignee)

Comment 3

a year ago
Created attachment 8786593 [details] [diff] [review]
Check if drawtarget valid

Before using the DrawTarget, we should check if it's valid.
Attachment #8786593 - Flags: review?(nical.bugzilla)
Attachment #8786593 - Flags: review?(nical.bugzilla) → review+
(Assignee)

Updated

a year ago
Keywords: checkin-needed
Comment 4

https://hg.mozilla.org/integration/mozilla-inbound/rev/1065b1b168df
Keywords: checkin-needed

Comment 5 (Ryan VanderMeulen [:RyanVM])

https://hg.mozilla.org/mozilla-central/rev/1065b1b168df

This probably should have gone through the sec-approval process before landing. What rating should it have? What branches are affected?
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox51: affected → fixed
Flags: needinfo?(ethlin)
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Group: gfx-core-security → core-security-release
(Assignee)

Comment 6

a year ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #5)
> https://hg.mozilla.org/mozilla-central/rev/1065b1b168df
> 
> This probably should have gone through the sec-approval process before
> landing. What rating should it have? What branches are affected?

Only firefox51 is affected. The bug has a csectype-uaf rating.
Flags: needinfo?(ethlin)
Keywords: sec-critical
status-firefox48: --- → unaffected
status-firefox49: --- → unaffected
status-firefox50: --- → unaffected
status-firefox-esr45: --- → unaffected
(Assignee)

Comment 7

a year ago
Created attachment 8787483 [details] [diff] [review]
crashtest

Add the testcase into crashtest.
Attachment #8787483 - Flags: review?(nical.bugzilla)
Attachment #8787483 - Flags: review?(nical.bugzilla) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/c4fb41365df3
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/c4fb41365df3
Group: core-security-release
Keywords: regression