Crash in InvalidArrayIndex_CRASH | mozilla::ContentCache::TextRectArray::GetUnionRectAsFarAsPossible

RESOLVED FIXED

Status


defect
--
critical
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: mccr8, Unassigned)

Tracking

({crash, csectype-bounds, sec-low})

Trunk
x86
Windows 7
Points:
---
Dependency tree / graph
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr45 wontfix, firefox50 wontfix, firefox51 fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main51+] fixed by bug 1291082, crash signature)

This bug was filed from the Socorro interface and is report bp-150bc69d-c899-4b95-81f5-4749e2160831.
=============================================================

This is happening on the line:
  rect = rect.Union(mRects[startOffset - mStart + i]);

These crashes have: ElementAt(aIndex = 4294967295, aLength = 0) where 4294967295 is 2^32-1, so we've underflowed.
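As an added illustration, not code from this bug or from Mozilla's ContentCache: a reduced model of the index computation on the crash line. `UncheckedIndex` reproduces the unsigned wrap-around that yields 4294967295 when `startOffset` is below `mStart`; `UnionRectClamped` clamps the requested range to the offsets the array actually covers before indexing `mRects`. `Rect`, `TextRectArray` and both function names are hypothetical stand-ins.

```cpp
#include <algorithm>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical stand-ins for Mozilla's types; not the real ContentCache code.
struct Rect {
  int32_t x = 0, y = 0, width = 0, height = 0;
  bool IsEmpty() const { return width <= 0 || height <= 0; }
  // Smallest rect containing both; an empty rect contributes nothing.
  Rect Union(const Rect& o) const {
    if (IsEmpty()) return o;
    if (o.IsEmpty()) return *this;
    int32_t x1 = std::min(x, o.x), y1 = std::min(y, o.y);
    int32_t x2 = std::max(x + width, o.x + o.width);
    int32_t y2 = std::max(y + height, o.y + o.height);
    return {x1, y1, x2 - x1, y2 - y1};
  }
};

struct TextRectArray {
  uint32_t mStart = 0;       // text offset described by mRects[0]
  std::vector<Rect> mRects;  // one rect per character starting at mStart
  uint32_t EndOffset() const { return mStart + static_cast<uint32_t>(mRects.size()); }
};

// The arithmetic from the crash line with every operand unsigned: when
// startOffset < mStart the subtraction wraps instead of going negative,
// e.g. mStart = 5, startOffset = 4, i = 0 gives 4294967295 (2^32 - 1).
uint32_t UncheckedIndex(const TextRectArray& arr, uint32_t startOffset, uint32_t i) {
  return startOffset - arr.mStart + i;
}

// Defensive variant: clamp [startOffset, startOffset + length) to the offsets
// the array actually covers before touching mRects, and return nullopt when
// there is no overlap so callers cannot mistake "no data" for a real rect.
std::optional<Rect> UnionRectClamped(const TextRectArray& arr, uint32_t startOffset, uint32_t length) {
  if (arr.mRects.empty() || length == 0) return std::nullopt;
  // startOffset + length itself could wrap; saturate instead.
  uint32_t endOffset = (length > UINT32_MAX - startOffset) ? UINT32_MAX : startOffset + length;
  uint32_t from = std::max(startOffset, arr.mStart);
  uint32_t to = std::min(endOffset, arr.EndOffset());
  if (from >= to) return std::nullopt;  // requested range lies outside the cache
  Rect rect;
  for (uint32_t off = from; off < to; ++off) {
    rect = rect.Union(arr.mRects[off - arr.mStart]);  // index < mRects.size() here
  }
  return rect;
}
```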
Group: core-security → layout-core-security
I think that this issue is bug 1291082.  Although the uplift request was rejected, should we fix this?
Flags: needinfo?(dveditz)
Is this exploitable, or is it always going to crash?
Flags: needinfo?(dveditz)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?

Crash only by invalid memory read.
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?

It is always going to crash on Nightly and Aurora, but other branches are going to have an out-of-bounds access.
(In reply to Andrew McCreight [:mccr8] from comment #4)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Is this exploitable, or is it always going to crash?
> 
> It is always going to crash on Nightly and Aurora, but other branches are
> going to have out of bounds access.

I cannot find the same signature on 51.0a1. :mccr8, do you see the same crash signature on 51.0a1?
Yeah, I don't see any on 51 either.
So hopefully this was fixed by bug 1291082.
Depends on: 1291082
Keywords: sec-other
Ritu, although you rejected the uplift request for bug 1291082, this is filed as a sec-other bug.

Could you reconsider uplift approval for bug 1291082?  If it is still rejected, we should close this as a dup or wontfix.
Flags: needinfo?(rkothari)
Let's call this "fixed" "depends on"
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: fixed by bug 1291082
Thanks Dan!
Flags: needinfo?(rkothari)
Group: layout-core-security → core-security-release
Flags: qe-verify-
Whiteboard: fixed by bug 1291082 → [post-critsmash-triage] fixed by bug 1291082
Whiteboard: [post-critsmash-triage] fixed by bug 1291082 → [post-critsmash-triage][adv-main51+] fixed by bug 1291082
Group: core-security-release