Crash in InvalidArrayIndex_CRASH | mozilla::ContentCache::TextRectArray::GetUnionRectAsFarAsPossible

RESOLVED FIXED

Status


defect
--
critical
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: mccr8, Unassigned)

Tracking

({crash, csectype-bounds, sec-low})

Trunk
x86
Windows 7
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr45 wontfix, firefox50 wontfix, firefox51 fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main51+] fixed by bug 1291082, crash signature)

(Reporter)

Description

3 years ago
This bug was filed from the Socorro interface and is report bp-150bc69d-c899-4b95-81f5-4749e2160831.
=============================================================

This is happening on the line:
  rect = rect.Union(mRects[startOffset - mStart + i]);

These crashes have: ElementAt(aIndex = 4294967295, aLength = 0) where 4294967295 is 2^32-1, so we've underflowed.
Group: core-security → layout-core-security
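The description pins the crash on an unsigned index computed as `startOffset - mStart + i`: when `startOffset` is smaller than `mStart`, the subtraction wraps to 2^32-1 and the lookup reads past the (possibly empty) array. The following is an added illustration, not Mozilla's ContentCache code: it models a rect array keyed by a start offset with names borrowed from the report, isolates the wrapping arithmetic, and shows a variant that rejects offsets before `mStart` and clamps the length to what the array actually holds. The `Rect`, `TextRectArray` layout and the helper names are assumptions for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <optional>
#include <vector>

// Constructed example: a simplified model of an offset-keyed rect array.
// It is NOT Mozilla's ContentCache::TextRectArray; names mirror the report.
struct Rect {
  int32_t x = 0, y = 0, width = 0, height = 0;
  bool IsEmpty() const { return width <= 0 || height <= 0; }
  Rect Union(const Rect& aOther) const {
    if (IsEmpty()) return aOther;
    if (aOther.IsEmpty()) return *this;
    int32_t x1 = std::min(x, aOther.x);
    int32_t y1 = std::min(y, aOther.y);
    int32_t x2 = std::max(x + width, aOther.x + aOther.width);
    int32_t y2 = std::max(y + height, aOther.y + aOther.height);
    return Rect{x1, y1, x2 - x1, y2 - y1};
  }
};

struct TextRectArray {
  uint32_t mStart = 0;        // text offset that mRects[0] describes
  std::vector<Rect> mRects;   // one rect per character starting at mStart

  // The arithmetic from the crashing line, isolated. With uint32_t operands,
  // aStartOffset < aStart does not go negative: it wraps to 4294967295.
  static uint32_t UncheckedIndex(uint32_t aStartOffset, uint32_t aStart, uint32_t i) {
    return aStartOffset - aStart + i;
  }

  uint32_t EndOffset() const {
    return mStart + static_cast<uint32_t>(mRects.size());
  }

  bool IsOffsetInRange(uint32_t aOffset) const {
    return aOffset >= mStart && aOffset < EndOffset();
  }

  // Hardened variant: no rect when the array is empty or the requested start
  // lies before mStart; the count is clamped so the loop never leaves mRects.
  std::optional<Rect> GetUnionRectChecked(uint32_t aStartOffset, uint32_t aLength) const {
    if (mRects.empty() || !IsOffsetInRange(aStartOffset)) {
      return std::nullopt;
    }
    // Compute the available count by subtraction (cannot wrap: start is in range)
    // rather than aStartOffset + aLength, which could itself overflow.
    uint32_t available = EndOffset() - aStartOffset;
    uint32_t count = std::min(aLength, available);
    Rect rect;
    for (uint32_t i = 0; i < count; ++i) {
      rect = rect.Union(mRects[aStartOffset - mStart + i]);  // index now provably < size
    }
    return rect;
  }
};

// Constructed sample cache covering text offsets 10, 11 and 12.
TextRectArray MakeSample() {
  TextRectArray arr;
  arr.mStart = 10;
  arr.mRects = {Rect{0, 0, 10, 10}, Rect{10, 0, 10, 10}, Rect{20, 0, 10, 12}};
  return arr;
}

// Offset 9 is before mStart: the unchecked index would wrap, the checked one refuses.
bool ChecksRejectOffsetBeforeStart() {
  return !MakeSample().GetUnionRectChecked(9, 1).has_value();
}

// Empty array (aLength = 0 in the report): nothing to index at all.
bool ChecksRejectEmptyArray() {
  TextRectArray empty;
  return !empty.GetUnionRectChecked(0, 1).has_value();
}

// Offset 11 with a length that overruns the cache: clamped to the two cached rects.
std::optional<Rect> SampleUnion() {
  return MakeSample().GetUnionRectChecked(11, 5);
}

int main() {
  std::cout << "unchecked index for startOffset=0, mStart=1: "
            << TextRectArray::UncheckedIndex(0, 1, 0) << "\n";
  std::optional<Rect> r = SampleUnion();
  if (r) {
    std::cout << "union: x=" << r->x << " y=" << r->y << " w=" << r->width
              << " h=" << r->height << "\n";
  }
  return 0;
}
```

The check that matters for this class of bug is the one on the lower bound: an in-range test on the end alone still lets a start offset below `mStart` wrap before any comparison happens.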
I think that this issue is bug 1291082.  Although the uplift request was rejected, should we fix this?
Flags: needinfo?(dveditz)
Is this exploitable, or is it always going to crash?
Flags: needinfo?(dveditz)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?

Crash only by invalid memory read.
(Reporter)

Comment 4

3 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is this exploitable, or is it always going to crash?

It is always going to crash on Nightly and Aurora, but other branches are going to have out of bounds access.
(In reply to Andrew McCreight [:mccr8] from comment #4)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Is this exploitable, or is it always going to crash?
> 
> It is always going to crash on Nightly and Aurora, but other branches are
> going to have out of bounds access.

I cannot find the same signature on 51.0a1. :mccr8, do you have the same crash signature on 51.0a1?
(Reporter)

Comment 6

3 years ago
Yeah, I don't see any on 51 either.
(Reporter)

Comment 7

3 years ago
So hopefully this was fixed by bug 1291082.
Depends on: 1291082
(Reporter)

Updated

3 years ago
Keywords: sec-other
Ritu, although you rejected the uplift request for bug 1291082, this is filed as a sec-other bug.

Could you reconsider uplift approval for bug 1291082?  If it is still rejected, we should close this as dup or wontfix.
Flags: needinfo?(rkothari)
Let's call this "fixed" "depends on"
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Whiteboard: fixed by bug 1291082
Thanks Dan!
Flags: needinfo?(rkothari)
Group: layout-core-security → core-security-release
Flags: qe-verify-
Whiteboard: fixed by bug 1291082 → [post-critsmash-triage] fixed by bug 1291082
Whiteboard: [post-critsmash-triage] fixed by bug 1291082 → [post-critsmash-triage][adv-main51+] fixed by bug 1291082
Group: core-security-release