1308090 - Out of bounds read/null ptr dereference when combining a data URI f or a video element injected into the about:feeds context, and createImageBitmap for that video element.

Status: RESOLVED FIXED

(Core :: Graphics: Canvas2D, defect)

Description

[Jerri Rice (rehash pending)]

Attachment: elementInjectionFeed-testcase-new.html

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160919214112

Steps to reproduce:

Setup a video element injected into the about:feeds context with a data URI  misrepresenting the mime type as video/ogg for what should be audio/ogg.  I then time the playing of this video element with createImageBitmap which is the tricky part(think race condition).


Actual results:

When the timing is just right it casues a memory corruption crash, that I believe may  be exploitable.  The reason I believe this is when the timing isn't right to trigger the crash, it will return a valid promise object.

This leads me to believe that in those instances if one were to follow up and retrieve the image bitmap data it *should* reveal  memory that was read which is very serious imo.

This is an incredibly hard to reproduce issue.  Also crash submission fails in these instances.  I'm attaching a testcase from another bug which sets up the opening of a page with the about:feeds context, and also screenshots showing both the crashed out tab(e10s) and output to the global console showing that crash submission fails.


Expected results:

None of what does happen.

Comment 1

[Jerri Rice (rehash pending)]

Attachment: Screenshot - 100616 - 00:11:55.png

Crash submission failing.

Comment 2

[Jerri Rice (rehash pending)]

Attachment: Screenshot - 100616 - 00:15:39.png

A crashed out tab showing that the URL for the page is the about:feeds context.

Comment 3

[Jerri Rice (rehash pending)]

Once the page with the about:feeds context is loaded using the attached testcase the trailing code executed in the web console for that page with different timings will either cause a memory corruption crash, or return a valid promise object.

I'm currently lacking both the proper debugging tools and time to dig into this further.  Not to mention I just had people attempt a BE on my current room while I was dead asleep.  Authorities contacted but no help as usual.

Please help me follow up on this issue as it seems very serious, and my current situation is unnerving to say the least.

Sorry for the unneeded info, but this is getting completely out of hand.  I'm still trying to work through it all.

The code to execute is as follows:

document.querySelectorAll('video')[0].src ='data:video/ogg;base64,T2dnUwACAAAAAAAAAAC1v/BfAAAAAMVFfV4BHgF2b3JiaXMAAAAAAUSsAAD/////APQBAP////+4AU9nZ1MAAAAAAAAAAAAAtb/wXwEAAAB6cK4REC3//////////////////wYDdm9yYmlzHQAAAFhpcGguT3JnIGxpYlZvcmJpcyBJIDIwMDMwOTA5AAAAAAEFdm9yYmlzKUJDVgEACAAAADFMKMSA0JBVAAAQAAAgmDYQa6e11lprgqR2WmuqtdZaaya1tlprrbXWWmuttdZaa6211lpjIDRkFQAABABAKEoStGRSTEopZSBHjnLkOUjKJ6UoRwpi4jnoPfVka02mpORbTUopJQgNWQUAAAIAQAghhBBSSCGFFFJIIYUUYoghpphiyimnnHLKKccggwwyyCCDTDLppKOOOuqss846Cy200EIMscQSU2011tpzEMoopZRSSimllFJKKaWMMcYIQkNWAQAgAAAEQgYZZJBBCCGFFFKKKaaccgwy6IDQkFUAACAAgAAAAADHkBRJsRzL0RxP8iTPEi1REz3TM0XTNE3TNW1Vd3VVV3XVVnXVVmXTNW3TVmXTVXVXl3VXtnVd13Vd13Vd13Vd13Vd13Xdtm0gNGQVACABAKAjOZriKaJiGq7iOqoFhIasAgBkAAAEAKAJniEqoiZqouZpnud5nud5nud5nud5ngeEhqwCAAABAAQAAAAAAKBpmqZpmqZpmqZpmqZpmqZpmqZpmmZZlmVZlmVZlmVZlmVZlmVZlmVZlmVZlmVZlmVZlmVZlmVZlmVZQGjIKgBAAgBAx3EkR1IkRVIkx3IsBwgNWQUAyAAACABAUizFUjTHczxHdETHdExJlVTJlVzLtVwNCA1ZBQAAAgAIAAAAAABAEzTFUizHkixPMzVVUz1VVDXVUz3VVFVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVYHQkFUAAAQAAAGdZphqgAgzklkgNGQVAIAAAAAQgQxTDAgNWQUAAAQAAEiR5CSJkpNSSjkMksUkqZSTUkp5FJNHNckYlFJKKaWUUkoppZRSSikMkuUoqZSTUkpJjJLFKKlSk1JKeZSTJzXJ2JNSSimllFJKKaWUUkpZkJInLekalFJKSY6SBi3Z1JNSSolSlCg52Z6UUkoppZRSSimllFJK+aCUD0IppZRSSrnak2s9KaWUUkoZo5TwSSmllFJKKaWUUkoppZRSyghCQ1YBAEAAAIBx1iiHopPofHGGcqYpSCqUJnRvkqPkOcmttNycbsI5p5tTzvnknHOC0JBVAAAgAACEEFJIIYUUUkghhRRSiCGGGHLIKaegggoqqaSiiiqqrLLMMssss8wyyyyzzDLrrKOOOgsphJJCC63VGGuMsdXenLQ1RymdlFJKKaWUzjnnnCA0ZBUAAAIAQCBkkEEGGWUUUoghppxyyimopJIKCA1ZBQAAAgAIAAAAECXTMR3RERXRER3RER3RER3P8RxPEiXR8ixRMz1TNE3TVWVXlnXZlm1Xl3Vbl33bt3Xbtn3d2I3fOI7jOI7jOI7jOI7jOI5jCEJDVgEAIAAAAEIIIYQUUkghhZRiijHnoIMQQimB0JBVAAAgAIAAAAAARXEUx5EcSZIkS7IszdI0TdM0T/REz/RUzxVl0RZtz/Vs0fZcT/VUTxVVUzVd01Vd13Vd1VVlVXZt27Zt27Zt27Zt27Zt27ZlIDRkFQAgAQCgIzmSIimSIjmOIzmSBISGrAIAZAAABACgKIriOI7kWJIlaZIomZZquZrs6Z4u6qIOhIasAgAAAQAEAAAAAABgiIZoiI5oiZooiqIoiqIoiqIoiqIoiqIoiqIoiqIoiqIoiqIoiqIoiqIoiqIoiqIoip7neZ7neZ7neUBoyCoAQAIAQEdyJMdSLEVSJMVyLAcIDVkFAMgAAAgAwDEcQ1Ikx7IsS9M0z/M8T/REURRF01RNFQgNWQUAAAIACAAAAAAAQFEUy7EcSdIcTxIdURIl0RIlURM1URRFURRFURRFURRFURRFURRFURRFURRFURRFURRFURRFURRFURSB0JCVAAAZAAClxRgjhBCOoxZTTD1YzEEHLdRgQWqt5RaEpZRDjDkNGoTUSUm1d4w5xAyiIDoJGTQCeq69dtoQ5kH4IHKFJAhCQ1YEAFEAAIAxiDHDGHLOScmkRM4xCZ2UyDlHpZPSUSktphgzKSWmFGPknKPSScmkpBhLih2lEmOJrQAAgAAHAIAAC6HQkBUBQBQAAIIMUgophZRSzCnGkFKKMeUcUko5pphTzjkIHYSKMQadgxAppRxTzCnGHITMQeWcg9BBKAAAIMABACDAQig0ZEUAECcA4JAkz5M0SxQlSxNFTxRd1xNF15U0zRQ1UVRVyxNN1VRV2RZNVZYlTRNFS/RUUxNFVRVVU5ZNVbVlzzRt2VRV3xZV1bZl3RZ+V7Z93RNN2RZV1bZNVbV1WbaFYbZ1X5g0zTQ10VNVzRNV1VRV2zZV1bY1UVRVUVVlWVRVWVZdWRdWV/aNy/NU1TNN2RVV1ZVVWfVtVXZ931RVXVdl2fdVWTZ+29aF39aFpaiqtm66ri6ssqwLty7TdeE3Spommpooqqrmiapqqqptm6pq25YnqqqoqrbsmaZqq7Is7Kor274miqoqqqrsiqrqyqrs6roqu74uqqquq67s66bq+rru+9iy7iuj6uq6KsvCr8quLty+b9R13xg+05RtU1V131RV3bd1XVhuW1eWUVV9XZVlYVhlWRh24UcXhsKoqrquyq7vq7JsDLuvK8vtG8My6zrj9oXhuH1fWY5lyReOpWvbvjH7NuX2haWv/MowHEeeadqyqKq6baqu7cu6rSy37xvDqKq+rsoy4XRl3deNX1lu3TeOUXV1XZVlYVllWRh24VeWXfhxbZty+zpltn2lbxz5vjCUbVtoCz/l9n3lGJYh4xgSAAAw4AAAEGBCGSg0ZEUAECcAACnlnGIKQqUYhA5CSh2ElCrGIGSOSamYgxJKSS2EklrFGISKMQkZc1JCCS2FUlrqIKQUSmktlJJaai3GlFqLHYSUQikthVJaSy3FllqLtWIMQuaYhIw5KKGUlkIpqWXOSemck9I5J6WU1FopqbWKMSmZc1I65ySFUloqJbUWSmmtlNJaSaW11lqsrbVYQymphVJaKyW1llqqrbVWa8UYhMwxCRlzUEIpLYVSUqsYk9I5RyVzTkoppbVSSmqZc1I656R0zkkpqbRWUmktlNJaSSW2UEprrbVaU2qthlJaK6W0VlJprbVWa2utxg5CSqGU1kIpraXWakytxRhKaa2U0lpJqbXWYq2ttVpDCa2FUlorJbXWWqqxtRZrai3G1lqtLbZaY6wx11pzTinFmFqqsbVWa4stt1hrzh2ElEIprYVSWkutxZhaizWU0lIppbVQSmstthpTa7GGUlorpbRWUmqttVZri63GlFKMrbUaU2qxxlpzji22nFqLtbVWa2qt1lhrzrHGHAsAABhwAAAIMKEMFBqyEgCIAgAgCFHKOSkJQo45R6lBiDnnKFWOQSihtYo5KKG01jknoaUYO+egpBZjSamlGGstKbUWY60FAAAUOAAABNigKbE4QKEhKwGAKAAAxhiEGIPQGKMUYxAag5RiDEKkFGPOQYiUUsw5CBljzkEoJWPMOQilhBBKKCWlEEIopaRUAABAgQMAQIANmhKLAxQasiIAiAIAAIxBjCHGEHROSiclctBJ6aQ0EEJqnaXOUmqxxJhZKrGVGBsIHbWQWkatxFha7KiVGEtsBQCAHTgAgB1YCIWGrAQA8gAAEGSUYsw55xBCSjHmnHMIIaUYc845pRRjjjnnnFKKMeacc44x5phzEELIGGPOOQghdM45ByGEEDrnnIMQQgidc85BCCGEzjnnIIQQQgEAQAUOAAABNopsTjASVGjISgAgDwAAMEYp5yCU0ijFGIRSUmqUYgxCKSlVzkEoJaXWKucglJJSax2EUlJqrcYOQikptRZjKSWl1mKstZSSUosx1ppaii3WWnNOqcUYY605FwCAu+AAAHZgo8jmBCNBhYasBADyAAAQhJRijDHnkFJMMcaYc0gpxRhjzDnFFGOMOeecUowxxpxzjjHGmHPOOccYY8w555xjjDnnnHPOMcacc84555xzzjnnnHPOOeecc845AQBABQ4AAAE2imxOMBJUaMhKACAPAAAwBkIIIYQQQQghhBBCaCCEEEIIIYQQQgghhBBCCCGEEEIIIYQQQgghhBBCCCGEEEIIIYQQQgghhBBC55xzzjnnnHPOOeecc84555wTAOJ44QDoM2GjyOYEI0GFhqwEAFIBAABjEGJMQkqtNUw5ByGV2GJsFHMOQkkxthg5J6Gl1mLMtXJOSkqxxVpzJ6WlGGvOPfcOSmsx9pxzziWlGmvtPffeS2ut1pp77rmn1mrtPffee28txpxr7r333mrNtffee+891lhzz7333nsBACYRDgCICzasjnBSNBZYaMgqACAGAIAwxBiEEFJKKaWUYooxxhhjjDHGnHPOOeecc84555wTAACY4AAAEGAFuzJLqzaKmzrJiz4IfEJHbEaGXErFTE4EPVJDLVaCHVrBDV4AFhqyEgAgAwBAIMcee2stQsw5SSXGEiGlIJRaQ6WYclBiixlSRilnMXXMKcYYxVw6h5RBEEPoIGPGKEqptVI6hKC0mGNsmXIAAAAIAgAMRMhMIFAABQYyAOAAIUEKACgsMHQMFwEBuYSMAoPCMeGcdNoAAAQhMkMkIhaDxIRqoKiYDgAWFxjyASBDYyPt4gK6DHBBF3cdCCEIQQhicQAFJODghBueeMMTbnCCTlGpgwAAAAAAQACABwCAZAOIiIhmjqPD4wMkRGSEpMTkBCUAAAAAAIAA4AMAIEkBIiKimePo8PgACREZISkxOUEJAAAAAAAAAAAAAgICAAAAAAABAAAAAgJPZ2dTAASgJAAAAAAAALW/8F8CAAAA8j39PyUwRVBWUv+mQkI/REA/Uk5J9powJigtF1JTT/9FNjU1T1JD1XEBVAG1Dct/jByBHJl980qgQA54nE5NqcyTJJ6RWTPMYAzKGKUZYPWENVZgPoJJ8csC/AjRDFgq8Z4JsLTRsjiAAICWgDMX6f+u99258y1+ZpU83o6++bBdskkeb9PffVkrN/QkGn5ei1Y4/B0PKdWRqctr7iYB1P2WE3n/anGvjigc4fM8OA63aD+7WKlI2VX4OpKp0PQ1VhAQ477aZ/uduNiRFYk5kYu/CX/dYfz8YVxGiTCpIG66v6ZieUzI+L8PqmGtLgr0JY9UrE+Ta5F19hcO+5cQW4pL+96GOriCTbY01AWwldRBtpCVm6E4OTjzt0Xz4yztve5sTCMZqzFJiU+ZFQFWWREyxm8eLK3Sku06EAyCmyH0IwTiAAw6lzvENtI2ZHUvOUC09oRrvK/3hq4FniaRdTBA5DnfjR62RT87bVMFriFyeVpHyfNOMbty+czA6o2S/3hGeM+FJJdT6cX0NlRkyvL868oLZbPSZ+0OswlE/vQpX8GdObfJ+PHNAADfn93dBXT/yQDAc9MAoP8UAOizkAD0mMDKWyUA8N8BsOm4MwgAjBVg+39nEQEAI8CfCQCMBTRfAIARcO8HADAEpnRbHQA4gAkYgWMMABzADhBFAACYV7kZKmLjekCCjfr85v0pZaKYZ9nwcDgcdrvda/Dy+GbZbEaRIqUM69fXo/d+Zi0AWLoZa+ztIcsDSo5DqQKqNA+b1oEQQohhGJbS7HDqSXXJ6FgAMK3N3n/XWkEpAThOaVEzm6ispCUEhaIoJSEiiHBZlJnBzEwLF+/eKT/dN9MTGqEoSgCU0t00QggAAJi0UQpUQa+WpRQAKCCvhjwAB+dc81jh162XuOIAAAAAhOozA4CUUuaTw0tdZz/LLAAADgCXwgAAgLlIKBk/bwWDUiQAAAAu0AwAAKD+pcZxFjlHAABwBICABgAAgNxLwmnZQEgIAACOBdDRAABAqfyBqJKtY2YAAAAgJFId+nN9iBf5S3/lq7yll/RQHvQr3ZeH96gvCgAYOjw2BAAAAFkn+5sCAADf0foVAHAA/EGPe1m6sM7UlEwATgj5AoGEwRJW9qzHfSlY22TuwvC4sGh/YIJ+SAU8S3qc9AyJetTjJrtLlYdUaGAXJ7kQvmWz9DFvWB2hdRifBJoAnBAP2RI2DZawsmcT6ZJydnkMMcqNa2S4NByPUxgZ0J7lfAh3Wn0dkhT/9QoheCLgicE9QyMBBDqPWRmpTGji/c9sX4HLhHgkAQbuWuH9SGk24gt7Z65SisiJK/rBEzfJJd3YeTilCcPJg1EQR+ES+R7yTSyD9DlvGB2hKMZmJgCXiQtEEomQwZL8sMK8SBQkEyfWrk9wYQMO4i35sNFkxSBSRBMCtGc9H7I7qX45Jin+awMR3CpXIQH8NY97GUQKDd7/zPYVkIkj6CGR6mOl9/2yp5X6YXX0AVVgnO6sbgjkQntGGqGyqnSeQRob5okDjC2ASwh4gAgABDqPBRmpspDm/c9sT+HJOALZDyFuovTeP06NpT7pRpix5nGiNbNlEEd7PCZk9FghWSrwX8ZnD08kXJtnTm0S/ElvdHq5O22NC4f9z2xPIR+bKl3jSuIMbYHgCTbJ/kQtFoZ7pzsx1emt9/AMknpztOu0Qyp4SKPyeUo+snVG0EutI17l2m6eTfglQBB1rEjoBiQil5NUp0qbqUlrejfJzjbJapeX0Nc+Pp7sx4OpPByd3TJnRN6oU8ffmTWmevr9XPvX34her6dNtoTox11PBN/X1JmJ828MIFqAG4MrHlTxFnugym+sftwksyFr6+6qkZmgCX8fNeeBWoOpJZdnRV7+fN0l438fv5+WrOM/M+c2d4y3wj+C8lz4xnJiPzUP0e9+3hzoVAj6FPzahgADNry7HQ/DMAzDcDO+PS6HYbECDgDgABTAPYdWWAEA+NdQUcp5cv1fnm1tTf3UXi6Yv0xMhiHvAhsB2lrfq2wisuyxKzU9KevHcvnItjwXLy/YzheqTwvlp2r5xH5hwX7h7OKXs2d/zi68XrywYF+tWouymfcSvArwC6jA0CSYbwGCaJ5np2F+ltOsvKdhJSuNrLze3Ud5Og1Mp/I4lcesvA54AfiZ3vf7u0/8+7/7dOxiBUDg3Ed5nE5vj/PYj5OW+VkOWNCv4/Pr+ep6zVD9OD0RDezhPPdnZj6dmZmBAI9yYpyemJhgDwB4HZ+dZwI2FXy79x8QYMKbwHEceRxHHrmpI2kHAFCYCmOMMQAAxOrxICH2KR1Orv1hxiiTRNpWliZpoZvl8GSo/NLhhaCpkWQoDkGMoJ6ow2ToJsAloEfSFAECAIxyF6gv8G7mDHdTXMUhc0D1BP3AYamXLCHQ5ADnVrtZ5l7827zy/Ewrh5k+bmpi2ag8T5HDkCePVrtZ4sVTlGdISXMAHAnPBx8MxDwQgNNAAn6vzzFo22ZbUlL5f5c3c9we7NceFr3/d3kzO/WAX3ty/GUCFAnfZicMxDgQAAYCKuBt/92XrrUiNUno9s2v5EiJvwbRNV4krgEcCV9WbxiIcSAADARkAq/7v1WlRkqqSfH/DwnojZQuwv+yy5fSKfwBDAkvuw0DMY0AnAIq4G77XKVpNdSRcspsvJNzO/AR8v7OT1m9P7/b8vYjs9QAFAm/O+dgCEY2eAAAACTgd/vbN02tAAAU5W4XpONvqgcK/Gq7tseRP/5nTCwI+3X2JYPN0tv79trW1Kw13rN8/s7hu2i3//cfPVPh+jfn/ySxXI/m7/3b514JS3559++7/Uwcw4WL/y0AvPEWsGNydi8Y9H0e6ui6j7+fbdzKZGpCHZ84/9lxUnv7l4f/K2p/Hs6M7Z8+iuvUffXm7Ca0d0aT8cjxnTgs37eXSwqbTY/cDKmN0Eg4WKejJTLEAR2SYv4J4kT7Y/BCbvv2yUTRCkxcciN+dgc/DXz2bz/OT+7bPNwe2MWDc2mhM2uFOw9kPf1fHGJGdOkb71NedsUPF4R3MmI1zWzdKUXvkhbsThgRJwwAvBkAIMk3pwENV5A6gEsAwMLEAvQQoHCXdNMqDJcAcHnwplWPv8suEbPYZ1a4SUSE1FwORoJzt4XWsllI1V6T8PwrkmwOhUWaeIhxbuaNVziInv+zadWOnkRDbUTkgRl1VET7db4vxTM8IaYYF5AS5o4lKqU2PiJOflOekJ5G2UsdmmEhu/n92/fL1+3t7fHhNPXTWL5dUntO7dNnrG9T54Ip/pIzq/zx+YAi9u5SRMrjNYnbbEpQ/NJGTgCMbbwc3oV7+MXxccDp1TkwPKdZ6cMIysAei6DBLMx0B+RjOtmYKC4Mp91uir9FBqZmQaZ9lDGpqTYdY/HgpNLNzubeni4n3So+vA+wbZr9/Fs1JYGCYh3Etz6mgEoDWe8SKmRTeHBTSb2R0ThHQaLaFxQpabQFXhoDvXjcAoADzPGWgdecUXGn2KpRZ2hKDC50/8T4LLGCi2hR1E/DnD7nJXrbLXxe/XACyMwgaKe9rFVea90AzPluCy4AHHmrD2WAKfj+ixU9s153Zo0P2twCs7PB8VtZqP5RGwIJiqFcmbdCrGXeML8/vR6s8T44ObIAkMK+aQbGaW9zpnd3CCuS3+wW9ubjZFo4IWlm7WMTVCOEyooc+Whgp6YynxnJd9T1Fr2fAEah/rzbyo2g0twjpblNi6i4r3dl43aq97aaJt7/3czcr3jV/lav7m6OqAXLoNjbzu7FcU/UsPm970B8WX6D6BJ8E75Cyr7mTgCk6Y725txMOM7y33ujc2e1seEm1kIAkiXu2krl837l4Xn0tfHX7s39wzfhlshid23zT3h9/+is8M/Q+H3/1tCRrdseiO7ceTgX/ojMq82g/ygAJAn7FTj3v9hp/+/DdsbqudbsE8gBJ1IF/zrXan32/x9/Ff/fSOPcoNvWbm5Zli5/7MlP4eBAJ4WfFlPPg3zc5N0bADoV/N6GL26g2YYDe2l+Nc/zdI6do82x6kUeC6TupFXdMgoA2Bh6EW4aCobfF/HZz5ntu/b7/uwSsI0j1+/Pp9aZsrJs3ngyNuYLdoU+Aice6g/R7neebPrTg2NWEcDgHn1Kn/0vSDLhSeW88EqQfHsoQj06jH1GfobYgWoTjHccCk9C5NwDdfbiPTMx38+Eyp0UoRYCbmj6F4SKYT6LzH71+v0yJuSnqZaYKbJ5YjSxlDEtlQURSdWBUDASVPNCqopEB/52lpTj94TpZKwXv1MdxELSAD4V/HVrHzDAhgUg2GWTcwKMAAAAkKzOB3mZwup9nH2mMft57M8ghXfZdxZPxrw1LJ5o3oQYP1OAeKI5cqRDs3OkaigSGelovRNngEgb5ztoHkKbusQIB+Ii/Wwo4uSNCErm20btGJaWz9LyWRqgiGMADg==';document.querySelectorAll('video')[0].play();setTimeout(createImageBitmap.bind(window,document.querySelectorAll('video')[0]),150)

Changing the timing around is crucial.

I know this a mess, but I believe I may have more pressing issues for the time being.

Comment 4

[:Gijs (he/him)]

https://crash-stats.mozilla.com/report/index/bb593ccc-acee-4b44-89e8-6f2a22161006

Uh. That's not very helpful.

Comment 5

[:Gijs (he/him)]

Local nightly build gets me: EXC_BAD_ACCESS on 0x4c

#0	0x0000000111c94901 in mozilla::layers::Image::GetFormat() [inlined] at /Users/gkruitbosch/dev/builds/opt/dist/include/ImageContainer.h:196
#1	0x0000000111c94901 in mozilla::dom::ImageUtils::ImageUtils(mozilla::layers::Image*) [inlined] at /Users/gkruitbosch/dev/firefox-unified/dom/canvas/ImageUtils.cpp:248
#2	0x0000000111c948fa in mozilla::dom::ImageUtils::ImageUtils(mozilla::layers::Image*) at /Users/gkruitbosch/dev/firefox-unified/dom/canvas/ImageUtils.cpp:246
#3	0x0000000111cafc37 in mozilla::dom::ImageBitmap::ImageBitmap(nsIGlobalObject*, mozilla::layers::Image*, bool) [inlined] at /Users/gkruitbosch/dev/firefox-unified/dom/canvas/ImageBitmap.cpp:401
#4	0x0000000111cafbb6 in mozilla::dom::ImageBitmap::ImageBitmap(nsIGlobalObject*, mozilla::layers::Image*, bool) [inlined] at /Users/gkruitbosch/dev/firefox-unified/dom/canvas/ImageBitmap.cpp:405
#5	0x0000000111cafbb6 in mozilla::dom::ImageBitmap::CreateInternal(nsIGlobalObject*, mozilla::dom::HTMLVideoElement&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::ErrorResult&) at /Users/gkruitbosch/dev/firefox-unified/dom/canvas/ImageBitmap.cpp:829
#6	0x0000000111cb1869 in mozilla::dom::ImageBitmap::Create(nsIGlobalObject*, mozilla::dom::HTMLImageElementOrHTMLVideoElementOrHTMLCanvasElementOrBlobOrImageDataOrCanvasRenderingContext2DOrImageBitmapOrArrayBufferViewOrArrayBuffer const&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::ErrorResult&) at /Users/gkruitbosch/dev/firefox-unified/dom/canvas/ImageBitmap.cpp:1437
#7	0x00000001113c6f81 in nsGlobalWindow::CreateImageBitmap(mozilla::dom::HTMLImageElementOrHTMLVideoElementOrHTMLCanvasElementOrBlobOrImageDataOrCanvasRenderingContext2DOrImageBitmapOrArrayBufferViewOrArrayBuffer const&, mozilla::ErrorResult&) at /Users/gkruitbosch/dev/firefox-unified/dom/base/nsGlobalWindow.cpp:14417
#8	0x0000000111a28fb1 in mozilla::dom::WindowBinding::createImageBitmap(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) [inlined] at /Users/gkruitbosch/dev/builds/opt/dom/bindings/WindowBinding.cpp:12699
#9	0x0000000111a28821 in mozilla::dom::WindowBinding::createImageBitmap_promiseWrapper(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) at /Users/gkruitbosch/dev/builds/opt/dom/bindings/WindowBinding.cpp:12837
#10	0x0000000111a240db in mozilla::dom::WindowBinding::genericPromiseReturningMethod(JSContext*, unsigned int, JS::Value*) at /Users/gkruitbosch/dev/builds/opt/dom/bindings/WindowBinding.cpp:14791
#11	0x0000000113b5825b in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) [inlined] at /Users/gkruitbosch/dev/firefox-unified/js/src/jscntxtinlines.h:239
#12	0x0000000113b58156 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /Users/gkruitbosch/dev/firefox-unified/js/src/vm/Interpreter.cpp:458
#13	0x0000000113b52397 in js::CallFromStack(JSContext*, JS::CallArgs const&) [inlined] at /Users/gkruitbosch/dev/firefox-unified/js/src/vm/Interpreter.cpp:509
#14	0x0000000113b5238f in Interpret(JSContext*, js::RunState&) at /Users/gkruitbosch/dev/firefox-unified/js/src/vm/Interpreter.cpp:2922
#15	0x0000000113b450d8 in js::RunScript(JSContext*, js::RunState&) at /Users/gkruitbosch/dev/firefox-unified/js/src/vm/Interpreter.cpp:404
#16	0x0000000113b58550 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /Users/gkruitbosch/dev/firefox-unified/js/src/vm/Interpreter.cpp:476
#17	0x0000000113b58716 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) at /Users/gkruitbosch/dev/firefox-unified/js/src/vm/Interpreter.cpp:522
#18	0x00000001139d649b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) at /Users/gkruitbosch/dev/firefox-unified/js/src/jsapi.cpp:2836
#19	0x0000000111b7a295 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) at /Users/gkruitbosch/dev/builds/opt/dom/bindings/FunctionBinding.cpp:36
#20	0x00000001113c030d in void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) [inlined] at /Users/gkruitbosch/dev/builds/opt/dist/include/mozilla/dom/FunctionBinding.h:70
#21	0x00000001113c02f0 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) at /Users/gkruitbosch/dev/firefox-unified/dom/base/nsGlobalWindow.cpp:12304
#22	0x00000001113b71d9 in nsGlobalWindow::RunTimeout(nsTimeout*) at /Users/gkruitbosch/dev/firefox-unified/dom/base/nsGlobalWindow.cpp:12547
#23	0x0000000111399157 in nsGlobalWindow::TimerCallback(nsITimer*, void*) at /Users/gkruitbosch/dev/firefox-unified/dom/base/nsGlobalWindow.cpp:12793
#24	0x0000000110698d68 in nsTimerImpl::Fire() at /Users/gkruitbosch/dev/firefox-unified/xpcom/threads/nsTimerImpl.cpp:480
#25	0x000000011068c0cd in nsTimerEvent::Run() at /Users/gkruitbosch/dev/firefox-unified/xpcom/threads/TimerThread.cpp:286
#26	0x000000011068fede in nsThread::ProcessNextEvent(bool, bool*) at /Users/gkruitbosch/dev/firefox-unified/xpcom/threads/nsThread.cpp:1082
<snip>


AFAICT CreateInternal is being called with a nullptr data, ie

  layers::Image* data = lockImage.GetImage();

returns null.

It looks like the code:

  // Create ImageBitmap.
  ImageContainer *container = aVideoEl.GetImageContainer();

  if (!container) {
    aRv.Throw(NS_ERROR_NOT_AVAILABLE);
    return nullptr;
  }

  AutoLockImage lockImage(container);
  layers::Image* data = lockImage.GetImage();
  RefPtr<ImageBitmap> ret = new ImageBitmap(aGlobal, data);

 should nullcheck data just like it nullchecks container.

Comment 6

[:Gijs (he/him)]

Attachment: Patch v0.1

Comment 7

[:Gijs (he/him)]

(In reply to :Gijs Kruitbosch from comment #6)
> Created attachment 8798443 [details] [diff] [review]
> Patch v0.1

Forgot to mention: this avoids a crash for me locally. The promise I end up with is rejected with an error, which I think is the expected behaviour here.

Comment 8

[Daniel Veditz [:dveditz]]

If there's a timing issue lurking here then the proposed patch will get the null deref crashes out of the way and then any remaining crashes you can trigger should stand out more

Comment 9

[Jeff Muizelaar [:jrmuizel]]

Comment on attachment 8798443 [details] [diff] [review]
Patch v0.1

Review of attachment 8798443 [details] [diff] [review]:
-----------------------------------------------------------------

Why/when does lockImage.GetImage(); return NULL?

Comment 10

[:Gijs (he/him)]

(In reply to Jeff Muizelaar [:jrmuizel] from comment #9)
> Comment on attachment 8798443 [details] [diff] [review]
> Patch v0.1
> 
> Review of attachment 8798443 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Why/when does lockImage.GetImage(); return NULL?

I'm not familiar with this code, so I'm really not the best person to ask. This is also why I didn't take the bug. But AFAICT:

https://dxr.mozilla.org/mozilla-central/rev/da986c9f1f723af1e0c44f4ccd4cddd5fb6084e8/gfx/layers/ImageContainer.h#655-671

AutoLockImage gets the video's ImageContainer and asks it for its images. If the array it gets back is empty, lockImage.GetImage() will return nullptr.

Why would the array be empty? Well, the 'intuitive' explanation here, from my perspective, is because you have a <video> element that loads an audio file that's pretending to be a video. We will happily play that, but there won't be an image stream to have images from. I haven't followed all the code to verify this is true, though. I don't know how the poster attribute factors in - I can reproduce without it (and also without all the about:feeds stuff). Probably worth writing a crash test to go with this.

Comment 11

[Jerri Rice (rehash pending)]

(In reply to :Gijs Kruitbosch from comment #10)
> (In reply to Jeff Muizelaar [:jrmuizel] from comment #9)
> > Comment on attachment 8798443 [details] [diff] [review]
> > Patch v0.1
> > 
> > Review of attachment 8798443 [details] [diff] [review]:
> > -----------------------------------------------------------------
> > 
> > Why/when does lockImage.GetImage(); return NULL?
> I can reproduce without it (and also without all the
> about:feeds stuff). Probably worth writing a crash test to go with this.

Interesting, because I could not get this to work without about:feeds.

Comment 12

[Jerri Rice (rehash pending)]

Removing bug 1307857 from the depends list since this apparently can work without about:feeds.  Did you execute the code in an iframe with the sandbox attribute or what?

I did in fact try multiple times to trigger this from a normal content webpage but maybe I just didn't try hard enough.

Comment 13

[:Gijs (he/him)]

Attachment: Simplified testcase

To answer the 'where do you see this outside about:feeds' question, here's a testcase that crashes my nightly if you click the button. I'm running it on localhost, but I would assume it'll work on bugzilla as well...

Comment 14

[:Gijs (he/him)]

Comment on attachment 8798443 [details] [diff] [review]
Patch v0.1

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Well, the patch fixes a nullptr issue, so I guess it should be kind of obvious, but OTOH if it's a nullptr crash that's sec-low and we wouldn't be having this conversation. I'm just not sure about whether there's anything else lurking here. I haven't seen anything else, but that's no guarantee.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
We haven't really looked for an actual security problem (beyond nullptr dos crash)

Which older supported branches are affected by this flaw?
I expect everything. The blame on this code dates to Fx42, so that'd include ESR.

If not all supported branches, which bug introduced the flaw?
bug 1044102

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Should be easy for this nullptr crash. Unknown for anything else that might be lurking.

How likely is this patch to cause regressions; how much testing does it need?
Very unlikely, shouldn't need much testing. It should be easy to convert the attached testcase to an actual crashtest.

Comment 15

[Al Billings [:abillings - ex-MoCo]]

Making this a sec-low in lieu of other suggestions and clearing sec-approval. Let's check this into trunk.

Comment 16

[:Gijs (he/him)]

remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/3e30051824704f61374030a645c5be6219d2e201


Filed bug 1309838 for getting a crashtest landed for this.

Comment 17

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/3e3005182470

Comment 18

[:Gijs (he/him)]

Comment on attachment 8798443 [details] [diff] [review]
Patch v0.1

Approval Request Comment
[Feature/regressing bug #]: createImageBitmap against a video element
[User impact if declined]: crashes!
[Describe test coverage new/current, TreeHerder]: I've written a test in another bug that I intend to land soon. But this is a 4-line patch to do a nullcheck that mirrors another nullcheck right above it, so we should be just fine.
[Risks and why]: none, see above.
[String/UUID change made/needed]: nope.

Comment 19

[Daniel Veditz [:dveditz]]

If this is a guaranteed nullptr (as the fix suggests) then it's just a DOS and doesn't need to be hidden. Keeping hidden for now in case something else is lurking here that wasn't clear to us in the first description.

Comment 20

[:Gijs (he/him)]

(In reply to Daniel Veditz [:dveditz] from comment #19)
> If this is a guaranteed nullptr (as the fix suggests) then it's just a DOS
> and doesn't need to be hidden. Keeping hidden for now in case something else
> is lurking here that wasn't clear to us in the first description.

fwiw, I tried for a while to crash on a build with the fix I wrote here, using the testcase I attached, with various setTimeout values, and I was no longer able to crash at all. Of course, maybe even more thorough testing by QA could find something else...

Comment 21

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8798443 [details] [diff] [review]
Patch v0.1

Crash fix, Aurora51+, Beta50+

Comment 22

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/releases/mozilla-aurora/rev/174c8427ef9f
https://hg.mozilla.org/releases/mozilla-beta/rev/b7adb2f10487

Comment 23

[Jerri Rice (rehash pending)]

I believe to exploit this it would require combination with another memory corruption bug at the very least.