WebGL Stack Overflow Bug (not exploitable)

RESOLVED INVALID

Status

critical
RESOLVED INVALID
2 years ago
2 years ago

People

(Reporter: buch0b2, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36

Steps to reproduce:



PoC:
---------------------------------------------------------------
    function Process()
    {
      var canvas = document.createElement("canvas");
      canvas.height = 0xC3C3;
      canvas.width = 0xC3C3;

      var gl = canvas.getContext("experimental-webgl");
      canvas.height = 0;
    }
---------------------------------------------------------------


WinDbg Log:
-------------------------------------------------------------------------------------------------------------------------------------
(1fd8.1d70): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000064 ebx=06f40000 ecx=0c55024c edx=000003a0 esi=06f4052c edi=7752e046
eip=7752defe esp=00092ff0 ebp=00093064 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
ntdll!memcpy+0xbbbe:
7752defe 53              push    ebx
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00093064 7752e0f2 7752e046 000003a0 12780350 ntdll!memcpy+0xbbbe
*** WARNING: Unable to verify checksum for C:\windows\system32\igd10umd32.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\windows\system32\igd10umd32.dll - 
000930d8 6902d2ad 06f40000 00000000 000003a0 ntdll!RtlAllocateHeap+0xac
000930f8 68ef7171 000003a0 00093258 000931f8 igd10umd32+0x28d2ad
00093264 693189d6 12780350 0009327c 12780354 igd10umd32+0x157171
00093274 69318c5c 00000001 00000000 266b7a68 igd10umd32!OpenAdapter10+0xc5c6
00093288 6929caae 126c6150 00000002 00000001 igd10umd32!OpenAdapter10+0xc84c
000932f8 6922cd6a 00093328 266b7a68 00000001 igd10umd32+0x4fcaae
0009331c 6929ce18 00093350 00000001 00000025 igd10umd32+0x48cd6a
00093334 692c0088 00093350 00000001 000933dc igd10umd32+0x4fce18
00000000 00000000 00000000 00000000 00000000 igd10umd32+0x520088
-------------------------------------------------------------------------------------------------------------------------------------




Actual results:

Crash


Expected results:

Crash
(Reporter)

Updated

2 years ago
Severity: normal → trivial
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64

Comment 1

2 years ago
WFM in Fx50, 51b2 x64, 53.0a1 (2016-11-24) (32-bit) on Win10.
Severity: trivial → critical
(Reporter)

Updated

2 years ago
Hardware: x86_64 → x86
(Reporter)

Comment 2

2 years ago
In the case of x64, it may crash if 0xC3C3 is changed to a much larger number.
Sorry, my English is bad.

like this:

canvas.height = 0x7FFFFFFF;
canvas.width = 0x7FFFFFFF;
(Reporter)

Updated

2 years ago
Summary: WebGL Stack Overflow Bug → WebGL Stack Overflow Bug (not exploitable)

Comment 3

2 years ago
WFM in 51.0b2 (64-bit) & 53.0a1 (2016-11-24) (32-bit) with web console:
Error: WebGL: Requested size 2147483647x2147483647 was too large, but resize to 2047x2047 succeeded. debugger eval code:6:16
Error: WebGL: Requested size 2147483647x1 was too large, but resize to 8191x1 succeeded. debugger eval code:7:7

Comment 4

User Agent: Mozilla/5.0 (Windows NT 10.0; rv:53.0) Gecko/20100101 Firefox/53.0
User agent: Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0

Can you please provide an accurate set of steps for the issue?

I have copy-pasted the `function Process` into the Web console, the browser did not crash but there was the following error:

"Error: WebGL: Failed to create WebGL context: WebGL creation failed: 
* Error during ANGLE OpenGL init.
* Error during ANGLE OpenGL init.
* Error during ANGLE OpenGL init.
* Error during ANGLE OpenGL init.
* Error during ANGLE OpenGL init.
* Exhausted GL driver caps."

I don't know if these are the steps for the issue.
Flags: needinfo?(yfdyh000)
Flags: needinfo?(buch0b2)
(Reporter)

Comment 5

2 years ago
Why... I don't know... Oh, my computer is such a low-end machine.

My computer spec:
http://i.imgur.com/sfH13Vv.png
(Reporter)

Comment 6

2 years ago
var canvas = document.createElement("canvas");
canvas.height = 0;
canvas.width = 0;
document.body.appendChild(canvas);

var gl = canvas.getContext("experimental-webgl");
canvas.height = 0x7FFFFFFF;
canvas.width = 0x7FFFFFFF;

This is the last.
It's my computer's problem, sorry for making the report ;(
Flags: needinfo?(buch0b2)

Comment 7

Considering Comment 6, please, can you close this issue?
If you don't know how, we will close it but we need to know if you agree with this resolution.
Flags: needinfo?(buch0b2)

Updated

2 years ago
Component: Untriaged → Canvas: WebGL
Flags: needinfo?(yfdyh000)
Product: Firefox → Core

Comment 8

2 years ago
(In reply to buch0 from comment #6)
> var canvas = document.createElement("canvas");
> canvas.height = 0;
> canvas.width = 0;
> document.body.appendChild(canvas);
> 
> var gl = canvas.getContext("experimental-webgl");
> canvas.height = 0x7FFFFFFF;
> canvas.width = 0x7FFFFFFF;
> 
> This is the last.
> It's my computer's problem, sorry for making the report ;(

Still works for me.
2147483647
Error: WebGL: Requested size 1x2147483647 was too large, but resize to 1x8191 succeeded. debugger eval code:7:1
Error: WebGL: Requested size 2147483647x2147483647 was too large, but resize to 2047x2047 succeeded. debugger eval code:8:1
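
The console output above shows the browser granting a smaller drawing buffer than the canvas size requested, so a page that sizes a WebGL canvas from computed or untrusted values should read back what it actually got. This is an added example, not code from this bug or from Firefox; `resizeAndVerify` and `makeFakeCanvas` are hypothetical names, and the fake canvas's 8191 cap and pixel budget are constructed to mirror the sizes in the messages above.

```javascript
// Resize a WebGL canvas, then verify the size the browser really allocated.
// Uses only standard WebGLRenderingContext members.
function resizeAndVerify(canvas, gl, width, height) {
  const maxRb = gl.getParameter(gl.MAX_RENDERBUFFER_SIZE);
  const [maxVw, maxVh] = gl.getParameter(gl.MAX_VIEWPORT_DIMS);
  // Clamp to the advertised per-axis limits; map 0, NaN and negatives to 1.
  const clamp = (v, ...caps) => Math.max(1, Math.min(Math.trunc(v) || 1, ...caps));
  const wantW = clamp(width, maxRb, maxVw);
  const wantH = clamp(height, maxRb, maxVh);
  canvas.width = wantW;
  canvas.height = wantH;
  if (gl.isContextLost()) return { ok: false, reason: "context lost" };
  // Per-axis caps are not the whole story: the browser may still allocate a
  // smaller buffer, so size the viewport from what was granted.
  const gotW = gl.drawingBufferWidth, gotH = gl.drawingBufferHeight;
  gl.viewport(0, 0, gotW, gotH);
  return { ok: true, want: [wantW, wantH], got: [gotW, gotH],
           shrunk: gotW < wantW || gotH < wantH };
}

// Constructed stand-in for a browser canvas/context so the check runs under
// Node. The cap and pixel budget are assumptions chosen to reproduce the sizes
// in the thread, not Firefox's actual allocation policy.
function makeFakeCanvas(cap = 8191, budget = 2047 * 2047) {
  const size = { w: 300, h: 150 };
  const gl = {
    MAX_RENDERBUFFER_SIZE: 0x84E8, MAX_VIEWPORT_DIMS: 0x0D3A,
    drawingBufferWidth: 300, drawingBufferHeight: 150, viewportArgs: null,
    getParameter(p) { return p === this.MAX_VIEWPORT_DIMS ? [cap, cap] : cap; },
    isContextLost() { return false; },
    viewport(...a) { this.viewportArgs = a; },
  };
  const realloc = () => {
    let w = Math.min(size.w, cap), h = Math.min(size.h, cap);
    // Halve both axes until the buffer fits the pixel budget.
    while (w * h > budget) { w = Math.max(1, w >> 1); h = Math.max(1, h >> 1); }
    gl.drawingBufferWidth = w; gl.drawingBufferHeight = h;
  };
  return {
    get width() { return size.w; }, set width(v) { size.w = v; realloc(); },
    get height() { return size.h; }, set height(v) { size.h = v; realloc(); },
    getContext() { return gl; },
  };
}
```

In a browser, pass the real canvas and the context returned by `canvas.getContext("webgl")`; a `shrunk` result means rendering code must use the granted size, not `canvas.width`/`canvas.height`.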
(Reporter)

Comment 9

2 years ago
(In reply to Vlad Bacia-Mociran [:VladB] from comment #7)
> Considering Comment 6, please, can you close this issue?
> If you don't know how, we will close it but we need to know if you agree
> with this resolution.

Yes, I don't know how to close the issue, so please close this issue.

Thanks, Mr. Vlad...
Component: Canvas: WebGL → Untriaged
Product: Core → Firefox

Comment 10

2 years ago
(In reply to Vlad Bacia-Mociran [:VladB] from comment #4)
> User Agent: Mozilla/5.0 (Windows NT 10.0; rv:53.0) Gecko/20100101
> Firefox/53.0
> User agent: Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101
> Firefox/48.0
> 
> Can you please provide an accurate set of steps for the issue?
> 
> I have copy-pasted the `function Process` into the Web console, the browser
> did not crash but there was the following error:
> 
> "Error: WebGL: Failed to create WebGL context: WebGL creation failed: 
> * Error during ANGLE OpenGL init.
> * Error during ANGLE OpenGL init.
> * Error during ANGLE OpenGL init.
> * Error during ANGLE OpenGL init.
> * Error during ANGLE OpenGL init.
> * Exhausted GL driver caps."
> 
> I don't know if these are the steps for the issue.

Maybe check your about:support - Graphics section.


I think it may need an expert to explain if it does cause problems in a particular environment...
Flags: needinfo?(buch0b2)

Comment 11

Based on comment 9, closing this issue.

Please feel free to reopen it or file a new bug if you are still experiencing this issue.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
Resolution: WORKSFORME → INVALID
(Reporter)

Comment 12

2 years ago
WebGL renderer: Google Inc. -- ANGLE (Intel(R) HD Graphics 4000 Direct3D11 vs_5_0 ps_5_0)
Drivers: igdumd64 igd10umd64 igd10umd64 igdumd32 igd10umd32 igd10umd32

Maybe my GPU is using DirectX???
Good night, all.
Thanks!!!!