Closed Bug 1348931 Opened 7 years ago Closed 7 years ago

Possible integer overflow in allocation size in SilentChunk::SilentChunk?

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla55

Tracking Flags:

Tracking

Status

firefox-esr52

---

unaffected

firefox55

---

fixed

People

(Reporter: MatsPalmgren_bugz, Assigned: jwwang)

Details

(Keywords: csectype-uninitialized, sec-audit, Whiteboard: [adv-main55-][post-critsmash-triage])

Attachments

(1 file)

1348931_fix.patch 7 years ago JW Wang [:jwwang] [:jw_wang] 1.79 KB, patch	mozbugz : review+	Details \| Diff \| Splinter Review

Mats Palmgren (inactive)

Reporter

Description

•

7 years ago

Are the values multiplied here controlled by content?
http://searchfox.org/mozilla-central/rev/557f236c19730116d3bf53c0deef36362cafafcd/dom/media/mediasink/DecodedAudioDataSink.cpp#269-270
If so, it might lead to integer overflow and potential security issues.

Tyson Smith [:tsmith]

Updated

•

7 years ago

Group: core-security → media-core-security

Christian Holler (:decoder)

Comment 1

•

7 years ago

I just found this as well (because of the static analysis in bug 1279569), but I don't see the code being used anywhere.

The integer overflow here would lead to partial uninitialized data in mData.

Keywords: csectype-uninitialized, sec-audit

JW Wang [:jwwang] [:jw_wang]

Assignee

Comment 2

•

7 years ago

I will remove the dead code.

Assignee: nobody → jwwang

Component: Audio/Video → Audio/Video: Playback

JW Wang [:jwwang] [:jw_wang]

Assignee

Comment 3

•

7 years ago

Attached patch 1348931_fix.patch — Details — Splinter Review

Attachment #8849812 - Flags: review?(gsquelart)

Gerald Squelart (he/him) (not at Mozilla since 2022-09-15)

Updated

•

7 years ago

Attachment #8849812 - Flags: review?(gsquelart) → review+

JW Wang [:jwwang] [:jw_wang]

Assignee

Comment 4

•

7 years ago

Thanks!

Keywords: checkin-needed

Carsten Book [:Tomcat]

Comment 5

•

7 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/e27e769a70e3

Keywords: checkin-needed

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 6

•

7 years ago

https://hg.mozilla.org/mozilla-central/rev/e27e769a70e3

Status: UNCONFIRMED → RESOLVED

Closed: 7 years ago

status-firefox55: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla55

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Group: media-core-security → core-security-release

Al Billings [:abillings - ex-MoCo]

Updated

•

7 years ago

Whiteboard: [adv-main55-]

Daniel Veditz [:dveditz]

Updated

•

7 years ago

status-firefox-esr52: --- → unaffected

Matt Wobensmith [:mwobensmith][:matt:]

Updated

•

7 years ago

Flags: qe-verify-

Whiteboard: [adv-main55-] → [adv-main55-][post-critsmash-triage]

Daniel Veditz [:dveditz]

Updated

•

6 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Possible integer overflow in allocation size in SilentChunk::SilentChunk?

Categories

(Core :: Audio/Video: Playback, enhancement)

Tracking

()

People

(Reporter: MatsPalmgren_bugz, Assigned: jwwang)

References

Details

(Keywords: csectype-uninitialized, sec-audit, Whiteboard: [adv-main55-][post-critsmash-triage])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Updated

Updated

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type