Closed
Bug 1348931
Opened 7 years ago
Closed 7 years ago
Possible integer overflow in allocation size in SilentChunk::SilentChunk?
Categories
(Core :: Audio/Video: Playback, enhancement)
RESOLVED FIXED
Target Milestone: mozilla55

| | Tracking | Status |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox55 | --- | fixed |
People
(Reporter: MatsPalmgren_bugz, Assigned: jwwang)
Details
(Keywords: csectype-uninitialized, sec-audit, Whiteboard: [adv-main55-][post-critsmash-triage])
Attachments
(1 file)
patch, 1.79 KB, mozbugz: review+
Are the values multiplied here controlled by content? http://searchfox.org/mozilla-central/rev/557f236c19730116d3bf53c0deef36362cafafcd/dom/media/mediasink/DecodedAudioDataSink.cpp#269-270 If so, it might lead to integer overflow and potential security issues.
Updated•7 years ago
Group: core-security → media-core-security
Comment 1•7 years ago
I just found this as well (because of the static analysis in bug 1279569), but I don't see the code being used anywhere. The integer overflow here would lead to partial uninitialized data in mData.
Keywords: csectype-uninitialized, sec-audit
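A hypothetical C sketch of the pattern discussed in the description and comment 1, added here as an illustration and not taken from DecodedAudioDataSink.cpp or the attached patch: it shows how a size product computed in 32-bit arithmetic can wrap so that a clear covers less than the buffer, next to a checked form. The names `sample_t`, `unchecked_elems`, `unchecked_bytes`, `checked_bytes` and `alloc_silence` and the input values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>

typedef float sample_t;  /* hypothetical 4-byte audio sample type */
_Static_assert(sizeof(sample_t) == 4, "example assumes 4-byte samples");

/* Unchecked pattern: element and byte counts computed in 32-bit arithmetic,
 * as on a 32-bit build. unchecked_bytes() is what a memset() would be given. */
static uint32_t unchecked_elems(uint32_t frames, uint32_t channels) {
    return frames * channels;                       /* wraps modulo 2^32 */
}
static uint32_t unchecked_bytes(uint32_t frames, uint32_t channels) {
    return unchecked_elems(frames, channels) * (uint32_t)sizeof(sample_t);
}

/* Checked pattern: widen before multiplying, then reject anything that
 * does not fit in size_t. Returns 0 on success, -1 on overflow. */
static int checked_bytes(uint32_t frames, uint32_t channels, size_t *out) {
    uint64_t elems = (uint64_t)frames * channels;   /* < 2^64, cannot wrap */
    if (elems > SIZE_MAX / sizeof(sample_t))
        return -1;
    *out = (size_t)elems * sizeof(sample_t);
    return 0;
}

/* Zero-filled buffer, or NULL if the size overflows or allocation fails. */
static sample_t *alloc_silence(uint32_t frames, uint32_t channels) {
    size_t bytes;
    if (checked_bytes(frames, channels, &bytes) != 0 || bytes == 0)
        return NULL;
    return calloc(1, bytes);   /* every byte initialized, no separate memset */
}

int main(void) {
    /* Constructed inputs: 0x30000000 frames x 2 channels. */
    uint32_t elems = unchecked_elems(0x30000000u, 2);   /* 0x60000000 */
    uint32_t bytes = unchecked_bytes(0x30000000u, 2);   /* 0x80000000 */
    /* bytes < elems * 4: a clear sized by `bytes` leaves a tail untouched. */
    sample_t *ok = alloc_silence(480, 2);
    int rc = (ok != NULL && elems > bytes / 4) ? 0 : 1;
    free(ok);
    return rc;
}
```

The fix recorded in this bug was removal of the dead code; the checked form above is only the general guard for size products that cannot be removed.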
Assignee
Comment 2•7 years ago
I will remove the dead code.
Assignee: nobody → jwwang
Component: Audio/Video → Audio/Video: Playback
Assignee
Comment 3•7 years ago
Attachment #8849812 - Flags: review?(gsquelart)
Attachment #8849812 - Flags: review?(gsquelart) → review+
Comment 5•7 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/e27e769a70e3
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/e27e769a70e3
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•7 years ago
Group: media-core-security → core-security-release
Updated•7 years ago
Whiteboard: [adv-main55-]
Updated•7 years ago
status-firefox-esr52: --- → unaffected
Updated•7 years ago
Flags: qe-verify-
Whiteboard: [adv-main55-] → [adv-main55-][post-critsmash-triage]
Updated•6 years ago
Group: core-security-release