Closed
Bug 1348936
Opened 7 years ago
Closed 7 years ago
Possible integer overflow in allocation size in BasicPlanarYCbCrImage::CopyData?
Categories
(Core :: Graphics: Layers, defect)
Core
Graphics: Layers
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: MatsPalmgren_bugz, Assigned: sotaro)
Details
(Keywords: csectype-intoverflow, sec-want, Whiteboard: [post-critsmash-triage][adv-main54-])
Attachments
(1 file)
|
2.15 KB,
patch
|
nical
:
review+
gchang
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Are the values multiplied here controlled by content? http://searchfox.org/mozilla-central/rev/557f236c19730116d3bf53c0deef36362cafafcd/gfx/layers/basic/BasicImages.cpp#114 If so, it might lead to integer overflow and potential security issues.
|
||
Updated•7 years ago
|
Group: core-security → gfx-core-security
|
||
Updated•7 years ago
|
Keywords: csectype-intoverflow
|
||
Comment 1•7 years ago
|
||
Milan, can you please help find someone who can investigate?
Flags: needinfo?(milan)
I think that these kinds of images only come from video which means that we would have run into trouble or handled bad size much earlier, but it may be easier to just use CheckedInt. Either way, Sotaro should know best.
Assignee: nobody → sotaro.ikeda.g
Flags: needinfo?(milan)
|
Assignee | |
Comment 3•7 years ago
|
||
We already check the size just before allocation, it should not cause integer overflow. http://searchfox.org/mozilla-central/rev/557f236c19730116d3bf53c0deef36362cafafcd/gfx/layers/basic/BasicImages.cpp#106
|
|
Assignee | |
Comment 4•7 years ago
|
||
But we could use CheckedInt to be more safer.
|
|
Assignee | |
Comment 5•7 years ago
|
||
|
|
Assignee | |
Comment 6•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=6cc6e07db4570ea665c16d15e1f048470e7e2e98
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8852748 -
Flags: review?(nical.bugzilla)
|
||
Updated•7 years ago
|
Attachment #8852748 -
Flags: review?(nical.bugzilla) → review+
|
|
Assignee | |
Comment 7•7 years ago
|
||
Comment on attachment 8852748 [details] [diff] [review] patch - Fix BasicPlanarYCbCrImage::CopyData() [Security approval request comment] How easily could an exploit be constructed based on the patch? Hard. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No Which older supported branches are affected by this flaw? Yes. If not all supported branches, which bug introduced the flaw? Exist on all supported branches. The problem is not serious since Bug 701259. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? No, but it is easier to create with CheckedInt32. How likely is this patch to cause regressions; how much testing does it need? It is not likely to cause the regression. Current tests seems enough.
Attachment #8852748 -
Flags: sec-approval?
|
||
Comment 8•7 years ago
|
||
Comment on attachment 8852748 [details] [diff] [review] patch - Fix BasicPlanarYCbCrImage::CopyData() This is rated "sec-want" and doesn't need sec-approval+ to go into trunk. Only sec-high and sec-critical rated bugs (and all security bugs need a rating) require sec-approval. https://wiki.mozilla.org/Security/Bug_Approval_Process
Attachment #8852748 -
Flags: sec-approval?
|
|
Assignee | |
Comment 9•7 years ago
|
||
Thanks!
|
|
Assignee | |
Comment 10•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ae40354e5a083eb11e1491028d0cdfe3be5e31a8
|
||
Comment 11•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ae40354e5a08
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
|
||
Comment 12•7 years ago
|
||
Given the severity of this bug, this doesn't seem worth a backport beyond maybe to Aurora54. Would you agree with that, Sotaro?
status-firefox52:
--- → wontfix
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox-esr45:
--- → wontfix
status-firefox-esr52:
--- → wontfix
Flags: needinfo?(sotaro.ikeda.g)
|
||
Updated•7 years ago
|
Group: gfx-core-security → core-security-release
|
|
Assignee | |
Comment 15•7 years ago
|
||
Comment on attachment 8852748 [details] [diff] [review] patch - Fix BasicPlanarYCbCrImage::CopyData() Approval Request Comment [Feature/Bug causing the regression]:None. Exist on all supported branches. The problem is not serious since Bug 701259. [User impact if declined]: Impact is very low, since the bug actually might not hit the problem. If it hit, content process could crash. [Is this code covered by automated tests?]: Yes. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: Low riak. [Why is the change risky/not risky?]: It just adds CheckedInt32. [String changes made/needed]: None.
Flags: needinfo?(sotaro.ikeda.g)
Attachment #8852748 -
Flags: approval-mozilla-aurora?
|
||
Comment 16•7 years ago
|
||
Comment on attachment 8852748 [details] [diff] [review] patch - Fix BasicPlanarYCbCrImage::CopyData() Fix a security issue. Aurora54+.
Attachment #8852748 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•7 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54-]
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•