Closed Bug 1356638 Opened 7 years ago Closed 5 years ago

Security bug caused by lack of validation of clipboard data length in nsImageFromClipboard::GetEncodedImageStream()

Categories

(Core :: Widget: Win32, defect, P4)

52 Branch
defect

RESOLVED DUPLICATE of bug 1501482

People

(Reporter: q1, Unassigned)

References

Details

(Keywords: csectype-bounds, reporter-external, sec-moderate, Whiteboard: tpi:+)

nsImageFromClipboard::GetEncodedImageStream() (widget\windows\nsImageClipboard.cpp) does not accept as an argument, nor validate, the actual length of the clipboard data. Instead, it (and functions it calls) assume that the data is long enough to allow it to read the image header and as much image data as it needs.

Per https://bugzilla.mozilla.org/show_bug.cgi?id=1356636 , this bug can cause reads and writes beyond bounds. See that bug for a POC.
Blocks: 1353927, 1356636
Group: core-security → dom-core-security
Flags: sec-bounty?
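As an added illustration of the check comment #0 says is missing (example code written for this page, not code from mozilla-central's nsImageClipboard.cpp): a validator that takes the clipboard payload together with its length and refuses to derive anything from the BITMAPINFOHEADER unless the header, the colour table and the pixel rows it describes all fit inside that length. The function names, the DibInfo struct and the constructed buffers are assumptions made for the example; the header layout, row padding and colour-table rules are those of a CF_DIB (BI_RGB) bitmap.

```cpp
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <vector>

// Hypothetical length-aware validation of a CF_DIB clipboard payload (a 40-byte
// BITMAPINFOHEADER, an optional colour table, then 4-byte-padded pixel rows).
// Written for this page as an illustration of the missing check; not mozilla-central code.

struct DibInfo {
    int32_t  width = 0;
    int32_t  height = 0;
    uint16_t bitCount = 0;
    size_t   colorTableBytes = 0;
    size_t   pixelBytes = 0;
};

// DIB fields are little-endian; assemble them byte by byte so the host byte order does not matter.
static uint32_t ReadU32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}
static uint16_t ReadU16(const uint8_t* p) { return uint16_t(p[0] | p[1] << 8); }

// Returns true only when every byte a decoder would touch lies inside [data, data + len).
bool ValidateDib(const uint8_t* data, size_t len, DibInfo* out) {
    const size_t kHeaderSize = 40;                               // sizeof(BITMAPINFOHEADER)
    if (data == nullptr || len < kHeaderSize) return false;       // reading the header itself would overrun
    if (ReadU32(data) < kHeaderSize) return false;                // biSize must at least cover the header

    int32_t  width    = static_cast<int32_t>(ReadU32(data + 4));
    int32_t  height   = static_cast<int32_t>(ReadU32(data + 8));  // negative height = top-down rows
    uint16_t planes   = ReadU16(data + 12);
    uint16_t bitCount = ReadU16(data + 14);
    uint32_t compress = ReadU32(data + 16);
    uint32_t clrUsed  = ReadU32(data + 32);

    if (planes != 1 || width <= 0 || height == 0) return false;
    if (compress != 0) return false;   // BI_RGB only; compressed encodings need their own size rules
    switch (bitCount) { case 1: case 4: case 8: case 16: case 24: case 32: break; default: return false; }

    // Colour table: present only for <= 8 bpp, 4 bytes per entry, biClrUsed == 0 meaning the full 2^bpp table.
    size_t colorTableBytes = 0;
    if (bitCount <= 8) {
        size_t maxEntries = size_t(1) << bitCount;
        if (clrUsed > maxEntries) return false;
        colorTableBytes = (clrUsed == 0 ? maxEntries : clrUsed) * 4;
    }

    // Rows are padded to 4-byte boundaries; do the arithmetic in 64 bits and reject overflow.
    uint64_t rows   = height < 0 ? uint64_t(-int64_t(height)) : uint64_t(height);
    uint64_t stride = ((uint64_t(width) * bitCount + 31) / 32) * 4;
    uint64_t pixelBytes = stride * rows;
    if (pixelBytes / rows != stride) return false;

    uint64_t needed = uint64_t(kHeaderSize) + colorTableBytes + pixelBytes;
    if (needed > len) return false;   // the comparison this bug report says the code never makes

    if (out) {
        out->width = width; out->height = height; out->bitCount = bitCount;
        out->colorTableBytes = colorTableBytes; out->pixelBytes = size_t(pixelBytes);
    }
    return true;
}

// Builds a constructed CF_DIB buffer: a BI_RGB header followed by `payloadBytes` zero bytes.
static void PutU32(std::vector<uint8_t>& v, uint32_t x) { for (int i = 0; i < 4; ++i) v.push_back(uint8_t(x >> (8 * i))); }
static void PutU16(std::vector<uint8_t>& v, uint16_t x) { v.push_back(uint8_t(x)); v.push_back(uint8_t(x >> 8)); }

std::vector<uint8_t> MakeDib(int32_t width, int32_t height, uint16_t bitCount, size_t payloadBytes) {
    std::vector<uint8_t> v;
    PutU32(v, 40); PutU32(v, uint32_t(width)); PutU32(v, uint32_t(height));
    PutU16(v, 1); PutU16(v, bitCount);
    PutU32(v, 0);                                 // biCompression = BI_RGB
    for (int i = 0; i < 5; ++i) PutU32(v, 0);     // biSizeImage, X/Y resolution, biClrUsed, biClrImportant
    v.insert(v.end(), payloadBytes, 0);
    return v;
}

int main() {
    DibInfo info;
    std::vector<uint8_t> ok = MakeDib(2, 2, 24, 16);        // 2x2x24bpp: stride 8, 16 pixel bytes
    std::vector<uint8_t> truncated = MakeDib(2, 2, 24, 0);  // same header, pixel bytes absent
    std::cout << "complete DIB accepted: " << ValidateDib(ok.data(), ok.size(), &info)
              << " (pixel bytes " << info.pixelBytes << ")\n"
              << "truncated DIB rejected: " << !ValidateDib(truncated.data(), truncated.size(), nullptr) << "\n";
    return 0;
}
```

The `len` argument is the part the report says is absent: on Windows the size of the clipboard allocation is available from GlobalSize() on the handle returned by GetClipboardData(), and passing it down lets the decoder reject a header whose width, height, depth and palette describe more bytes than the clipboard actually handed over, instead of reading (or writing) past the end of the allocation.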
(In reply to q1 from comment #0)
> Instead, it (and functions it calls) assume that the data is long enough to allow it to read
> the image header and as much image data as it needs.

Would that be an invalid assumption if the other parts of the code did the checking they were supposed to?
Flags: needinfo?(michael)
I'm not super familiar with the windows widget clipboard code, I've mostly worked on the DOM side inside of DataTransfer. 

Jimm may know more about what's going on here.
Flags: needinfo?(michael) → needinfo?(jmathies)
GetEncodedImageStream is called by nsClipboard::GetNativeDataOffClipboard [1], so we're consuming native clipboard data and we assume the data Windows hands us is valid here.

I don't see the risk, AFAICT this attack would require some other hostile app with access to the clipboard, but not the system.

[1] http://searchfox.org/mozilla-central/rev/2933592c4a01b634ab53315ce2d0e43fccb82181/widget/windows/nsClipboard.cpp#487
Flags: needinfo?(jmathies)
Priority: -- → P4
Whiteboard: tpi:+
Minusing this for bounty because this isn't a remote exploit and users should be safe here.
Flags: sec-bounty? → sec-bounty-
Group: dom-core-security → layout-core-security
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: core-security-release