Closed
Bug 1447109
Opened 7 years ago
Closed 7 years ago
TabParent::RecvSetCustomCursor unsafely casts from uint8_t to SurfaceFormat enum
Categories
(Core :: Graphics: Layers, enhancement)
RESOLVED
DUPLICATE
of bug 1453016
| | Tracking | Status |
|---|---|---|
| firefox61 | --- | affected |
People
(Reporter: Alex_Gaynor, Unassigned)
Details
(Keywords: sec-audit)
https://searchfox.org/mozilla-central/source/dom/ipc/TabParent.cpp#1765
Because there is no bounds check on aFormat, you can end up with a SurfaceFormat that doesn't actually correspond to any of the enum elements. That's technically undefined behavior in C++, but it's the uninteresting sort :-)
The interesting case is if there's a switch statement without a default, or using the enum value as an index into an array (assuming that the enum is bounded by its valid values!). I haven't traced all the places aFormat ends up used so I'm marking this s-s until someone is confident that we don't do anything dangerous with it.
https://hg.mozilla.org/mozilla-central/rev/145c594a51c5 demonstrates using IPDL's functionality + ContiguousEnumSerializer to enforce that it's a valid value automatically to ensure safety.
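The two patterns the report contrasts, as an added C++ example that is not Mozilla's code: the raw cast from the wire value, and a bounded check in the spirit of a contiguous-enum serializer. The SurfaceFormat enumerators, the bytes-per-pixel table and all function names are constructed stand-ins, not the real gfx definitions.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>

// Constructed stand-in for gfx::SurfaceFormat (not the real enum, values are illustrative).
// Underlying type is uint8_t so any wire byte converts without narrowing.
enum class SurfaceFormat : uint8_t { B8G8R8A8 = 0, B8G8R8X8, R8G8B8A8, R8G8B8X8, A8, UNKNOWN };

// Pattern the report flags: a uint8_t from the IPC message cast straight to the enum.
// For aFormat > UNKNOWN the result names no enumerator, and anything that switches
// on it without a default or indexes a table with it misbehaves.
SurfaceFormat unchecked_cast(uint8_t aFormat) {
  return static_cast<SurfaceFormat>(aFormat);
}

// Hardened pattern: accept only values in [0, highest enumerator] and reject the rest,
// which is what a contiguous-enum serializer does at deserialization time.
std::optional<SurfaceFormat> checked_cast(uint8_t aFormat) {
  constexpr uint8_t kHighest = static_cast<uint8_t>(SurfaceFormat::UNKNOWN);
  if (aFormat > kHighest) {
    return std::nullopt;  // invalid wire value, caller should fail the message
  }
  return static_cast<SurfaceFormat>(aFormat);
}

// Constructed lookup table indexed by the enum: the "array index" hazard from the report.
// Only safe because every value reaching it has passed checked_cast.
constexpr std::array<int, 6> kBytesPerPixel{4, 4, 4, 4, 1, 0};

int bytes_per_pixel(SurfaceFormat f) {
  return kBytesPerPixel[static_cast<std::size_t>(f)];
}

// Safe entry point for a wire value: validate first, map rejection to a sentinel (-1).
int bytes_per_pixel_from_wire(uint8_t aFormat) {
  std::optional<SurfaceFormat> f = checked_cast(aFormat);
  if (!f) {
    return -1;
  }
  return bytes_per_pixel(*f);
}
```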
Updated 7 years ago: Group: core-security → gfx-core-security
Updated 7 years ago: Status: NEW → RESOLVED; Closed: 7 years ago; Resolution: --- → DUPLICATE
Updated 4 years ago: Group: gfx-core-security