Closed
Bug 1473943
Opened 4 years ago
Closed 4 years ago
Robustify blob replay against bad data
Categories
(Core :: Graphics: WebRender, enhancement, P1)
Tracking
()
RESOLVED
FIXED
mozilla63
Tracking | Status | |
---|---|---|
firefox63 | --- | fixed |
People
(Reporter: kats, Assigned: jrmuizel)
References
Details
(Whiteboard: [gfx-noted])
Attachments
(1 file)
When I was working on bug 1469528 I noticed that there is little sanity-checking of the blob images in the compositor. We just take the blob and run it through the replay mechanism, and that provides a lot of opportunities for a malicious content process to corrupt rendering, crash the compositor, or even potentially write to arbitrary memory [1], which would be Really Bad. This needs to be fixed before we ship. [1] https://searchfox.org/mozilla-central/rev/1193ef6a61cb6e350460eb2e8468184d3cb0321d/gfx/webrender_bindings/Moz2DImageRenderer.cpp#303
Assignee | ||
Comment 1•4 years ago
|
||
Comment 2•4 years ago
|
||
Comment on attachment 9003344 [details] Bug 1473943. Make blob bounds checks safe. r=mstange Markus Stange [:mstange] has approved the revision.
Attachment #9003344 -
Flags: review+
Pushed by jmuizelaar@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/73ffc23ea21b Make blob bounds checks safe. r=mstange
Comment 4•4 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/73ffc23ea21b
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox63:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated•4 years ago
|
Assignee: nobody → jmuizelaar
You need to log in
before you can comment on or make changes to this bug.
Description
•