Robustify blob replay against bad data

RESOLVED FIXED in Firefox 63

Status

()

Product:
Core
Component:
Graphics: WebRender
Type:
enhancement
Importance:
P1
normal
Status:
RESOLVED FIXED
Opened:
Last year
Updated:
11 months ago

People

(Reporter: kats, Assigned: jrmuizel)

Tracking

(Blocks 1 bug)

Version:
Other Branch
Target:
mozilla63
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox63 fixed)

Details

(Whiteboard: [gfx-noted])

Attachments

(1 attachment)

Bug 1473943. Make blob bounds checks safe. r=mstange
46 bytes, text/x-phabricator-request
mstange
: review+
Details | Review 
When I was working on bug 1469528 I noticed that there is little sanity-checking of the blob images in the compositor. We just take the blob and run it through the replay mechanism, and that provides a lot of opportunities for a malicious content process to corrupt rendering, crash the compositor, or even potentially write to arbitrary memory [1], which would be Really Bad.

This needs to be fixed before we ship.

[1] https://searchfox.org/mozilla-central/rev/1193ef6a61cb6e350460eb2e8468184d3cb0321d/gfx/webrender_bindings/Moz2DImageRenderer.cpp#303
Comment on attachment 9003344 [details]
Bug 1473943. Make blob bounds checks safe. r=mstange

Markus Stange [:mstange] has approved the revision.
Attachment #9003344 - Flags: review+
Pushed by jmuizelaar@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/73ffc23ea21b
Make blob bounds checks safe. r=mstange
https://hg.mozilla.org/mozilla-central/rev/73ffc23ea21b
Status: NEW → RESOLVED
Closed: 11 months ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Assignee: nobody → jmuizelaar
Depends on: 1486198
You need to log in before you can comment on or make changes to this bug.