Closed Bug 1500011 (CVE-2018-18498) Opened 6 years ago Closed 6 years ago

Unsafe use of CheckedInt32 in nsContentUtils::CalculateBufferSizeForImage

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla65
Tracking Flags:
Tracking Status
firefox-esr60 64+ fixed
firefox63 --- wontfix
firefox64 + fixed
firefox65 + fixed

People

(Reporter: r2, Assigned: nika)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main64+][adv-esr60.4+])

Attachments

(1 file)

Bug 1500011 - Use CheckedInt more in CalculateBufferSizeForImage,
46 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr60+
Details | Review
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:61.0) Gecko/20100101 Firefox/61.0 Steps to reproduce: This is the same issue as bug#1495011. nsresult nsContentUtils::CalculateBufferSizeForImage(const uint32_t& aStride, const IntSize& aImageSize, const SurfaceFormat& aFormat, size_t* aMaxBufferSize, size_t* aUsedBufferSize) { CheckedInt32 requiredBytes = CheckedInt32(aStride) * CheckedInt32(aImageSize.height); if (!requiredBytes.isValid()) { return NS_ERROR_FAILURE; } *aMaxBufferSize = requiredBytes.value(); *aUsedBufferSize = *aMaxBufferSize - aStride + (aImageSize.width * BytesPerPixel(aFormat)); return NS_OK; } https://searchfox.org/mozilla-central/source/dom/base/nsContentUtils.cpp#7863 requiredBytes is checked for an overflow, however a couple of lines later its raw unchecked value is used in arithmetic calculations again. Thus aUsedBufferSize can potentially overflow on x86 systems.
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM
Product: Firefox → Core
Looks like this was introduced in bug 1473161 which was also a sec bug and backported to esr60. Nika, you reviewed, can you take a look or pass this onto someone else who can?
Blocks: 1473161
Flags: needinfo?(nika)
I've changed it to use CheckedInt32 more pervasively - thanks.
Assignee: nobody → nika
Flags: needinfo?(nika)
https://hg.mozilla.org/integration/mozilla-inbound/rev/a3fad30f081a0bcd4aeae913942fc360dbdbf30e https://hg.mozilla.org/mozilla-central/rev/a3fad30f081a
Group: dom-core-security → core-security-release
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
status-firefox65: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
This needs a sec rating (and potentially a retroactive sec approval request depending on severity).
status-firefox63: --- → wontfix
status-firefox64: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox64: --- → +
tracking-firefox65: --- → +
tracking-firefox-esr60: --- → 64+
Flags: needinfo?(nika)
Keywords: regression
Comment on attachment 9018379 [details] Bug 1500011 - Use CheckedInt more in CalculateBufferSizeForImage, [Beta/Release Uplift Approval Request] Feature/Bug causing the regression: None User impact if declined: potential parent process memory error with content process code execution. Is this code covered by automated tests?: Yes Has the fix been verified in Nightly?: Yes Needs manual test from QE?: No If yes, steps to reproduce: List of other uplifts needed: None Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): Minor obviously-correct changes to small function String changes made/needed: None [ESR Uplift Approval Request] If this is not a sec:{high,crit} bug, please state case for ESR consideration: Low impact User impact if declined: potential parent process memory error with content process code execution. Fix Landed on Version: Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): Minor obviously-correct changes to small function String or UUID changes made by this patch: None
Flags: needinfo?(nika)
Attachment #9018379 - Flags: approval-mozilla-esr60?
Attachment #9018379 - Flags: approval-mozilla-beta?
I think this is sec-low btw.
Comment on attachment 9018379 [details] Bug 1500011 - Use CheckedInt more in CalculateBufferSizeForImage, Fixes a minor sec issue, approved for 64.0b4. We'll revisit the ESR request later in the cycle.
Attachment #9018379 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Comment on attachment 9018379 [details] Bug 1500011 - Use CheckedInt more in CalculateBufferSizeForImage, Seems pretty low-impact, but keeps our code consistent across releases anyway and very low-risk. Approved for 60.4.0esr.
Attachment #9018379 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Flags: sec-bounty?
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main64+][adv-esr60.4+]
Alias: CVE-2018-18498
Summary: Unsafe use of CheckedInt32 #2 → Unsafe use of CheckedInt32 in nsContentUtils::CalculateBufferSizeForImage
Sadly sec-low bugs do not qualify for the bug bounty program
Flags: sec-bounty? → sec-bounty-
Component: DOM → DOM: Core & HTML
Group: core-security-release
Flags: sec-bounty-hof+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: