Closed Bug 1505681 Opened 3 years ago Closed 2 years ago

TabParent::RecvSetCustomCursor passes a buffer and size without length checks

Categories

(Core :: DOM: Content Processes, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1523362

People

(Reporter: pauljt, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-intoverflow, sec-high)

TabParent::RecvSetCustomCursor[1] takes aCursorData and size (aWidth, aHeight) over IPC, and doesn't validate the size before calling:

gfx::CreateDataSourceSurfaceFromData(size, aFormat,
    reinterpret_cast<const uint8_t*>(aCursorData.BeginReading()),
    aStride);

Similar to bug 1438425, this will cause the parent process to grab memory following the buffer and attempt to use it for cursor data. It's not as easy an infoleak as 1438425, since reading the cursor data is not as easy as grabbing canvas content. But there is still a risk here associated with passing invalid data.

[1] https://searchfox.org/mozilla-central/rev/6e0e603f4852b8e571e5b8ae133e772b18b6016e/dom/ipc/TabParent.cpp#1763
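The kind of length check the report says is missing, as an added example (not Firefox code, and not the fix that landed): before the IPC payload is handed to the surface constructor, the parent verifies with overflow-checked arithmetic that the buffer actually covers height rows of stride bytes. The struct, the function name and the bytesPerPixel field are assumptions for illustration; in the real handler the pixel size would come from aFormat.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical helper (added example). Dimensions arrive over IPC from
// the content process and are untrusted, so every product is checked
// in the same 32-bit type gfx sizes use rather than trusted to fit.
struct CursorDims {
  int32_t width;
  int32_t height;
  int32_t stride;         // bytes per row as claimed by the sender
  int32_t bytesPerPixel;  // assumed to be derived from aFormat, e.g. 4
};

// Returns true only if reading stride*height bytes from a buffer of
// bufferLen bytes cannot run past its end.
bool ValidateCursorBuffer(const CursorDims& d, size_t bufferLen) {
  // Non-positive dimensions are never a valid cursor image.
  if (d.width <= 0 || d.height <= 0 || d.stride <= 0 ||
      d.bytesPerPixel <= 0) {
    return false;
  }
  // Packed row length: width * bytesPerPixel, rejecting int32 overflow.
  int32_t minRowBytes;
  if (__builtin_mul_overflow(d.width, d.bytesPerPixel, &minRowBytes)) {
    return false;
  }
  // A stride shorter than one packed row would make each row's read
  // spill into the next; only the lower bound matters here.
  if (d.stride < minRowBytes) {
    return false;
  }
  // Bytes the surface will read in total: stride * height, overflow-checked.
  // An overflow here is exactly the csectype-intoverflow case: a small
  // wrapped value would pass a naive comparison against bufferLen.
  int32_t required;
  if (__builtin_mul_overflow(d.stride, d.height, &required)) {
    return false;
  }
  // The IPC buffer must cover every byte the surface will read; otherwise
  // the parent reads memory following the buffer, as the report describes.
  return static_cast<size_t>(required) <= bufferLen;
}
```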
Component: General → Layout: Images, Video, and HTML Frames
Product: Firefox Build System → Core
Neil, can you please take a look? Thanks.
Component: Layout: Images, Video, and HTML Frames → DOM: Content Processes
Flags: needinfo?(enndeakin)

Whoops

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1523362
Flags: needinfo?(enndeakin)
Group: layout-core-security