Bug 1505681 - TabParent::RecvSetCustomCursor passes a buffer and size without length checks
Status: Closed, RESOLVED DUPLICATE of bug 1523362
Opened 6 years ago, closed 6 years ago
Product / Component: Core :: DOM: Content Processes (defect)
Reporter: pauljt; Assignee: Unassigned
Keywords: csectype-intoverflow, sec-high
TabParent::RecvSetCustomCursor[1] takes aCursorData and size (aWidth, aHeight) over IPC, and doesn't validate the size before calling:
gfx::CreateDataSourceSurfaceFromData(size, aFormat,
    reinterpret_cast<const uint8_t*>(aCursorData.BeginReading()),
    aStride);
Similar to bug 1438425, this will cause the parent process to grab memory following the buffer and attempt to use it for cursor data. It's not as easy an infoleak as 1438425, since reading the cursor data is not as easy as grabbing canvas content. But there is still a risk here associated with passing invalid data.
[1] https://searchfox.org/mozilla-central/rev/6e0e603f4852b8e571e5b8ae133e772b18b6016e/dom/ipc/TabParent.cpp#1763
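The check the description says is missing, as an added stand-alone example (not code from the bug or from Firefox): before the buffer reaches the surface constructor, the parent verifies that the child-supplied width, height and stride cannot read past the bytes it actually received. The helper names CursorDataFitsBuffer and RecvSetCustomCursorChecked are hypothetical, and 4 bytes per pixel is assumed.

```cpp
#include <cstdint>
#include <cstddef>
#include <limits>
#include <string>

// Hypothetical validation helper (added example, not Firefox code).
// Mirrors the inputs RecvSetCustomCursor gets over IPC: a byte buffer plus
// width/height/stride chosen by the (untrusted) child process. Returns true
// only if the buffer provably covers every row the surface reader will touch.
bool CursorDataFitsBuffer(uint32_t aWidth, uint32_t aHeight,
                          uint32_t aStride, size_t aBufferLen,
                          uint32_t aBytesPerPixel = 4) {
  // Degenerate dimensions are rejected outright.
  if (aWidth == 0 || aHeight == 0 || aStride == 0) return false;

  // A row must hold aWidth pixels. Multiply in 64 bits so width * bpp cannot
  // wrap to a small value (the csectype-intoverflow case); two uint32 operands
  // can never overflow a uint64 product.
  uint64_t rowBytes = uint64_t(aWidth) * aBytesPerPixel;
  if (rowBytes > aStride) return false;

  // Bytes actually read: (height - 1) full strides plus one final row.
  uint64_t needed = uint64_t(aHeight - 1) * aStride + rowBytes;
  if (needed > std::numeric_limits<size_t>::max()) return false;

  return needed <= aBufferLen;
}

// Simulated handler (hypothetical): the unchecked version hands the buffer
// straight to CreateDataSourceSurfaceFromData; this one refuses first. In
// real IPDL code the failure path would be IPC_FAIL, terminating the child.
bool RecvSetCustomCursorChecked(const std::string& aCursorData,
                                uint32_t aWidth, uint32_t aHeight,
                                uint32_t aStride) {
  if (!CursorDataFitsBuffer(aWidth, aHeight, aStride, aCursorData.size())) {
    return false;
  }
  // ... safe to build the surface from aCursorData here ...
  return true;
}
```

The width 0x40000000 case in the test is the overflow the keyword refers to: in 32-bit arithmetic 0x40000000 * 4 wraps to 0 and would pass a naive check.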
Reporter updated 6 years ago:
Component: General → Layout: Images, Video, and HTML Frames
Product: Firefox Build System → Core
Comment 1 (6 years ago):
Neil, can you please take a look? Thanks.
Component: Layout: Images, Video, and HTML Frames → DOM: Content Processes
Flags: needinfo?(enndeakin)
Keywords: csectype-intoverflow, sec-high
Updated 6 years ago:
Flags: needinfo?(enndeakin)
Updated 5 years ago:
Group: layout-core-security