Closed Bug 1505681 Opened 3 years ago Closed 2 years ago
TabParent::RecvSetCustomCursor passes a buffer and size without length checks
TabParent::RecvSetCustomCursor takes aCursorData and size (aWidth, aHeight) over IPC, and doesn't validate the size before calling:

gfx::CreateDataSourceSurfaceFromData(size, aFormat, reinterpret_cast<const uint8_t*>(aCursorData.BeginReading()), aStride);

Similar to bug 1438425, this will cause the parent process to grab memory following the buffer and attempt to use it for cursor data. It's not as easy an infoleak as 1438425, since reading the cursor data is not as easy as grabbing canvas content. But there is still a risk here associated with passing invalid data.

https://searchfox.org/mozilla-central/rev/6e0e603f4852b8e571e5b8ae133e772b18b6016e/dom/ipc/TabParent.cpp#1763
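The kind of check the report says is missing, as an added example (not Mozilla's code and not the fix that landed): a standalone validator that the receiving side could run on the IPC-supplied values before building a surface from the buffer. `CursorFormat`, `BytesPerPixel`, `kMaxCursorDimension` and `CursorDataIsValid` are hypothetical names, and the 512-pixel cap is an assumed value.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical stand-in for the accepted pixel formats; the real
// gfx::SurfaceFormat enum is not reproduced here.
enum class CursorFormat : uint8_t { B8G8R8A8 = 0, B8G8R8X8 = 1, A8 = 2 };

// Bytes per pixel, or 0 for a value we do not accept. The format also
// arrives over IPC, so it is treated as untrusted.
static size_t BytesPerPixel(uint8_t rawFormat) {
  switch (static_cast<CursorFormat>(rawFormat)) {
    case CursorFormat::B8G8R8A8:
    case CursorFormat::B8G8R8X8:
      return 4;
    case CursorFormat::A8:
      return 1;
  }
  return 0;
}

// Assumed upper bound on cursor dimensions (not a value from the bug).
constexpr uint32_t kMaxCursorDimension = 512;

// True only if height rows of `stride` bytes, each holding at least
// width * bpp bytes of pixels, fit inside a buffer of dataLength bytes.
bool CursorDataIsValid(size_t dataLength, uint32_t width, uint32_t height,
                       uint32_t stride, uint8_t rawFormat) {
  const size_t bpp = BytesPerPixel(rawFormat);
  if (bpp == 0) return false;
  if (width == 0 || height == 0) return false;
  if (width > kMaxCursorDimension || height > kMaxCursorDimension) return false;

  // 64-bit arithmetic: with the caps above neither product can wrap.
  const uint64_t minStride = static_cast<uint64_t>(width) * bpp;
  if (stride < minStride) return false;

  // Conservative: require a full stride for every row, including the last.
  const uint64_t required = static_cast<uint64_t>(height) * stride;
  return required <= dataLength;
}
```

A receiver that gets `false` here should reject the message rather than clamp the values, since a mismatch between the claimed size and the buffer length means the sender is buggy or compromised.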
3 years ago
Component: General → Layout: Images, Video, and HTML Frames
Product: Firefox Build System → Core
Neil, can you please take a look? Thanks.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1523362