Closed Bug 1513201 Opened 10 months ago Closed 9 months ago

AddressSanitizer: heap-buffer-overflow [@ NS_strlen] with READ of size 2

Categories

(Core :: Widget: Win32, defect, critical)

x86_64
Windows
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 65+ fixed
firefox64 --- wontfix
firefox65 + fixed
firefox66 + fixed

People

(Reporter: decoder, Assigned: Alex_Gaynor)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main65+][adv-esr60.5+])

Attachments

(2 files)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 65.0a1-20181210095504-https://hg.mozilla.org/mozilla-central/rev/3386ff76878d83496bb822d09115c77472808b53.

For detailed crash information, see attachment.
Flags: sec-bounty?
From the stack it looks like this is reachable via IPC and might be s-s in a sandboxing context.
This looks similar to bug 1451308. :mats, it looks like you were the last person to look at that one, do you agree?
Flags: needinfo?(mats)
Yeah, this looks like it's the same issue.
Status: NEW → RESOLVED
Closed: 10 months ago
Flags: needinfo?(mats)
Resolution: --- → DUPLICATE
Duplicate of bug: 1451308
Reopening, see comment in other bug.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Duplicate of this bug: 1451308
Carrying over the security triage from the original bug.
Keywords: checkin-needed
https://hg.mozilla.org/integration/autoland/rev/47aeeaf1c35b
Assignee: nobody → agaynor
Group: core-security → layout-core-security
Keywords: checkin-needed
Attachment #9030519 - Attachment description: Bug 1513201 - handle pasted data of certain types with an odd length; r?mats → Bug 1451308 - handle pasted data of certain types with an odd length; r?mats
Flags: needinfo?(agaynor)
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/540d3ce3b9e4
Group: layout-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 10 months ago9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Please nominate this for Beta/ESR60 approval when you get a chance.
Flags: needinfo?(agaynor)
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: None

User impact if declined: Potential IPC security issue and/or full browser crash when you're pasting certain types of content (it seems particularly Chinese content).

Is this code covered by automated tests?: Unknown

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Code change is exceptionally straight forward.

String changes made/needed: 

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate, full browser crash

User impact if declined: Same as beta

Fix Landed on Version: 

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Code change is exceptionally straight forward.

String or UUID changes made by this patch:
Flags: needinfo?(agaynor)
Attachment #9030519 - Flags: approval-mozilla-esr60?
Attachment #9030519 - Flags: approval-mozilla-beta?
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats

[Triage Comment]
Fixes a security-sensitive crash, approved for 65.0b5. We'll revisit the ESR request later in the cycle.
Attachment #9030519 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats

Approved for 60.5.0esr also.
Attachment #9030519 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65+][adv-esr60.5+]
Depends on: 1533554
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.