Closed Bug 1561235 Opened 1 year ago Closed 1 year ago

Crash in [@ GeometrySetFillModeToWinding]


(Core :: Graphics: Text, defect)

69 Branch
Not set



Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 + fixed


(Reporter: jcristau, Assigned: jrmuizel)


(5 keywords, Whiteboard: [post-critsmash-triage])



(1 file)

This bug is for crash report bp-4524205a-8968-4da0-8862-f87930190624.

Top 10 frames of crashing thread:

0 dwrite.dll GeometrySetFillModeToWinding 
1 dwrite.dll RenderOutlines<0> 
2 dwrite.dll ComputeGlyphRunOutline 
3 dwrite.dll DWriteFontFace::GetGlyphRunOutline 
4 xul.dll void mozilla::gfx::ScaledFontDWrite::CopyGlyphsToSink gfx/2d/ScaledFontDWrite.cpp:261
5 xul.dll struct already_AddRefed<mozilla::gfx::Path> mozilla::gfx::ScaledFontDWrite::GetPathForGlyphs gfx/2d/ScaledFontDWrite.cpp:162
6 xul.dll mozilla::gfx::DrawTarget::StrokeGlyphs gfx/2d/DrawTarget.cpp:197
7 xul.dll void GlyphBufferAzure::DrawStroke gfx/thebes/gfxFont.cpp
8 xul.dll void GlyphBufferAzure::FlushGlyphs gfx/thebes/gfxFont.cpp:1684
9 xul.dll gfxFont::Draw gfx/thebes/gfxFont.cpp:2272

UAF crashes on Windows starting with the 20190623094201 nightly build.

Possibly from bug 1539702?

Flags: needinfo?(jmuizelaar)

Yeah, bug 1539702 being the cause is believable.

Assignee: nobody → jmuizelaar
Flags: needinfo?(jmuizelaar)

I roughly understand the cause of this.

Bug 1562278 will prevent us from hitting the problem but the problem of a bad cast is still there. I'll fix that here.

The draw target might give us a different type.
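To make the fix concrete, here is an added C++ example (not Gecko code; the BackendType, DrawTarget and PathBuilder classes below are hypothetical stand-ins for the real ones) contrasting a downcast keyed off the DrawTarget's type with one keyed off the PathBuilder actually being cast, as the patch title describes:

```cpp
#include <memory>
enum class BackendType { DIRECT2D, SKIA };  // hypothetical, not Gecko's enum
struct PathBuilder {
  virtual ~PathBuilder() = default;
  virtual BackendType GetBackendType() const = 0;
};
struct PathBuilderD2D : PathBuilder {
  BackendType GetBackendType() const override { return BackendType::DIRECT2D; }
  int glyphsCopied = 0;  // stands in for Direct2D-only geometry-sink state
};
struct PathBuilderSkia : PathBuilder {
  BackendType GetBackendType() const override { return BackendType::SKIA; }
};
struct DrawTarget {
  virtual ~DrawTarget() = default;
  virtual BackendType GetBackendType() const = 0;
  virtual std::unique_ptr<PathBuilder> CreatePathBuilder() const = 0;
};
struct D2DDrawTarget : DrawTarget {
  BackendType GetBackendType() const override { return BackendType::DIRECT2D; }
  std::unique_ptr<PathBuilder> CreatePathBuilder() const override {
    return std::make_unique<PathBuilderD2D>();
  }
};
// Reports DIRECT2D yet hands out another backend's builder (the mismatch above).
struct MismatchedDrawTarget : DrawTarget {
  BackendType GetBackendType() const override { return BackendType::DIRECT2D; }
  std::unique_ptr<PathBuilder> CreatePathBuilder() const override {
    return std::make_unique<PathBuilderSkia>();
  }
};
// Before the fix the downcast was keyed off the DrawTarget's backend. This only
// reports whether the cast would happen; for MismatchedDrawTarget it would be a
// type confusion, so the cast itself is deliberately not performed here.
bool WouldCastByDrawTarget(const DrawTarget& dt) {
  return dt.GetBackendType() == BackendType::DIRECT2D;
}
// After the fix: check the tag of the object being cast; nullptr if not D2D.
PathBuilderD2D* AsD2DBuilder(PathBuilder& pb) {
  if (pb.GetBackendType() != BackendType::DIRECT2D) return nullptr;
  return static_cast<PathBuilderD2D*>(&pb);
}
// Models CopyGlyphsToSink: glyphs written to the D2D sink, or 0 on fallback.
int CopyGlyphsToSink(const DrawTarget& dt, int glyphCount) {
  auto builder = dt.CreatePathBuilder();
  PathBuilderD2D* d2d = AsD2DBuilder(*builder);
  if (!d2d) return 0;  // other backend: no cast; caller takes the generic path
  d2d->glyphsCopied += glyphCount;
  return d2d->glyphsCopied;
}
```

With the mismatched target the old check would still have cast, while the builder-based check refuses and the glyph copy falls back without touching Direct2D-specific state.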

Comment on attachment 9075799 [details]
Bug 1561235. Check the type of the PathBuilder instead of the DrawTarget.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not too easily. The easy path was fixed by bug 1562278, which was caused by a bug that hasn't ridden to release yet. It might be impossible to construct an exploit without that code path.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All of them
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Not very risky.
  • How likely is this patch to cause regressions; how much testing does it need?: Pretty unlikely. I don't think the code path was ever triggered.
Attachment #9075799 - Flags: sec-approval?

Comment on attachment 9075799 [details]
Bug 1561235. Check the type of the PathBuilder instead of the DrawTarget.

69 is still on m-c. You can just go ahead and land this without sec-approval.

Attachment #9075799 - Flags: sec-approval?
Group: gfx-core-security → core-security-release
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release