Closed
Bug 1561235
Opened 5 years ago
Closed 5 years ago
Crash in [@ GeometrySetFillModeToWinding]
Categories
(Core :: Graphics: Text, defect)
Tracking
()
RESOLVED
FIXED
mozilla69
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | + | fixed |
People
(Reporter: jcristau, Assigned: jrmuizel)
Details
(5 keywords, Whiteboard: [post-critsmash-triage])
Crash Data
Attachments
(1 file)
This bug is for crash report bp-4524205a-8968-4da0-8862-f87930190624.
Top 10 frames of crashing thread:
0 dwrite.dll GeometrySetFillModeToWinding
1 dwrite.dll RenderOutlines<0>
2 dwrite.dll ComputeGlyphRunOutline
3 dwrite.dll DWriteFontFace::GetGlyphRunOutline
4 xul.dll void mozilla::gfx::ScaledFontDWrite::CopyGlyphsToSink gfx/2d/ScaledFontDWrite.cpp:261
5 xul.dll struct already_AddRefed<mozilla::gfx::Path> mozilla::gfx::ScaledFontDWrite::GetPathForGlyphs gfx/2d/ScaledFontDWrite.cpp:162
6 xul.dll mozilla::gfx::DrawTarget::StrokeGlyphs gfx/2d/DrawTarget.cpp:197
7 xul.dll void GlyphBufferAzure::DrawStroke gfx/thebes/gfxFont.cpp
8 xul.dll void GlyphBufferAzure::FlushGlyphs gfx/thebes/gfxFont.cpp:1684
9 xul.dll gfxFont::Draw gfx/thebes/gfxFont.cpp:2272
UAF crashes on windows starting with the 20190623094201 nightly build.
|
||
Updated•5 years ago
|
|
Reporter | |
Updated•5 years ago
|
status-firefox67:
--- → unaffected
status-firefox68:
--- → unaffected
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → unaffected
|
Assignee | |
Comment 2•5 years ago
|
||
Yeah, bug 1539702 being the cause is believable.
Assignee: nobody → jmuizelaar
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 3•5 years ago
|
||
I roughly understand the cause of this.
|
|
Assignee | |
Comment 4•5 years ago
|
||
Bug 1562278 will prevent us from hitting the problem but the problem of a bad cast is still there. I'll fix that here.
|
||
Updated•5 years ago
|
tracking-firefox69:
--- → +
|
|
Assignee | |
Comment 5•5 years ago
|
||
The draw target might give us a different type.
|
|
Assignee | |
Comment 6•5 years ago
|
||
Comment on attachment 9075799 [details]
Bug 1561235. Check the type of the PathBuilder instead of the DrawTarget.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not too easily. The easy path was fixed by bug 1562278 which caused by a bug that hasn't ridden to release yet. It might be impossible to construct an exploit without that code path.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All of them
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Not very risky.
- How likely is this patch to cause regressions; how much testing does it need?: Pretty unlikely. I don't think the code path was ever triggered.
Attachment #9075799 -
Flags: sec-approval?
|
|
||
Comment 7•5 years ago
|
||
Comment on attachment 9075799 [details]
Bug 1561235. Check the type of the PathBuilder instead of the DrawTarget.
69 is still on m-c. You can just go ahead and land this without sec-approval.
Attachment #9075799 -
Flags: sec-approval?
|
|
||
Comment 8•5 years ago
|
||
|
||
Comment 9•5 years ago
|
||
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
|
||
Updated•5 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•