Closed Bug 1861254 Opened 2 years ago Closed 2 years ago

Integer underflow in LocaleAtomFromPath()

Categories

(Core :: Internationalization, defect)

Product:
Core
Component:
Internationalization
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
121 Branch
Tracking Flags:
Tracking Status
firefox121 --- fixed

People

(Reporter: mccr8, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1861254 - Safely bail out of LocaleAtomFromPath if passed a bad hyphenation-file path. r=#layout
48 bytes, text/x-phabricator-request
Details | Review

I looked over the code reachable from ContentParent::RecvGetHyphDict(), and it looks like LocaleAtomFromPath() has an integer underflow on this line: locale.Truncate(locale.Length() - 4);. If the string sent by the child process is shorter than 4 characters, it'll underflow into a very large value. However, I think underflow is defined for unsigned integers, so this isn't undefined behavior, and Truncate() will just crash if you pass in a value larger than the length of the string. So I'm not sure it is worth doing anything about this, unless the IPC fuzzers stumble across it.

See Also: → 1861255

I cannot see if this was hit in fuzzing because it is a MOZ_RELEASE_ASSERT which we ignore (if we hit one, we reset immediately, so there shouldn't be a big performance penalty associated). However, it might be worthwhile to confirm this isn't happening anywhere in production as it sounds like an easy parent crash and could have stability implications.

Ah, that makes sense. Yeah, a fix here would just bail earlier so it sounds like it wouldn't change anything from a fuzzing perspective.

This code was added in bug 1487212. Jonathan mind taking a look? It should be a simple fix.

Component: Layout: Text and Fonts → Internationalization
Flags: needinfo?(jfkthame)
See Also: → 1487212

This wouldn't ever arise in normal operation; to get a string shorter than 4 chars here, we'd have to have a compromised/broken content process sending the message. (Note also the MOZ_ASSERT just above. But of course that's not present in release builds. So we should add a check-and-bail-out to be on the safe side.)

The IPC fuzzer presumably has (debug) asserts enabled? In that case a too-short string would trigger the earlier MOZ_ASSERT, before reaching the underflow-affected Truncate().

Flags: needinfo?(jfkthame)

(In reply to Jonathan Kew [:jfkthame] from comment #4)

The IPC fuzzer presumably has (debug) asserts enabled? In that case a too-short string would trigger the earlier MOZ_ASSERT, before reaching the underflow-affected Truncate().

No, IPC Fuzzing runs without debug asserts right now (we would violate too many). We only catch diagnostic asserts.

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/41529cdc8638 Safely bail out of LocaleAtomFromPath if passed a bad hyphenation-file path. r=layout-reviewers,emilio

https://hg.mozilla.org/mozilla-central/rev/41529cdc8638

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox121: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: