heap-buffer-overflow in [@ command_list_set_mcid]
Categories
(Core :: Printing: Output, defect, P2)
Tracking
()
People
(Reporter: tsmith, Assigned: jfkthame)
References
(Blocks 1 open bug, Regression)
Details
(7 keywords, Whiteboard: [bugmon:bisected,confirmed] [adv-main132+r] [adv-esr128.4+r])
Attachments
(6 files)
- 509 bytes, text/html
- 16.96 KB, text/plain
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request (phab-bot: approval-mozilla-beta+)
- 48 bytes, text/x-phabricator-request (phab-bot: approval-mozilla-esr128+)
Found while fuzzing 20240907-9e5434b8ef55 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
I've seen this reported as a heap-buffer-overflow and a use-after-free.
==91017==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5150007ac388 at pc 0x785cced39f4c bp 0x7fffbcf0d510 sp 0x7fffbcf0d508
WRITE of size 8 at 0x5150007ac388 thread T0
#0 0x785cced39f4b in command_list_set_mcid /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-pdf-interchange.c:245:19
#1 0x785cced39f4b in add_child_to_mcid_array /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-pdf-interchange.c:473:5
#2 0x785cced39f4b in _cairo_pdf_interchange_begin_structure_tag /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-pdf-interchange.c:1814:6
#3 0x785cced39f4b in _cairo_pdf_interchange_tag_begin /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-pdf-interchange.c:1891:11
#4 0x785ccee78dd2 in _cairo_surface_tag /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-surface.c:3103:14
#5 0x785ccee47e94 in _cairo_recording_surface_replay_internal /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-recording-surface.c:2301:15
#6 0x785ccee49c5c in _cairo_recording_surface_replay_region /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-recording-surface.c:2598:12
#7 0x785ccee1fd7b in _paint_page /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:484:11
#8 0x785ccee1f208 in _cairo_paginated_surface_show_page /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:602:14
#9 0x785ccee78b68 in _moz_cairo_surface_show_page /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-surface.c:2583:40
#10 0x785ccfc2e4cd in mozilla::gfx::PrintTargetPDF::EndPage() /builds/worker/checkouts/gecko/gfx/thebes/PrintTargetPDF.cpp:92:3
#11 0x785ccf1abde2 in nsDeviceContext::EndPage() /builds/worker/checkouts/gecko/gfx/src/nsDeviceContext.cpp:370:5
#12 0x785cd7e6aeaf in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:185:29
#13 0x785cd7e6aa2c in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:158:17
#14 0x785cd7e6a738 in mozilla::layout::RemotePrintJobParent::RecvProcessPage(int const&, int const&, nsTArray<unsigned long>&&) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:132:5
#15 0x785cd73cf6b2 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:387:52
#16 0x785cd630e5e1 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6391:32
#17 0x785cce511505 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1785:25
#18 0x785cce50d73f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1712:9
#19 0x785cce50e661 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1503:3
#20 0x785cce50fbb3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1603:14
#21 0x785cccf6c8ba in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#22 0x785cccf58b7e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#23 0x785cccf56398 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#24 0x785cccf569b6 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#25 0x785cccf73b91 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#26 0x785cccf73b91 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#27 0x785cccf9407f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#28 0x785cccf9edd8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#29 0x785cce5194ae in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#30 0x785cce3fe9c4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#31 0x785cce3fe9c4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#32 0x785cce3fe9c4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#33 0x785cd6e8b6b9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#34 0x785cd7024cea in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#35 0x785cd8a4fe38 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#36 0x785cd8c71daa in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5806:22
#37 0x785cd8c73611 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6031:8
#38 0x785cd8c74743 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6103:21
#39 0x5fdfabf10dfc in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:233:22
#40 0x5fdfabf10dfc in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:470:16
#41 0x785cece29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#42 0x785cece29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#43 0x5fdfabe38888 in _start (/home/user/workspace/browsers/m-c-20240909092518-fuzzing-asan-opt/firefox+0xd6888) (BuildId: 191004ffaa762376ec38b913f530725b596c404b)
0x5150007ac388 is located 8 bytes after 512-byte region [0x5150007ac180,0x5150007ac380)
allocated by thread T0 here:
#0 0x5fdfabed163c in realloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:82:3
#1 0x785ccedc94d1 in _cairo_realloc_ab /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-malloc-private.h:117:12
#2 0x785ccedc94d1 in _cairo_array_grow_by /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-array.c:115:20
#3 0x785ccedc94d1 in _cairo_array_allocate /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-array.c:319:14
#4 0x785cced3c226 in command_list_add /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-pdf-interchange.c:137:11
#5 0x785cced3c226 in _cairo_pdf_interchange_add_content /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-pdf-interchange.c:2244:11
#6 0x785cced534d4 in _cairo_pdf_surface_show_text_glyphs /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:9187:14
#7 0x785ccedd9d7b in _cairo_analysis_surface_show_glyphs /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-analysis-surface.c:724:6
#8 0x785ccee72c68 in _cairo_surface_show_text_glyphs /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-surface.c
#9 0x785cced7fdfd in _cairo_surface_wrapper_show_text_glyphs /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-surface-wrapper.c:502:14
#10 0x785ccee4803a in _cairo_recording_surface_replay_internal /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-recording-surface.c:2280:15
#11 0x785ccee49c03 in _cairo_recording_surface_replay_and_create_regions /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-recording-surface.c:2575:12
#12 0x785ccee1fa18 in _paint_page /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:431:14
#13 0x785ccee1f208 in _cairo_paginated_surface_show_page /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:602:14
#14 0x785ccee78b68 in _moz_cairo_surface_show_page /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-surface.c:2583:40
#15 0x785ccfc2e4cd in mozilla::gfx::PrintTargetPDF::EndPage() /builds/worker/checkouts/gecko/gfx/thebes/PrintTargetPDF.cpp:92:3
#16 0x785ccf1abde2 in nsDeviceContext::EndPage() /builds/worker/checkouts/gecko/gfx/src/nsDeviceContext.cpp:370:5
#17 0x785cd7e6aeaf in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:185:29
#18 0x785cd7e6aa2c in mozilla::layout::RemotePrintJobParent::FinishProcessingPage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface>>*) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:158:17
#19 0x785cd7e6a738 in mozilla::layout::RemotePrintJobParent::RecvProcessPage(int const&, int const&, nsTArray<unsigned long>&&) /builds/worker/checkouts/gecko/layout/printing/ipc/RemotePrintJobParent.cpp:132:5
#20 0x785cd73cf6b2 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:387:52
#21 0x785cd630e5e1 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6391:32
#22 0x785cce511505 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1785:25
#23 0x785cce50d73f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1712:9
#24 0x785cce50e661 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1503:3
#25 0x785cce50fbb3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1603:14
#26 0x785cccf6c8ba in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#27 0x785cccf58b7e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#28 0x785cccf56398 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#29 0x785cccf569b6 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#30 0x785cccf73b91 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#31 0x785cccf73b91 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#32 0x785cccf9407f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#33 0x785cccf9edd8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/gfx/cairo/cairo/src/cairo-pdf-interchange.c:245:19 in command_list_set_mcid
Comment 2•8 months ago
Verified bug as reproducible on mozilla-central 20240910031107-067bb0e74904.
The bug appears to have been introduced in the following build range:
Start: 641e15621e7bd2e0e8a2fab82d2b9838e386c3c4 (20240507162154)
End: 0db7d7f15582ee49153f5aae160d6e67ffb25a93 (20240507131316)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=641e15621e7bd2e0e8a2fab82d2b9838e386c3c4&tochange=0db7d7f15582ee49153f5aae160d6e67ffb25a93
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Comment 3•8 months ago
Sounds bad if printing causes UAFs or buffer overflows in the parent process.
Comment 4•8 months ago (Reporter)
A Pernosco session is available here: https://pernos.co/debug/Kj4Z0Wjgp9t0LeIkd3VCFg/index.html
Comment 5•8 months ago
I'm guessing that bug 1729276 was the culprit given the regression range.
Comment 6•8 months ago
:dholbert, since you are the author of the regressor, bug 1729276, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 7•8 months ago
Yeah, printing requires user interaction (unless you use very specific prefs), not sure if that changes the sec-high rating?
Jonathan is also familiar with this code IIRC.
Comment 8•8 months ago
(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #6)
> :dholbert, since you are the author of the regressor, bug 1729276
(This regressor was just a pref-flip, FWIW. I could take a look at some point, but jfkthame is more familiar with the cairo internals in this area, so I'm hoping he can take a look.)
Comment 9•8 months ago (Assignee)
This looks like an internal cairo bug that we'll probably want Adrian to look at. The most helpful thing here may be to try and identify exactly what we're doing with the cairo api to trigger it.
Comment 10•8 months ago (Assignee)
This seems to be related to the link (generated from <msqrt id="c" href="x"> in the source) being inside a group (probably triggered by the use of offset), but then it ends up trying to use a command id from inside the group with the command list from outside, and it's out of range there. But my grasp of all the cairo_pdf_interchange stuff is pretty minimal.
I'll see if I can reproduce with a standalone example, for easier debugging. Also cc'ing Adrian, as I think we'll need his eyes on this.
Comment 11•8 months ago
I'll move it to sec-moderate, but it still seems on the more bad end of that if this can cause a buffer overflow in the parent process.
Comment 12•8 months ago
(In reply to Jonathan Kew [:jfkthame] from comment #10)
> I'll see if I can reproduce with a standalone example, for easier debugging.
--> toggling ni as a reminder -- hoping you and/or Adrian can take this one.
Comment 13•8 months ago
Set release status flags based on info from the regressing bug 1729276
Comment 14•8 months ago (Assignee)
It turns out that the crash here is triggered by DrawTargetCairo::Destination failing to properly escape a lone backslash at the end of the destination string. (A lone backslash earlier in the string would be mishandled, but probably harmless; but at the end of the string, it in effect escapes the closing quote of the name attribute, which makes parse_attributes in cairo_tag_attributes.c fail and return an error status.)
The fix is trivial on the gecko side: we just need to make DrawTargetCairo::Destination escape the string properly, as DrawTargetCairo::Link already does (see also bug 1748077).
I'm inclined to think it's also a bug in the cairo-pdf backend that such an error can result in such an out-of-bounds access, rather than either (a) just dropping the destination tag that has invalid attributes, or (b) setting an error status such that subsequent cairo API calls just bail out safely. Having narrowed down the cause on our side, we may be able to demonstrate this with a simplified testcase and get it addressed upstream.
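The escaping failure described in comment 14, as an added example that is not Gecko's or cairo's code: `build_dest_attr`, `parse_name_attr` and `roundtrip` are hypothetical names, and the parser is a simplified model of a single-quoted attribute value with backslash escapes, not cairo's `parse_attributes`. It shows a trailing backslash swallowing the closing quote, a mid-string backslash being silently dropped, and both cases surviving once the value is escaped.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: build  name='<dest>'  for a tag attribute string.
 * escape == 0 copies dest verbatim (the defect described above);
 * escape != 0 puts a backslash before every backslash and single quote.
 * Returns 0 on success, -1 if out is too small. */
static int build_dest_attr(const char *dest, int escape, char *out, size_t cap)
{
    static const char prefix[] = "name='";
    size_t n = sizeof prefix - 1;
    if (cap < n + 2) return -1;              /* prefix + closing quote + NUL */
    memcpy(out, prefix, n);
    for (const char *p = dest; *p; p++) {
        if (n + 4 > cap) return -1;          /* escape + char + quote + NUL */
        if (escape && (*p == '\\' || *p == '\''))
            out[n++] = '\\';
        out[n++] = *p;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return 0;
}

/* Simplified model of the consumer: decode  name='...'  where a backslash
 * makes the next character literal. Returns 0 and fills val, or -1 when the
 * input ends before an unescaped closing quote is seen. */
static int parse_name_attr(const char *attr, char *val, size_t cap)
{
    size_t n = 0;
    if (strncmp(attr, "name='", 6) != 0) return -1;
    const char *p = attr + 6;
    while (*p && *p != '\'') {
        if (*p == '\\' && *++p == '\0') return -1;   /* dangling backslash */
        if (n + 1 >= cap) return -1;
        val[n++] = *p++;
    }
    if (*p != '\'') return -1;               /* closing quote was consumed */
    val[n] = '\0';
    return 0;
}

/* Build, then parse; returns the parser's status, decoded value in val. */
static int roundtrip(const char *dest, int escape, char *val, size_t cap)
{
    char attr[128];
    if (build_dest_attr(dest, escape, attr, sizeof attr) != 0) return -1;
    return parse_name_attr(attr, val, cap);
}

int main(void)
{
    const char *samples[] = { "c", "a\\b", "c\\" };  /* constructed inputs */
    char val[64];
    for (size_t i = 0; i < 3; i++)
        for (int esc = 0; esc <= 1; esc++) {
            int rc = roundtrip(samples[i], esc, val, sizeof val);
            printf("dest=%-4s escape=%d -> %s %s\n", samples[i], esc,
                   rc ? "PARSE ERROR" : "ok", rc ? "" : val);
        }
    return 0;
}
```

A caller that receives the error status should drop the tag or latch the error, which are the two safe outcomes comment 14 lists.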
Comment 18•8 months ago
https://hg.mozilla.org/mozilla-central/rev/81e1448e05be
https://hg.mozilla.org/mozilla-central/rev/3cfe3a3a5f77
Comment 19•8 months ago
Verified bug as fixed on rev mozilla-central 20241004040820-642e4a52a714.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 20•8 months ago
The patch landed in nightly and beta is affected.
:jfkthame, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox132 to wontfix.
For more information, please visit BugBot documentation.
Comment 21•8 months ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D224319
Comment 22•8 months ago
beta Uplift Approval Request
- User impact if declined: Out-of-bounds array access leading to crash during print-to-PDF
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: low
- Explanation of risk level: simple correction to string-escaping before calling cairo API
- String changes made/needed: none
- Is Android affected?: yes
Comment 23•8 months ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D224319
Comment 24•8 months ago
esr128 Uplift Approval Request
- User impact if declined: Out-of-bounds array access leading to crash during print-to-PDF
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: low
- Explanation of risk level: simple correction to string-escaping before calling cairo API
- String changes made/needed: none
- Is Android affected?: yes
Comment 25•8 months ago
uplift
Comment 26•8 months ago
uplift