Closed
Bug 351296
Opened 18 years ago
Closed 18 years ago
int overflow in nsCanvasRenderingContext2D::GetImageData
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: vlad)
References
Details
(Keywords: crash, fixed1.8.1, Whiteboard: [sg:critical] post FF1.5)
Attachments
(2 files, 2 obsolete files)
403 bytes,
text/html
|
Details | |
5.11 KB,
patch
|
Biesinger
:
review+
pavlov
:
superreview+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
int overflow in nsCanvasRenderingContext2D::GetImageData there is int overflow in nsCanvasRenderingContext2D::GetImageData --------- if (w <= 0 || h <= 0 || x + w > mWidth || y + h > mHeight) return NS_ERROR_DOM_SYNTAX_ERR; --------- with luser controlled w,h,x,y the above checks are close to useless. later: allocatedSurfaceData = new PRUint8[w * h * 4]; .... nsAutoArrayPtr<jsval> jsvector(new jsval[w * h * 4]); gdb session: Breakpoint 1, nsCanvasRenderingContext2D::GetImageData (this=0x8dab428) at /opt/joro/firefox/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:2846 2846 allocatedSurfaceData = new PRUint8[w * h * 4]; (gdb) p w $1 = 536870915 (gdb) p h $2 = 536870915 (gdb) p w*h*4 $3 = 36 (gdb) p x $4 = -536870914 (gdb) p y $5 = -536870914 (gdb) cont Continuing. [Thread -1303647312 (LWP 15247) exited] Program received signal SIGSEGV, Segmentation fault. 0xb7edb833 in pixman_fill_rect_32bpp (dst=0x8da8c78, xDst=0, yDst=0, width=3, height=1, pixel=0xbfa6a154) at /opt/joro/firefox/mozilla/gfx/cairo/libpixman/src/icrect.c:143 143 *(uint32_t *)data = int_pixel; Current language: auto; currently c (gdb) x/4x data 0x88da8c34: Cannot access memory at address 0x88da8c34
Reporter | ||
Updated•18 years ago
|
Product: Firefox → Core
Reporter | ||
Updated•18 years ago
|
Component: Security → Layout: Canvas
Reporter | ||
Comment 1•18 years ago
|
||
Assignee | ||
Comment 2•18 years ago
|
||
Nominating for 1.8; I'll have a safe patch for this tonight.
Flags: blocking1.8.1?
Updated•18 years ago
|
Flags: blocking1.8.1? → blocking1.8.1+
Assignee | ||
Comment 3•18 years ago
|
||
Fix the overflows. We start by validating mWidth/mHeight (dimensions of the canvas itself), which also fixes bug 348351, and then we make sure that any passed-in x/y/w/h are >= 0, and that (x+w) and (y+h) are <= mWidth/mHeight.
Assignee | ||
Comment 4•18 years ago
|
||
This fixes 351295 as well.
Comment 5•18 years ago
|
||
Comment on attachment 237529 [details] [diff] [review] fix image-related overflows in canvas + if (x + w > mWidth || y + h > mHeight) what if x+w overflows the signed integer, becoming negative?
Assignee | ||
Comment 6•18 years ago
|
||
Ugh, yes; I really should just keep those in unsigned ints instead of signed. New patch inc soon.
Assignee | ||
Comment 7•18 years ago
|
||
How about something like this?
Attachment #237529 -
Attachment is obsolete: true
Attachment #237643 -
Flags: superreview?(pavlov)
Attachment #237643 -
Flags: review?(cbiesinger)
Attachment #237529 -
Flags: review?(pavlov)
Assignee | ||
Comment 8•18 years ago
|
||
Attached the right file this time.
Attachment #237643 -
Attachment is obsolete: true
Attachment #237645 -
Flags: superreview?(pavlov)
Attachment #237645 -
Flags: review?(cbiesinger)
Attachment #237643 -
Flags: superreview?(pavlov)
Attachment #237643 -
Flags: review?(cbiesinger)
Comment 9•18 years ago
|
||
Comment on attachment 237645 [details] [diff] [review] canvas overflow fix (right file this time) +CheckSaneSubrectSize (PRInt32 x, PRInt32 y, PRInt32 w, PRInt32 h, PRInt32 realWidth, PRInt32 realHeight) 80 column lines please also, I'd have made this a member function instead, to avoid having to pass mWidth/mHeight, but this works too
Attachment #237645 -
Flags: review?(cbiesinger) → review+
Updated•18 years ago
|
Flags: blocking1.8.0.8?
Whiteboard: [sg:critical]
Assignee | ||
Comment 11•18 years ago
|
||
Checked in to trunk
Updated•18 years ago
|
Attachment #237645 -
Flags: superreview?(pavlov) → superreview+
Comment 12•18 years ago
|
||
If this code is on 1.8.1 please nom
Assignee | ||
Comment 13•18 years ago
|
||
Comment on attachment 237645 [details] [diff] [review] canvas overflow fix (right file this time) It is, it's already blocking. Wanted to get a nightly out tomorrow to make sure things are fixed, then land on 1.8.1.
Attachment #237645 -
Flags: approval1.8.1?
Comment 14•18 years ago
|
||
Comment on attachment 237645 [details] [diff] [review] canvas overflow fix (right file this time) a=schrep for 18drivers for topcrash fix. Thanks vlad!
Attachment #237645 -
Flags: approval1.8.1? → approval1.8.1+
Assignee | ||
Comment 15•18 years ago
|
||
Checked in to 1.8.1 (and trunk)
Assignee | ||
Comment 17•18 years ago
|
||
No, it's fixed, there was some update confusion when I tested with a trunk nightly. Can someone other than me check this bug and the two dependent bugs' testcases here and verify all 3? Should be no crashes, and some errors to error console.
Status: REOPENED → RESOLVED
Closed: 18 years ago → 18 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 18•18 years ago
|
||
(In reply to comment #17) > Can someone other than me check this bug and the two dependent bugs' > testcases here and verify all 3? Should be no crashes, and some errors to > error console. > on linux the bugs about getimagedata and putimagedata don't crash and give the expected errors in the console. setdimensions bug causes exit due to X problem, but it did the same way before. CC bclary to check on more platforms.
Updated•18 years ago
|
Flags: blocking1.8.0.8-
Whiteboard: [sg:critical] → [sg:critical] post FF1.5
Updated•17 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•