Closed Bug 368675 Opened 18 years ago Closed 17 years ago

integer overflows in nsSVGFilterFrame::FilterPaint

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: guninski, Assigned: tor)

Details

(Whiteboard: [sg:critical] post-1.8-branch)

Attachments

(3 files, 1 obsolete file)

dafilter.xml
415 bytes, application/xml
Details
suggested changes plus more memory allocation checking
4.71 KB, patch
dveditz
: review+
roc
: superreview+
Details | Diff | Splinter Review
checkin version - update to tip
4.67 KB, patch
Details | Diff | Splinter Review
Attached file dafilter.xml 
integer overflows in nsSVGFilterFrame::FilterPaint 
nsSVGFilterFrame::FilterPaint does some computations with |width|
|height| |s1| |s2| and |stride| - some of them may overflow.

testcase to follow.

nsSVGFilterFrame.cpp
  
  PRInt32 filterResX = PRInt32(s1 * width + 0.5);
  PRInt32 filterResY = PRInt32(s2 * height + 0.5);

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1225795008 (LWP 4910)]
0xb5039767 in nsSVGFilterFrame::FilterPaint (this=0x8a76a60, 
    aContext=0xbfe58ccc, aTarget=0x8a76bf0)
(gdb) li
397         for (PRUint32 yy=0; yy<filterResY; yy++)
398           for (PRUint32 xx=0; xx<filterResX; xx++) {
399             alphaData[stride*yy + 4*xx]     = 0;
400             alphaData[stride*yy + 4*xx + 1] = 0;
401             alphaData[stride*yy + 4*xx + 2] = 0;
402             alphaData[stride*yy + 4*xx + 3] = data[stride*yy + 4*xx + 3];
403         }
(gdb) p filterResX
$1 = 33333
(gdb) p filterResY
$2 = 33333
(gdb) x/i $eip
0xb5039767 <_ZN16nsSVGFilterFrame11FilterPaintEP16nsSVGRenderStateP16nsISVGChildFrame+2889>:    movzbl (%eax),%eax
(gdb) p/x $eax
$3 = 0xb2323003
(gdb) x/4x $eax
0xb2323003:     Cannot access memory at address 0xb2323003
(gdb) p stride
$4 = 133332
Component: General → GFX: Thebes
Product: Firefox → Core
QA Contact: general → thebes
Version: unspecified → Trunk
Roc: if not you please find someone to own this bug.
Assignee: nobody → roc
Flags: blocking1.9?
Whiteboard: [sg:critical] post-1.8
Sorry, blame says tor.
Assignee: roc → tor
according to coverity CID: 1083 from run 176:
Description: Dereferencing freed pointer "surface" in call to function "_moz_cairo_image_surface_get_data"

in this method may be use after free. the basic codepath is:
378  	  cairo_surface_destroy(surface);
...
400  	    PRUint8 *data = cairo_image_surface_get_data(surface);

        Attachment #256110 -
        Flags: review?(dveditz)

    
    

    
  
dan/pav/roc, can you review?

    
    

    
  
Comment on attachment 256110 [details] [diff] [review]
decrease filter resolution when needed

I wonder if 2K is big enough -- my screen at work is 1920x1200, and the driver in my laptop supports higher. But solves the problem: r=dveditz

        Attachment #256110 -
        Flags: review?(dveditz) → review+

    
    

    
  
Comment on attachment 256110 [details] [diff] [review]
decrease filter resolution when needed

Donations of a larger monitor (currently working with 1400x1050 and 1280x1024) cheerfully accepted.

Seriously, a number of the filter are fairly slow, so this is in part a denial of service prevention.  However it would still be pretty easy for content to request a filter that would take an unreasonable amount of time to compute.

        Attachment #256110 -
        Flags: superreview?(roc)

    
    

    
  
(In reply to comment #3)
> according to coverity CID: 1083 from run 176:
> Description: Dereferencing freed pointer "surface" in call to function
> "_moz_cairo_image_surface_get_data"

Run 176 was Jan 16, I guess they don't scan the codebase all that often. That
code was removed with revision 1.27 on Jan 22 (and isn't related to the integer
overflow in this bug in any case).

    
    

    
  
Comment on attachment 256110 [details] [diff] [review]
decrease filter resolution when needed

I would make the limit bigger, say 16384 (which is near the maximum it could be). I can easily imagine people want to render things that are bigger than the screen size.

Also, use PRUint32() constructor-style casts instead of those NS_STATIC_CAST casts.

        Attachment #256110 -
        Flags: superreview?(roc) → superreview+

    
    

    
  


  

        Attachment #256110 -
        Attachment is obsolete: true

        Attachment #258002 -
        Flags: superreview?(roc)

        Attachment #258002 -
        Flags: review?(dveditz)

        Attachment #258002 -
        Flags: superreview?(roc) → superreview+

    
  
Whiteboard: [sg:critical] post-1.8 → [sg:critical] post-1.8-branch

    
  
Component: GFX: Thebes → SVG
QA Contact: thebes → ian

    
  
Flags: blocking1.9? → blocking1.9+

    
    

    
  
Comment on attachment 258002 [details] [diff] [review]
suggested changes plus more memory allocation checking

r=dveditz

        Attachment #258002 -
        Flags: review?(dveditz) → review+

    
    

    
  


  

    
    

    
  
Checked in.

Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Group: security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: