Closed
Bug 368675
Opened 18 years ago
Closed 17 years ago
integer overflows in nsSVGFilterFrame::FilterPaint
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: tor)
Details
(Whiteboard: [sg:critical] post-1.8-branch)
Attachments
(3 files, 1 obsolete file)
415 bytes,
application/xml
|
Details | |
4.71 KB,
patch
|
dveditz
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
4.67 KB,
patch
|
Details | Diff | Splinter Review |
integer overflows in nsSVGFilterFrame::FilterPaint nsSVGFilterFrame::FilterPaint does some computations with |width| |height| |s1| |s2| and |stride| - some of them may overflow. testcase to follow. nsSVGFilterFrame.cpp PRInt32 filterResX = PRInt32(s1 * width + 0.5); PRInt32 filterResY = PRInt32(s2 * height + 0.5); Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1225795008 (LWP 4910)] 0xb5039767 in nsSVGFilterFrame::FilterPaint (this=0x8a76a60, aContext=0xbfe58ccc, aTarget=0x8a76bf0) (gdb) li 397 for (PRUint32 yy=0; yy<filterResY; yy++) 398 for (PRUint32 xx=0; xx<filterResX; xx++) { 399 alphaData[stride*yy + 4*xx] = 0; 400 alphaData[stride*yy + 4*xx + 1] = 0; 401 alphaData[stride*yy + 4*xx + 2] = 0; 402 alphaData[stride*yy + 4*xx + 3] = data[stride*yy + 4*xx + 3]; 403 } (gdb) p filterResX $1 = 33333 (gdb) p filterResY $2 = 33333 (gdb) x/i $eip 0xb5039767 <_ZN16nsSVGFilterFrame11FilterPaintEP16nsSVGRenderStateP16nsISVGChildFrame+2889>: movzbl (%eax),%eax (gdb) p/x $eax $3 = 0xb2323003 (gdb) x/4x $eax 0xb2323003: Cannot access memory at address 0xb2323003 (gdb) p stride $4 = 133332
Reporter | ||
Updated•18 years ago
|
Component: General → GFX: Thebes
Product: Firefox → Core
QA Contact: general → thebes
Version: unspecified → Trunk
Comment 1•18 years ago
|
||
Roc: if not you please find someone to own this bug.
Assignee: nobody → roc
Flags: blocking1.9?
Whiteboard: [sg:critical] post-1.8
Reporter | ||
Comment 3•18 years ago
|
||
according to coverity CID: 1083 from run 176: Description: Dereferencing freed pointer "surface" in call to function "_moz_cairo_image_surface_get_data" in this method may be use after free. the basic codepath is: 378 cairo_surface_destroy(surface); ... 400 PRUint8 *data = cairo_image_surface_get_data(surface);
Attachment #256110 -
Flags: review?(dveditz)
Comment 5•17 years ago
|
||
dan/pav/roc, can you review?
Comment 6•17 years ago
|
||
Comment on attachment 256110 [details] [diff] [review] decrease filter resolution when needed I wonder if 2K is big enough -- my screen at work is 1920x1200, and the driver in my laptop supports higher. But solves the problem: r=dveditz
Attachment #256110 -
Flags: review?(dveditz) → review+
Comment on attachment 256110 [details] [diff] [review] decrease filter resolution when needed Donations of a larger monitor (currently working with 1400x1050 and 1280x1024) cheerfully accepted. Seriously, a number of the filter are fairly slow, so this is in part a denial of service prevention. However it would still be pretty easy for content to request a filter that would take an unreasonable amount of time to compute.
Attachment #256110 -
Flags: superreview?(roc)
Comment 8•17 years ago
|
||
(In reply to comment #3) > according to coverity CID: 1083 from run 176: > Description: Dereferencing freed pointer "surface" in call to function > "_moz_cairo_image_surface_get_data" Run 176 was Jan 16, I guess they don't scan the codebase all that often. That code was removed with revision 1.27 on Jan 22 (and isn't related to the integer overflow in this bug in any case).
Comment on attachment 256110 [details] [diff] [review] decrease filter resolution when needed I would make the limit bigger, say 16384 (which is near the maximum it could be). I can easily imagine people want to render things that are bigger than the screen size. Also, use PRUint32() constructor-style casts instead of those NS_STATIC_CAST casts.
Attachment #256110 -
Flags: superreview?(roc) → superreview+
Reporter | ||
Comment 10•17 years ago
|
||
cloned comment #3 to Bug 372353
Assignee | ||
Comment 11•17 years ago
|
||
Attachment #256110 -
Attachment is obsolete: true
Attachment #258002 -
Flags: superreview?(roc)
Attachment #258002 -
Flags: review?(dveditz)
Attachment #258002 -
Flags: superreview?(roc) → superreview+
Updated•17 years ago
|
Whiteboard: [sg:critical] post-1.8 → [sg:critical] post-1.8-branch
Updated•17 years ago
|
Component: GFX: Thebes → SVG
Updated•17 years ago
|
QA Contact: thebes → ian
Comment 12•17 years ago
|
||
Comment on attachment 258002 [details] [diff] [review] suggested changes plus more memory allocation checking r=dveditz
Attachment #258002 -
Flags: review?(dveditz) → review+
Assignee | ||
Comment 13•17 years ago
|
||
Assignee | ||
Comment 14•17 years ago
|
||
Checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Updated•17 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•