Closed
Bug 371638
Opened 17 years ago
Closed 17 years ago
potential cairo-hull int overflow
Categories
(Core :: Graphics, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha8
People
(Reporter: guninski, Assigned: vlad)
References
Details
(Whiteboard: [sg:critical?])
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/gfx/cairo/cairo/src/cairo-hull.c&rev=1.3&mark=65#65 65 hull = malloc (num_vertices * sizeof (cairo_hull_t)); is the same construct as Bug 360645 – Firefox 2.0 SVG "_cairo_pen_init" but can't hit it yet.
Reporter | ||
Updated•17 years ago
|
Assignee: general → nobody
Component: General → GFX: Thebes
Product: Mozilla Application Suite → Core
QA Contact: general → thebes
Comment 1•17 years ago
|
||
Are you sure we can't call this? I stopped following when it looked like three separate places could trigger this. 3 callers -> _cairo_path_fixed_stroke_to_traps _cairo_path_fixed_interpret(... _cairo_stroker_curve_to ...) _cairo_pen_add_points _cairo_hull_compute _cairo_hull_init Do these cairo fixes make it into the upstream? Or do we have to worry about them recurring next time we merge new stuff in?
Assignee: nobody → vladimir
Whiteboard: [sg:critical?]
Reporter | ||
Comment 2•17 years ago
|
||
(In reply to comment #1) > Are you sure we can't call this? I stopped following when it looked like three > separate places could trigger this. > > 3 callers -> > _cairo_path_fixed_stroke_to_traps > _cairo_path_fixed_interpret(... _cairo_stroker_curve_to ...) > _cairo_pen_add_points > _cairo_hull_compute > _cairo_hull_init > > Do these cairo fixes make it into the upstream? Or do we have to worry about > them recurring next time we merge new stuff in? > in case the comment was to me: not sure that can't hit it, just pointed out couldn't hit it yesterday evening. and even if can't be hitted at the moment, it is may be hittable by a future caller.
Updated•17 years ago
|
Flags: blocking1.9+
Assignee | ||
Comment 3•17 years ago
|
||
I have a patch that I'm waiting to get into cairo proper that fixes this and all similar issues; it basically adds a number of helper functions for malloc(N*k) and (N*Z*k) etc.
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha6
Reporter | ||
Comment 4•17 years ago
|
||
(In reply to comment #3) > I have a patch that I'm waiting to get into cairo proper that fixes this and > all similar issues; it basically adds a number of helper functions for > malloc(N*k) and (N*Z*k) etc. > isn't malloc(N*k) calloc(N,k) (calloc seems to check for overflow on linux)? DESCRIPTION calloc() allocates memory for an array of nmemb elements of size bytes each and returns a pointer to the allocated memory. The memory is set to zero.
Assignee | ||
Comment 5•17 years ago
|
||
It is, except that it also zeros the memory, which is unnecessary in these cases; there are other bits that wouldn't be covered by calloc (a*b*k and a*k+s) so there'll just be a unified way to do those allocations. Should get the patch into cairo and into moz before a6.
Reporter | ||
Comment 6•17 years ago
|
||
(In reply to comment #5) > It is, except that it also zeros the memory, which is unnecessary in these yes it zeros, agreed
Assignee | ||
Updated•17 years ago
|
Depends on: 383960
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Assignee | ||
Comment 7•17 years ago
|
||
This should be fixed now -- all cairo allocations are overflow-checked.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 8•17 years ago
|
||
Do we need to worry about this on the 1.8 branch?
Comment 10•16 years ago
|
||
no one wants to backport these fixes without knowing this code can be exercised with FF2's limited use of cairo. Not going to block on it for 1.8.1.15 but needs more investigation.
Flags: blocking1.8.1.15? → wanted1.8.1.x+
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•