Closed Bug 497256 Opened 13 years ago Closed 12 years ago

Buffer overflow in debug code for reflow rules

Categories

(Core :: Layout, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla1.9.3a4

People

(Reporter: dfoxfranke, Assigned: dbaron)

References

Details

(Whiteboard: [sg:moderate])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3) Gecko/20090403 Shiretoko/3.1b3
Build Identifier: trunk

DR_State::ParseRule() contains a stack-allocated 128-character buffer which DR_State::GetToken() will blindly overrun if a reflow rule file contains a stretch of more than 128 characters without whitespace.

In order for this to be exploited, the victim would have to be persuaded to download a malicious rule file and then run a debug build of Mozilla with an environment variable set to its path.  However, this is not completely unrealistic: an attacker might conceivably dupe a Mozilla developer into doing this while under the guise of seeking help tracking down a layout bug.

Reproducible: Always

Steps to Reproduce:
1. Create a file containing a large string of arbitrary text, with no whitespace.
2. Set the GECKO_DISPLAY_REFLOW_RULES_FILE environment variable to the file's path.
3. Launch a debug build of Firefox.
4. Observe segfault.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:moderate]
Attached patch: patch
Probably easiest to think of pulling the getc() call into the loop body as a separate refactoring step before the rest of the patch.

Changing cX to size_t is to avoid a signed-unsigned comparison warning.
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Attachment #437188 - Flags: review?(roc)
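As an added illustration (not Mozilla's code and not the attached patch), the C sketch below shows the defect class the report describes and the shape of the fix dbaron outlines: a token reader for a whitespace-separated rule file that keeps getc() inside the loop body so every byte passes a bounds check before it is stored, uses size_t for the index, and truncates a run of more than 128 non-whitespace bytes instead of writing past the end of the 128-byte stack buffer. The function names, the 128-byte constant and the sample rule-file text are assumptions constructed for the example; fmemopen() is used only so the reader runs against an in-memory string.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the 128-char stack buffer in DR_State::ParseRule(). */
#define TOKEN_BUF_SIZE 128

/* Bounded token reader (assumed shape; not the Gecko implementation).
 * Skips leading whitespace, stores at most bufSize-1 non-whitespace bytes,
 * always NUL-terminates, and stops on the bounds check rather than only on
 * the next whitespace. Returns the number of bytes stored and sets
 * *truncated when the token did not fit; the rest of an oversized token is
 * drained so the next call starts at the following token. Returns 0 with
 * buf[0] == '\0' at end of file. */
static size_t read_token(FILE *in, char *buf, size_t bufSize, int *truncated)
{
    size_t cX = 0;   /* size_t, as in the fix, so the comparison with bufSize is unsigned */
    int c;
    *truncated = 0;

    /* getc() in the loop body: the byte is checked against the buffer size before it is stored */
    for (;;) {
        c = getc(in);
        if (c == EOF)
            break;
        if (isspace(c)) {
            if (cX == 0)
                continue;   /* leading whitespace */
            break;          /* end of token */
        }
        if (cX + 1 >= bufSize) {
            /* Buffer full: discard the remainder of the token instead of overrunning the buffer. */
            *truncated = 1;
            while ((c = getc(in)) != EOF && !isspace(c)) { }
            break;
        }
        buf[cX++] = (char)c;
    }
    buf[cX] = '\0';
    return cX;
}

/* Reads every token from a rule-file string held in memory. Returns the number of
 * tokens and stores how many of them were truncated in *truncatedTokens. */
static int count_tokens_from_string(const char *text, int *truncatedTokens)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    char buf[TOKEN_BUF_SIZE];   /* fixed-size stack buffer, as in the report */
    int n = 0, tr;
    *truncatedTokens = 0;
    if (!in)
        return -1;
    while (read_token(in, buf, sizeof buf, &tr) > 0) {
        n++;
        if (tr)
            (*truncatedTokens)++;
    }
    fclose(in);
    return n;
}

/* Constructed sample input: two ordinary tokens, then a 300-byte run with no
 * whitespace (the report's trigger: more than 128 characters without whitespace),
 * then two more ordinary tokens. */
static const char *sample_rule_file(void)
{
    static char text[400];
    if (text[0] == '\0') {
        strcpy(text, "width 200 ");        /* 10 bytes */
        memset(text + 10, 'A', 300);       /* oversized token */
        strcpy(text + 310, " height 10");
    }
    return text;
}

static int sample_token_count(void)
{
    int tr;
    return count_tokens_from_string(sample_rule_file(), &tr);
}

static int sample_truncated_count(void)
{
    int tr;
    count_tokens_from_string(sample_rule_file(), &tr);
    return tr;
}

int main(void)
{
    printf("tokens: %d, truncated: %d\n", sample_token_count(), sample_truncated_count());
    return 0;
}
```

The two properties worth checking are that the oversized token is reported as truncated rather than overrunning the buffer, and that parsing resumes correctly at the next token afterwards; the sample input yields five tokens, one of them truncated.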
http://hg.mozilla.org/mozilla-central/rev/3f7faac350f1
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a4
Group: core-security → core-security-release
Group: core-security-release
Product: Core → Core Graveyard
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core