User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3) Gecko/20090403 Shiretoko/3.1b3 Build Identifier: trunk DR_State::ParseRule() contains a stack-allocated 128-character buffer which DR_State::GetToken() will blindly overrun if a reflow rule file contains a stretch of more than 128 characters without whitespace. In order for this to be exploited, the victim would have to be persuaded to download a malicious rule file and then run a debug build of Mozilla with an environment variable set to its path. However, this is not completely unrealistic: an attacker might conceivably dupe a Mozilla developer into doing this while under the guise of seeking help tracking down a layout bug. Reproducible: Always Steps to Reproduce: 1. Create a file containing a large string of arbitrary text, with no whitespace. 2. Set the GECKO_DISPLAY_REFLOW_RULES_FILE environment variable to the file's path. 3. Launch a debug build of Firefox. 4. Observe segfault.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Created attachment 437188 [details] [diff] [review] patch Probably easiest to think of pulling the getc() call into the loop body as a separate refactoring step before the rest of the patch. Changing cX to size_t is to avoid a signed-unsigned comparison warning.
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Attachment #437188 - Flags: review?(roc)
Attachment #437188 - Flags: review?(roc) → review+
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a4
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core
You need to log in before you can comment on or make changes to this bug.