Buffer overflow in debug code for reflow rules

RESOLVED FIXED in mozilla1.9.3a4

Status
Core
Layout: Misc Code
RESOLVED FIXED
9 years ago
2 years ago

People

(Reporter: Daniel Franke, Assigned: dbaron)

Tracking

unspecified
mozilla1.9.3a4
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate], URL)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3) Gecko/20090403 Shiretoko/3.1b3
Build Identifier: trunk

DR_State::ParseRule() contains a stack-allocated 128-character buffer which DR_State::GetToken() will blindly overrun if a reflow rule file contains a stretch of more than 128 characters without whitespace.

In order for this to be exploited, the victim would have to be persuaded to download a malicious rule file and then run a debug build of Mozilla with an environment variable set to its path.  However, this is not completely unrealistic: an attacker might conceivably dupe a Mozilla developer into doing this while under the guise of seeking help tracking down a layout bug.

Reproducible: Always

Steps to Reproduce:
1. Create a file containing a large string of arbitrary text, with no whitespace.
2. Set the GECKO_DISPLAY_REFLOW_RULES_FILE environment variable to the file's path.
3. Launch a debug build of Firefox.
4. Observe segfault.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:moderate]
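As an added example (not the Mozilla patch and not the page's own code), the following C program shows the mitigation the report implies: keep the 128-byte stack buffer that DR_State::ParseRule() uses, but make the token reader refuse to write past it, draining the rest of an oversize token so the parser stays aligned and reporting the rejection to the caller. The RuleStream/NextChar in-memory reader, the function names and the sample inputs are constructed for this illustration; they are not part of the layout debug code.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same capacity as the stack buffer described in the report. */
#define TOKEN_BUF_SIZE 128

/* Minimal in-memory stream so the example runs without a rules file;
 * NextChar() plays the role of getc() on that file. (Constructed for this
 * example, not part of the layout debug code.) */
typedef struct { const char *text; size_t pos; } RuleStream;

static int NextChar(RuleStream *s)
{
    if (s->text[s->pos] == '\0') return EOF;
    return (unsigned char)s->text[s->pos++];
}

enum TokenStatus { TOKEN_OK, TOKEN_EOF, TOKEN_TOO_LONG };

/* Copy one whitespace-delimited token into buf (capacity bufSize, always
 * NUL-terminated). A token that would not fit is truncated, the rest of it
 * is drained from the stream so the parser stays aligned, and TOKEN_TOO_LONG
 * is returned instead of writing past the end of the buffer. */
static enum TokenStatus
GetTokenBounded(RuleStream *in, char *buf, size_t bufSize)
{
    size_t cX = 0;          /* size_t, so the bound check needs no sign cast */
    int c;

    if (bufSize == 0) return TOKEN_TOO_LONG;
    do { c = NextChar(in); } while (c != EOF && isspace(c));   /* skip leading whitespace */
    if (c == EOF) { buf[0] = '\0'; return TOKEN_EOF; }

    while (c != EOF && !isspace(c)) {
        if (cX + 1 >= bufSize) {           /* leave room for the terminator */
            buf[cX] = '\0';
            while (c != EOF && !isspace(c)) c = NextChar(in);   /* drain the oversize token */
            return TOKEN_TOO_LONG;
        }
        buf[cX++] = (char)c;
        c = NextChar(in);
    }
    buf[cX] = '\0';
    return TOKEN_OK;
}

/* Walk a whole rule text, counting tokens that fit and tokens rejected. */
static void CountTokens(const char *text, int *accepted, int *rejected)
{
    RuleStream in = { text, 0 };
    char token[TOKEN_BUF_SIZE];
    *accepted = 0; *rejected = 0;
    for (;;) {
        enum TokenStatus st = GetTokenBounded(&in, token, sizeof token);
        if (st == TOKEN_EOF) break;
        if (st == TOKEN_OK) (*accepted)++; else (*rejected)++;
    }
}

static int CountAccepted(const char *text) { int a, r; CountTokens(text, &a, &r); return a; }
static int CountRejected(const char *text) { int a, r; CountTokens(text, &a, &r); return r; }

/* Constructed sample: one 300-char run with no whitespace (the reproduction
 * case from the report) followed by one ordinary token. */
static const char *OversizeSample(void)
{
    static char sample[320];
    memset(sample, 'A', 300);
    memcpy(sample + 300, " ok", 4);   /* copies the terminator too */
    return sample;
}

/* Constructed sample: a single token of exactly n characters, to probe the
 * boundary (127 fits with its terminator, 128 does not). */
static const char *TokenOfLength(size_t n)
{
    static char sample[512];
    if (n > sizeof sample - 1) n = sizeof sample - 1;
    memset(sample, 'B', n);
    sample[n] = '\0';
    return sample;
}

int main(void)
{
    int a, r;
    CountTokens("frame 0 width 10", &a, &r);
    printf("plain input: %d accepted, %d rejected\n", a, r);
    CountTokens(OversizeSample(), &a, &r);
    printf("oversize token: %d accepted, %d rejected\n", a, r);
    return 0;
}
```

The bound check runs before every write, so the largest token stored is bufSize - 1 characters plus the terminator; the caller decides whether a TOKEN_TOO_LONG result is a hard parse error or just a skipped rule, but either way no stack memory beyond the buffer is touched.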
(Assignee)

Comment 1

8 years ago
Created attachment 437188 [details] [diff] [review]
patch

Probably easiest to think of pulling the getc() call into the loop body as a separate refactoring step before the rest of the patch.

Changing cX to size_t is to avoid a signed-unsigned comparison warning.
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Attachment #437188 - Flags: review?(roc)
Attachment #437188 - Flags: review?(roc) → review+
(Assignee)

Comment 2

8 years ago
http://hg.mozilla.org/mozilla-central/rev/3f7faac350f1
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a4

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release