Copy to uninitialized pointer in nsGLPbufferCGL::ThebesSurface

RESOLVED FIXED

Status


Core
Canvas: WebGL
--
critical
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: Drew Yao, Assigned: vlad)

Tracking

({crash, testcase})

unspecified
x86
Mac OS X
crash, testcase
Points:
---

Firefox Tracking Flags

(status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [sg:moderate] (critical when WebGL is enabled))

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a1pre) Gecko/20091101 Minefield/3.7a1pre

In content/canvas/src/nsGLPbufferCGL.cpp

"""
gfxASurface*
nsGLPbufferCGL::ThebesSurface()
{
    if (!mThebesSurface) {
        mThebesSurface = new gfxImageSurface(gfxIntSize(mWidth, mHeight), gfxASurface::ImageFormatARGB32);
        if (mThebesSurface->CairoStatus() != 0) {
            fprintf (stderr, "image surface failed\n");
            return nsnull;
        }

        mQuartzSurface = new gfxQuartzImageSurface(mThebesSurface);

        mImageNeedsUpdate = PR_TRUE;
    }

    if (mImageNeedsUpdate) {
        MakeContextCurrent();
        mGLWrap.fReadPixels (0, 0, mWidth, mHeight, LOCAL_GL_BGRA, LOCAL_GL_UNSIGNED_INT_8_8_8_8_REV, mThebesSurface->Data());
"""

If this line
mThebesSurface = new gfxImageSurface(gfxIntSize(mWidth, mHeight), gfxASurface::ImageFormatARGB32);
fails due to gfxASurface::CheckSurfaceSize, the function will return, with mThebesSurface set to some pointer value, but the object not fully initialized. The next time the function runs, the line
mGLWrap.fReadPixels (0, 0, mWidth, mHeight, LOCAL_GL_BGRA, LOCAL_GL_UNSIGNED_INT_8_8_8_8_REV, mThebesSurface->Data());
results in a copy to an uninitialized pointer, leading to memory corruption and potential code execution.


Reproducible: Always

Steps to Reproduce:
1. Use recent Firefox 3.7 (this doesn't affect 3.5).
   Set the MallocScribble environment variable to 1 on Mac OS X and open Minefield. Something like
     killall firefox-bin
     env MallocScribble=1 open -a Minefield
   Set webgl.enabled_for_all_sites = true in about:config
2. Open attached html file

Actual Results:  
It crashes writing to 0xaaaaaaaa indicating it is writing to an uninitialized pointer.
If it's running 64-bit MineFieldDebug, the crashlog will look like
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: 0x000000000000000d, 0x0000000000000000
with the 0xd exception code indicating that it was accessing an address which is invalid in the 64-bit ABI (0xaaaaaaaaaaaaaaaa).

Expected Results:  
No crash.
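The lazy-init pattern from the description, as an added stand-alone C++ model (not code from Gecko or from this bug's patch): BuggySurface() leaves the failed object cached the way the report describes, FixedSurface() nulls the pointer as Comment 1 asks, and SecondCallLeaksFailedSurface() checks which one lets a never-allocated surface reach a second caller. ImageSurface, Pbuffer and the 32767 size limit are hypothetical stand-ins for gfxImageSurface, nsGLPbufferCGL and CheckSurfaceSize, not Gecko's real types or values.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical stand-in for gfxImageSurface: a surface whose size check fails (the role
// gfxASurface::CheckSurfaceSize plays in Gecko) reports a non-zero status and has no buffer.
struct ImageSurface {
    static const int kMaxDim = 32767;  // constructed limit, not Gecko's real value
    int status = 0;
    std::vector<uint8_t> pixels;
    ImageSurface(int w, int h) {
        // Reject out-of-range sizes before multiplying, so the byte count cannot overflow.
        if (w <= 0 || h <= 0 || w > kMaxDim || h > kMaxDim) { status = 1; return; }
        pixels.resize(static_cast<size_t>(w) * 4u * static_cast<size_t>(h));
    }
    int CairoStatus() const { return status; }
    uint8_t* Data() { return pixels.empty() ? nullptr : pixels.data(); }
};
// Lazily created, cached surface as in nsGLPbufferCGL::ThebesSurface, in the
// reported form and with the fix Comment 1 asks for (null the pointer on error).
struct Pbuffer {
    int mWidth, mHeight;
    std::unique_ptr<ImageSurface> mThebesSurface;
    Pbuffer(int w, int h) : mWidth(w), mHeight(h) {}
    // Reported form: the early return leaves mThebesSurface pointing at the failed
    // object, so the next call skips the creation block and hands that object out.
    ImageSurface* BuggySurface() {
        if (!mThebesSurface) {
            mThebesSurface.reset(new ImageSurface(mWidth, mHeight));
            if (mThebesSurface->CairoStatus() != 0) return nullptr;
        }
        return mThebesSurface.get();
    }
    // Fixed form: drop the failed object so every call re-runs the check and fails cleanly.
    ImageSurface* FixedSurface() {
        if (!mThebesSurface) {
            mThebesSurface.reset(new ImageSurface(mWidth, mHeight));
            if (mThebesSurface->CairoStatus() != 0) { mThebesSurface.reset(); return nullptr; }
        }
        return mThebesSurface.get();
    }
};
// Calls the getter twice, as a redrawing caller would; true when the second call hands back
// a surface with no buffer, i.e. the Data() pointer fReadPixels would write through.
bool SecondCallLeaksFailedSurface(int w, int h, bool applyFix) {
    Pbuffer p(w, h);
    ImageSurface* first  = applyFix ? p.FixedSurface() : p.BuggySurface();
    ImageSurface* second = applyFix ? p.FixedSurface() : p.BuggySurface();
    return first == nullptr && second != nullptr && second->Data() == nullptr;
}
```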
(Reporter)

Comment 1

8 years ago
Created attachment 409774 [details]
Testcase which causes a crash
Ah, mThebesSurface needs to be set to null if CairoStatus() indicates an error.
Duplicate of this bug: 525990
Status: UNCONFIRMED → NEW
status1.9.1: --- → unaffected
Ever confirmed: true
Keywords: crash, testcase
Whiteboard: [sg:moderate] requires WebGL to be enabled
Component: Canvas: 2D → Canvas: WebGL
Vlad: can we get a patch for that, then?
Assignee: nobody → vladimir
Created attachment 426593 [details] [diff] [review]
patch

Yeah, this was going to get rewritten for layers a while ago but it hasn't happened yet... so here's that crash fix.
Attachment #426593 - Flags: review?
Attachment #426593 - Flags: review? → review?(jmuizelaar)
Attachment #426593 - Flags: review?(jmuizelaar) → review+
http://hg.mozilla.org/mozilla-central/rev/0bb6d228a444
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Although this patch applies on the 1.9.2 branch, it can't be enabled by a simple pref (you'd have to build from scratch with canvas3d enabled), so I'm calling the 1.9.2 releases "unaffected".
Group: core-security
status1.9.2: --- → unaffected
Whiteboard: [sg:moderate] requires WebGL to be enabled → [sg:moderate] (critical when WebGL is enabled)