Bug 548200 (Closed): potential overflow in nsICanvasRenderingContextWebGL_TexSubImage2D
Opened 14 years ago, closed 14 years ago
Categories: Core :: Graphics: CanvasWebGL, defect
Status: RESOLVED FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | final+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People: Reporter: bhackett1024, Assigned: vlad
Whiteboard: [sg:critical?]
Attachments (1 file): patch, 694 bytes; joe: review+, roc: superreview+
Description:

Hi, nsICanvasRenderingContextWebGL_TexSubImage2D in content/canvas/src/CustomQS_WebGL.h may write out of the bounds of its intargs stack array. Here is the relevant code:

```cpp
int32 intargs[8];

// convert the first six args, they must be ints
for (jsuint i = 0; i < 6; ++i) {
    if (!JS_ValueToECMAInt32(cx, argv[i], &intargs[i]))
        return JS_FALSE;
}

if (JSVAL_IS_OBJECT(argv[6])) {
    // try to make this a nsIDOMElement
    nsIDOMElement *elt;
    xpc_qsSelfRef eltRef;

    // these are two optional args, default to 0
    intargs[7] = 0;
    intargs[8] = 0;   // out of bounds: intargs has 8 elements, so index 8 is one past the end
```

(It also reads from intargs[8] a few lines below this write.)

Brian
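An added illustration in plain C (not Mozilla's code and not the patch attached to this bug) that models the intargs marshalling pattern from the report: a bounds-checked store makes the write to intargs[8] visible as an out-of-range access, and the hardened variant sizes the array from the highest index the code uses. INTARGS_COUNT, INTARGS_MAX_INDEX, store_intarg and the replay functions are names assumed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INTARGS_COUNT 8   /* mirrors "int32 intargs[8]" from the report */

/* Bounds-checked store: refuses the write instead of running past the
 * end of the array. */
static bool store_intarg(int32_t *arr, size_t count, size_t idx, int32_t v) {
    if (idx >= count)
        return false;
    arr[idx] = v;
    return true;
}

/* Replays the writes the report describes: six converted args, then the
 * two "optional" defaults at indices 7 and 8. Returns how many writes
 * fell outside the array (the reported code has exactly one). */
int replay_buggy_writes(void) {
    int32_t intargs[INTARGS_COUNT] = {0};
    int oob = 0;
    for (size_t i = 0; i < 6; ++i)
        if (!store_intarg(intargs, INTARGS_COUNT, i, (int32_t)i)) ++oob;
    if (!store_intarg(intargs, INTARGS_COUNT, 7, 0)) ++oob;
    if (!store_intarg(intargs, INTARGS_COUNT, 8, 0)) ++oob; /* index 8 of 8: one past the end */
    return oob;
}

/* Hardened variant (assumed for illustration, not the patch on this bug):
 * derive the array size from the highest index the code uses, and take
 * the element count from the array itself rather than a separate constant. */
#define INTARGS_MAX_INDEX 8
int replay_fixed_writes(void) {
    int32_t intargs[INTARGS_MAX_INDEX + 1] = {0};
    const size_t count = sizeof intargs / sizeof intargs[0];
    int oob = 0;
    for (size_t i = 0; i < 6; ++i)
        if (!store_intarg(intargs, count, i, (int32_t)i)) ++oob;
    if (!store_intarg(intargs, count, 7, 0)) ++oob;
    if (!store_intarg(intargs, count, 8, 0)) ++oob;
    return oob;
}

int main(void) {
    printf("buggy: %d out-of-bounds write(s), fixed: %d\n",
           replay_buggy_writes(), replay_fixed_writes());
    return 0;
}
```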
Updated, 14 years ago:
Component: General → Canvas: WebGL
OS: Windows Vista → All
Product: Firefox → Core
QA Contact: general → canvas.webgl
Hardware: x86 → All
Updated, 14 years ago:
blocking2.0: --- → ?
Updated, 14 years ago:
Whiteboard: [sg:critical?]
Comment 2 (assignee), 14 years ago:
Argh, silly copy and paste error. Thanks for catching this!
Attachment #431719 - Flags: review?(joe)
Comment 3, 14 years ago:
Comment on attachment 431719 [details] [diff] [review] (fix): Since this is a security bug, it needs sr too.
Attachment #431719 - Flags: superreview?(roc)
Attachment #431719 - Flags: review?(joe) → review+
Attachment #431719 - Flags: superreview?(roc) → superreview+
This is a security bug with reviewed patch -- which branches does it need to get on? Vlad: can you take care of this bug this week? If it's not a bug that affects 3.6, then we can also open the bug at once.
Comment 5 (assignee), 14 years ago:
trunk only; http://hg.mozilla.org/mozilla-central/rev/e13c17273ebd
Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated, 14 years ago:
blocking2.0: ? → final+
Updated, 14 years ago:
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected