548200 - potential overflow in nsICanvasRenderingContextWebGL_TexSubImage2D

Status: RESOLVED FIXED

(Core :: Graphics: CanvasWebGL, defect)

Description

[Brian Hackett [Laid off!]]

Hi, nsICanvasRenderingContextWebGL_TexSubImage2D in content/canvas/src/CustomQS_WebGL.h may write out of the bounds of its intargs stack array.  Here is the relevant code:

BEGIN CODE

    int32 intargs[8];

    // convert the first six args, they must be ints                            
    for (jsuint i = 0; i < 6; ++i) {
        if (!JS_ValueToECMAInt32(cx, argv[i], &intargs[i]))
            return JS_FALSE;
    }

    if (JSVAL_IS_OBJECT(argv[6])) {
        // try to make this a nsIDOMElement                                     
        nsIDOMElement *elt;
        xpc_qsSelfRef eltRef;

        // these are two optinal args, default to 0                             
        intargs[7] = 0;
        intargs[8] = 0;

END CODE

(It also reads from intargs[8] a few lines below this write).

Brian

Comment 1

[Joe Drew (not getting mail)]

Vlad, can you look at this?

Comment 2

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Attachment: fix

Argh, silly copy and paste error.  Thanks for catching this!

Comment 3

[Joe Drew (not getting mail)]

Comment on attachment 431719 [details] [diff] [review]
fix

Since this is a security bug, it needs sr too.

Comment 4

[Mike Shaver (:shaver -- probably not reading bugmail closely)]

This is a security bug with reviewed patch -- which branches does it need to get on?

Vlad: can you take care of this bug this week?  If it's not a bug that affects 3.6, then we can also open the bug at once.

Comment 5

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

trunk only; http://hg.mozilla.org/mozilla-central/rev/e13c17273ebd