Closed
Bug 623791
(CVE-2011-1302)
Opened 14 years ago
Closed 14 years ago
[ANGLE] WebGLES shader assertion failed: (oldhashloc >= 0), function IncreaseHashTableSize
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | Macaw+ |
| status2.0 | --- | .1-fixed |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: posidron, Assigned: bjacob)
References
()
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?])
Attachments
(2 files)
No description provided.
|
Reporter | |
Comment 1•14 years ago
|
||
|
|
Reporter | |
Comment 2•14 years ago
|
||
|
||
Comment 3•14 years ago
|
||
Can you please file this in the ANGLE issue tracker as well? Thanks
|
|
Reporter | |
Updated•14 years ago
|
|
|
||
Comment 4•14 years ago
|
||
We have fixed this issue in ANGLE revision 605. Mozilla still crashes (under windows), but no longer in ANGLE code, so we expect that the validator must be statically compiled in and needs to be updated to verify this.
|
||
Comment 5•14 years ago
|
||
The upstream bug says A critical parser bug was fixed in r605. When loading the shader from a file, Chrome previously crashed but now properly reports the shader compilation failures. http://code.google.com/p/angleproject/issues/detail?id=117#c2 The patch fixes a buffer overflow http://code.google.com/p/angleproject/source/detail?r=605 This was also fixed in Chrome so we need to get it into Macaw asap
Assignee: nobody → bjacob
Group: core-security
blocking2.0: --- → ?
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Whiteboard: [sg:critical?]
|
|
||
Updated•14 years ago
|
blocking2.0: ? → Macaw+
|
|
||
Comment 6•14 years ago
|
||
Chrome fixed an additional "off by three" overwrite in libGLESv2 http://code.google.com/p/angleproject/source/detail?r=611
|
||
Comment 7•14 years ago
|
||
This will be fixed with the patches in bug 649233.
|
|
||
Comment 8•14 years ago
|
||
This landed on mozilla-central. Going to land these patches on mozilla-2.0 once they are approved in bug 649233.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Updated•14 years ago
|
|
|
||
Comment 9•14 years ago
|
||
Credit for the additional security fix the Chrome team reported to us (comment 6) should go to "yuri.ko616". It wasn't actually reported as a security issue, just a crash.
|
|
||
Updated•14 years ago
|
Alias: CVE-2011-0068
|
|
||
Comment 10•14 years ago
|
||
The additional fix for yuri.ko616's bug is tracked by Google at http://code.google.com/p/chromium/issues/detail?id=70070 (hidden security bug) Christophe's original bug is tracked by them at http://code.google.com/p/chromium/issues/detail?id=78524 Announced (without detail) on 4/14 at http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
|
||
Comment 11•14 years ago
|
||
Actually, the guy wanted to be credited as "Yuri Ko" I messed up in the Chrome release notes.
|
|
||
Comment 12•14 years ago
|
||
I was pinged for some additional information on why we landed the ANGLE updated the way we did. The Chrome maintainers created a chrome_m10 branch in upstream ANGLE, and cherrypicked the changes they wanted. They branched off ANGLE r551, but the last time we updated was ANGLE r550. So, in order to stay 100% current with the chrome_m10 branch, we applied both r551 and r611, the two changesets that branch had that mozilla-central didn't have.
|
|
||
Updated•14 years ago
|
Group: core-security
|
|
||
Updated•14 years ago
|
Alias: CVE-2011-0068 → CVE-2011-1302
|
|
||
Comment 13•14 years ago
|
||
Updating the CVE number: the Chrome security team already assigned CVE-2011-1302 to Christophe's bug and MITRE has duped -0068 to that one. Yuri's bug was CVE-2011-1300
|
|
||
Comment 14•14 years ago
|
||
I apologize for repeatedly misspelling Christoph's name.
|
|
Reporter | |
Comment 15•14 years ago
|
||
No problem. :)
You need to log in
before you can comment on or make changes to this bug.
Description
•