nsTreeContentView::RemoveRow could be subject to integer overflow

RESOLVED WONTFIX

Status

Core
XUL
RESOLVED WONTFIX
6 years ago
8 months ago

People

(Reporter: jdm, Unassigned)

Tracking

({sec-low})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low])

(Reporter)

Description

6 years ago
This might not be security sensitive, but I think it's a bug that could be exploited in released versions. That said, it's only in XUL, which isn't really available to arbitrary content.

Alex Miller points out that RemoveRow just indexes blindly into an array at http://mxr.mozilla.org/mozilla-central/source/layout/xul/base/src/tree/src/nsTreeContentView.cpp#1334 . If aIndex = 2^31, and the row being removed has a non-zero subtree size, this could wrap around and be dangerous.
(Reporter)

Comment 1

6 years ago
Quick fix would probably be to use CheckedInt here.
Is there a machine alive that could handle that many rows without falling over?

To exploit this (since it's in XUL) you'd have to find a place where content can add things to a tree-view we'd show in chrome. Do we have any of those? Or a popular add-on, I suppose.

Real bug, for sure. Not convinced it's remotely exploitable.
Whiteboard: [sg:low]
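As an added illustration of the overflow the report describes and of the CheckedInt-style fix suggested in comment 1 (this is example code, not the bug's own snippet or Mozilla's nsTreeContentView code): the row array is modelled as a flat vector in which each row is followed by `subtreeSize` descendants, and the removal range `[aIndex, aIndex + 1 + subtreeSize)` is computed once with wrapping arithmetic and once with a checked helper that refuses the operation instead of indexing past the array. `Row`, `checkedAdd`, `wrappingAdd`, `removalEnd`, `removeRowChecked` and the sample data are all hypothetical constructions for this example; `checkedAdd` is a stand-in for a CheckedInt-like helper, not `mozilla::CheckedInt`.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical row record: a row "owns" subtreeSize rows that follow it in the flat array.
struct Row {
    int32_t subtreeSize;
};

// Wrapping 32-bit addition, included only to make the failure mode visible.
// Done in unsigned space so the demonstration itself is defined behaviour.
int32_t wrappingAdd(int32_t a, int32_t b) {
    return static_cast<int32_t>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}

// Checked 32-bit addition: returns nullopt instead of wrapping.
// Stand-in for a CheckedInt-style helper; not the project's own class.
std::optional<int32_t> checkedAdd(int32_t a, int32_t b) {
    const int32_t kMax = std::numeric_limits<int32_t>::max();
    const int32_t kMin = std::numeric_limits<int32_t>::min();
    if (b >= 0 && a > kMax - b) return std::nullopt;  // would exceed INT32_MAX
    if (b < 0 && a < kMin - b) return std::nullopt;   // would go below INT32_MIN
    return a + b;
}

// End (exclusive) of the range covered by removing row aIndex together with its subtree.
// Returns nullopt when the index is out of range, the arithmetic would overflow,
// or the stored subtree size claims rows that do not exist in the array.
std::optional<int32_t> removalEnd(const std::vector<Row>& rows, int32_t aIndex) {
    if (aIndex < 0 || static_cast<uint32_t>(aIndex) >= rows.size()) return std::nullopt;
    auto count = checkedAdd(rows[aIndex].subtreeSize, 1);  // the row itself plus its subtree
    if (!count) return std::nullopt;
    auto end = checkedAdd(aIndex, *count);
    if (!end) return std::nullopt;
    if (static_cast<uint32_t>(*end) > rows.size()) return std::nullopt;  // past the array
    return end;
}

// Remove row aIndex and its subtree; returns false and leaves rows untouched on any check failure.
bool removeRowChecked(std::vector<Row>& rows, int32_t aIndex) {
    auto end = removalEnd(rows, aIndex);
    if (!end) return false;
    rows.erase(rows.begin() + aIndex, rows.begin() + *end);
    return true;
}

// Constructed sample: four rows, row 0 owns the three that follow it.
bool demoValidRemoval() {
    std::vector<Row> rows{{3}, {0}, {0}, {0}};
    return removeRowChecked(rows, 0) && rows.empty();
}

// Constructed sample: a subtree size that claims rows beyond the end of the array.
bool demoOverlongSubtree() {
    std::vector<Row> rows{{5}, {0}, {0}};
    bool removed = removeRowChecked(rows, 0);
    return !removed && rows.size() == 3;
}

// Constructed sample: a subtree size near INT32_MAX, where aIndex + 1 + size would wrap.
bool demoOverflowingSubtree() {
    std::vector<Row> rows{{0}, {std::numeric_limits<int32_t>::max() - 1}, {0}};
    bool removed = removeRowChecked(rows, 1);
    return !removed && rows.size() == 3;
}
```

The unchecked form is what the report worries about: `wrappingAdd(INT32_MAX, 1)` silently yields `INT32_MIN`, and an index derived from it would be used against the array. The checked form makes every step that can overflow return "no value", and the caller treats that as a failed removal rather than as an index.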

Comment 3

5 years ago
Content can't use XUL, so shouldn't we just close this?
I don't think this is worth fixing, what with XUL not exposed to content.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release