Bug 688854
Opened 13 years ago
Closed 13 years ago
Null pointer dereference in nsHTMLCanvasElement::ExtractData
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
RESOLVED
DUPLICATE
of bug 681190
People
(Reporter: bsterne, Unassigned)
Details
(Whiteboard: [sg:dos][good first bug])
Fabian Yamaguchi of Recurity Labs, on behalf of BSI (German Federal Office for Information Security), reported the following to security@mozilla.org:

Component: The bug exists in the HTML 5 Canvas Element.

Summary: Displaying a web page containing a canvas element without an associated rendering context can cause a NULL pointer to be dereferenced when crafted width and height fields are supplied.

Overview: The HTML 5 Canvas Element introduced in recent versions of Firefox can be used as a vector to cause a NULL pointer to be dereferenced in both the PNG and JPEG encoder, which are called via the method nsHTMLCanvasElement::ExtractData. To achieve this, the user sets the width and height fields of the canvas element but refrains from creating an associated RenderingContext. This causes the member variable mCurrentContext to be NULL. When, for example, the methods mozGetAsFile or toDataURL are then called on the canvas object, the method ExtractData is called, which then attempts to create the gfxImageSurface emptyCanvas since mCurrentContext is NULL. The constructor of gfxImageSurface then detects that this combination of width and height fields would overflow a 32-bit unsigned integer and sets the member variable mData to 0. ExtractData then fails to handle this error condition and thus passes a NULL pointer to the image encoder, since emptyCanvas->Data() returns mData, which is 0. Neither encoder validates the incoming pointer, and both thus dereference it when attempting to read from the supplied pointer.

Steps to Reproduce: Load the following HTML document:

    <html>
    <script>
    function f() {
        canvas = document.getElementById('myCanvas');
        canvas.width = 32768;
        canvas.height = 32768;
        f = canvas.mozGetAsFile("foo.jpg");
    }
    </script>
    <body onload="f()"></body>
    <canvas id="myCanvas"></canvas>
    </html>

Actual Results: The application dereferences a NULL pointer and crashes.

Expected Results: The application does not crash.
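The report above describes three cooperating pieces: a size computation that overflows 32 bits for 32768 x 32768 x 4 bytes, a surface constructor that reacts to that overflow by leaving its data pointer NULL, and a caller (ExtractData) that hands the pointer to an encoder without checking it. The following C model, added here as an illustration and not Gecko code, reproduces that chain with hypothetical stand-ins (surface_init, encode_rows, extract_data_vulnerable, extract_data_fixed) and shows the one check the caller is missing. The pixel format, the 64-bit overflow test and the checksum "encoder" are assumptions for the model only; the real gfxImageSurface and encoders are not reproduced.

```c
/* Model of the NULL-data path described in the report (added example, not Gecko code).
 * surface_init stands in for the gfxImageSurface constructor, encode_rows for the
 * PNG/JPEG encoder, extract_data_* for nsHTMLCanvasElement::ExtractData. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4u   /* assumed: 32-bit ARGB backing store */

enum { EXTRACT_OK = 0, EXTRACT_ERR_SIZE = -1, EXTRACT_ERR_ENCODE = -2 };

typedef struct {
    int32_t  width, height;
    uint32_t stride;
    uint8_t *data;           /* stays NULL when the size computation overflows */
} image_surface;

/* The size computed in plain 32-bit arithmetic: 32768 * 4 * 32768 = 2^32 wraps to 0. */
uint32_t naive_size32(int32_t width, int32_t height) {
    return (uint32_t)width * BYTES_PER_PIXEL * (uint32_t)height;
}

/* Constructor model: compute the size in 64 bits, and if it does not fit a 32-bit
 * size, leave data NULL instead of allocating a wrapped (too small) buffer. */
int surface_init(image_surface *s, int32_t width, int32_t height) {
    s->width = width; s->height = height; s->stride = 0; s->data = NULL;
    if (width <= 0 || height <= 0) return -1;
    uint64_t stride = (uint64_t)width * BYTES_PER_PIXEL;
    if (stride > UINT32_MAX) return -1;
    s->stride = (uint32_t)stride;
    uint64_t size = stride * (uint64_t)height;
    if (size > UINT32_MAX) return -1;            /* overflow: data remains NULL */
    s->data = calloc((size_t)size, 1);           /* blank canvas, all zero */
    return s->data ? 0 : -1;
}

void surface_free(image_surface *s) { free(s->data); s->data = NULL; }

/* Encoder model: like the encoders in the report, it trusts the pixel pointer and
 * reads every byte of every row. Called with NULL it dereferences address 0. */
int encode_rows(const uint8_t *pixels, uint32_t stride, int32_t height, uint32_t *checksum) {
    uint32_t sum = 0;
    for (int32_t y = 0; y < height; y++)
        for (uint32_t x = 0; x < stride; x++)
            sum = sum * 31u + pixels[(size_t)y * stride + x];
    *checksum = sum;
    return 0;
}

/* Vulnerable caller: ignores the constructor's failure and passes s.data (NULL) on.
 * Do not call this with 32768 x 32768; it is here to show the missing check. */
int extract_data_vulnerable(int32_t width, int32_t height, uint32_t *checksum) {
    image_surface s;
    surface_init(&s, width, height);             /* return value ignored */
    int rc = encode_rows(s.data, s.stride, s.height, checksum);
    surface_free(&s);
    return rc ? EXTRACT_ERR_ENCODE : EXTRACT_OK;
}

/* Fixed caller: refuse the request when the surface has no backing data. */
int extract_data_fixed(int32_t width, int32_t height, uint32_t *checksum) {
    image_surface s;
    if (surface_init(&s, width, height) != 0 || s.data == NULL)
        return EXTRACT_ERR_SIZE;
    int rc = encode_rows(s.data, s.stride, s.height, checksum);
    surface_free(&s);
    return rc ? EXTRACT_ERR_ENCODE : EXTRACT_OK;
}

/* Reports whether the unchecked path would hand the encoder a NULL pointer for this size. */
int unchecked_path_passes_null(int32_t width, int32_t height) {
    image_surface s;
    surface_init(&s, width, height);
    int null_data = (s.data == NULL);
    surface_free(&s);
    return null_data;
}

int main(void) {
    uint32_t checksum = 0;
    printf("naive 32-bit size for 32768x32768: %u\n", naive_size32(32768, 32768));
    printf("unchecked path passes NULL: %d\n", unchecked_path_passes_null(32768, 32768));
    printf("fixed path, 32768x32768: %d\n", extract_data_fixed(32768, 32768, &checksum));
    printf("fixed path, 64x64: %d (checksum %u)\n", extract_data_fixed(64, 64, &checksum), checksum);
    return 0;
}
```

The PoC's choice of 32768 is the smallest square size at which width * height * 4 is exactly 2^32, so a naive 32-bit computation yields 0 bytes; the constructor's overflow detection is what turns that into a NULL data pointer rather than a zero-length allocation, and the caller has to treat a NULL data pointer as a failure, not as an empty image.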
This doesn't crash my nightly build on Windows.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE