Closed Bug 688854 Opened 13 years ago Closed 13 years ago

Null pointer dereference in nsHTMLCanvasElement::ExtractData

Component: Core :: Graphics: Canvas2D
Type: defect
Version: 6 Branch
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 681190
Reporter: bsterne (Unassigned)
Whiteboard: [sg:dos][good first bug]

Fabian Yamaguchi of Recurity Labs on behalf of BSI (German Federal Office for Information Security) reported the following to security@mozilla.org:

Component:
The bug exists in the HTML 5 Canvas Element.

Summary:
Displaying a web page containing a canvas element without an associated rendering context can cause a NULL pointer to be dereferenced when supplying crafted width and height fields.

Overview:
The HTML 5 Canvas Element introduced in recent versions of Firefox can be used as a vector to cause a NULL pointer to be dereferenced in both the PNG and JPEG encoders, which are called via the method nsHTMLCanvasElement::ExtractData. To achieve this, the user sets the width and height fields of the canvas element but refrains from creating an associated RenderingContext. This causes the member variable mCurrentContext to be NULL. When, for example, the methods mozGetAsFile or toDataURL are then called on the canvas object, the method ExtractData is called, which then attempts to create the gfxImageSurface emptyCanvas since mCurrentContext is NULL. The constructor of gfxImageSurface then detects that this combination of width and height fields would overflow a 32-bit unsigned integer and sets the member variable mData to 0. ExtractData then fails to handle this error condition and thus passes a NULL pointer to the image encoder, since emptyCanvas->Data() returns mData, which is 0. Neither encoder validates the incoming pointer, and thus both dereference it when attempting to read from the supplied pointer.

Steps to Reproduce:
Load the following HTML­Document:

<html>
<body onload="f()">
<canvas id="myCanvas"></canvas>
<script>
// Resize the canvas without ever calling getContext(), so no rendering
// context (mCurrentContext) is created.
function f() {
  var canvas = document.getElementById('myCanvas');
  canvas.width = 32768;
  canvas.height = 32768;
  // Calls into nsHTMLCanvasElement::ExtractData, which encodes the empty canvas.
  var file = canvas.mozGetAsFile("foo.jpg");
}
</script>
</body>
</html>

Actual Results:
The application dereferences a NULL pointer and crashes.

Expected Results:
The application does not crash.
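The overflow-then-null path the report describes, and the check ExtractData lacked, as an added C++ example (this is not Gecko's code: ImageSurface, CreateSurface, EncodeStub and ExtractDataChecked are hypothetical stand-ins for gfxImageSurface, the image encoders and nsHTMLCanvasElement::ExtractData):

```cpp
#include <cstdint>
#include <cstdlib>

// Hypothetical stand-in for gfxImageSurface (ARGB32, 4 bytes per pixel).
// data stays nullptr when the buffer size overflows, as the report describes.
struct ImageSurface {
    uint32_t width, height;
    uint8_t* data;
};

// Checked size computation: fails when width * height * bpp does not fit in
// 32 bits. 32768 * 32768 * 4 == 2^32, which wraps to 0 in 32-bit arithmetic.
bool ComputeBufferSize(uint32_t width, uint32_t height, uint32_t bpp,
                       uint32_t* outSize) {
    uint64_t size = (uint64_t)width * height * bpp;
    if (size == 0 || size > UINT32_MAX) return false;
    *outSize = (uint32_t)size;
    return true;
}

// Mimics the constructor behaviour the report describes: on overflow the
// surface object still exists, but its data pointer is left null.
ImageSurface CreateSurface(uint32_t width, uint32_t height) {
    ImageSurface s{width, height, nullptr};
    uint32_t size;
    if (ComputeBufferSize(width, height, 4, &size)) {
        s.data = (uint8_t*)calloc(size, 1);
    }
    return s;
}

// Encoder stand-in: reads every input byte, so a null buffer here is the
// crash the report describes. Returns the number of bytes consumed.
uint32_t EncodeStub(const uint8_t* data, uint32_t size, uint32_t* checksum) {
    uint32_t sum = 0;
    for (uint32_t i = 0; i < size; i++) sum = sum * 31 + data[i];
    *checksum = sum;
    return size;
}

// Hardened ExtractData: validate the surface buffer before handing it to the
// encoder (the check the report says is missing) and report failure instead.
bool ExtractDataChecked(uint32_t width, uint32_t height, uint32_t* encodedBytes) {
    ImageSurface surface = CreateSurface(width, height);
    if (!surface.data) return false;                    // overflow or allocation failure
    uint32_t size = surface.width * surface.height * 4; // safe: checked in CreateSurface
    uint32_t checksum;
    *encodedBytes = EncodeStub(surface.data, size, &checksum);
    free(surface.data);
    return true;
}
```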
This doesn't crash my nightly build on Windows.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE