When visiting the website: <video width="999999999" height="999999999" controls autoplay> <source src="avideo.ogg" type="video/ogg"> </video><video controls autoplay>, Firefox crashes in LinearScaleYUVToRGB32Row, an inline assembly function defined in gfx/ycbcr/yuv_row_posix.cpp. It looks like Firefox is writing xmm1 to rgb_buf width times, but width is too big, so it writes xmm1 until it reaches unmapped memory and crashes. I then tested in Firefox 5 on 32-bit Linux and Firefox 11 on 64-bit Linux, and it crashes as described above. I also tested in Firefox 3.6 and it doesn't crash. Marking as security because of possibly exploitable memory corruption.
Reject attempts to scale a BasicPlanarYCbCrImage if width or height are larger than PlanarYCbCrImage::MAX_DIMENSION.
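The reporter's description (a row scaler writing width pixels past the mapped buffer) and the fix (rejecting dimensions above PlanarYCbCrImage::MAX_DIMENSION) together suggest the shape of the check. The C below is an added illustration, not Mozilla's code: MAX_DIMENSION is an assumed value, and ScaleRowChecked is a hypothetical nearest-neighbour stand-in for the real assembly row scaler that only writes after the cap and the destination capacity have been validated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed cap for this example; the real value lives in
 * PlanarYCbCrImage::MAX_DIMENSION in the Mozilla tree. */
#define MAX_DIMENSION 16384
#define BYTES_PER_PIXEL 4 /* RGB32 output pixel */

/* Mirror the fix: refuse to scale when either dimension is non-positive
 * or exceeds the cap, so a page cannot request a 999999999-wide row. */
bool ScaleDimensionsAllowed(int width, int height) {
    return width > 0 && height > 0 &&
           width <= MAX_DIMENSION && height <= MAX_DIMENSION;
}

/* Bytes in one RGB32 output row, or 0 when the width is rejected.
 * Once capped, width * 4 cannot overflow size_t on any target. */
size_t RgbRowBytes(int width) {
    if (!ScaleDimensionsAllowed(width, 1)) return 0;
    return (size_t)width * BYTES_PER_PIXEL;
}

/* Hypothetical checked row scaler: fills dst_width pixels from src by
 * nearest-neighbour sampling, but only after verifying that the row fits
 * in the caller's buffer. Returns pixels written, or -1 on rejection. */
long ScaleRowChecked(const uint32_t *src, int src_width,
                     uint32_t *dst, size_t dst_capacity_bytes,
                     int dst_width) {
    if (!ScaleDimensionsAllowed(src_width, 1) ||
        !ScaleDimensionsAllowed(dst_width, 1))
        return -1;
    /* This is the check whose absence let the original loop run into
     * unmapped memory: the row must fit in the destination allocation. */
    if (RgbRowBytes(dst_width) > dst_capacity_bytes)
        return -1;
    for (int x = 0; x < dst_width; x++) {
        int sx = (int)((int64_t)x * src_width / dst_width);
        dst[x] = src[sx];
    }
    return dst_width;
}
```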
Assignee: nobody → chris
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #574204 - Flags: review?(roc)
Attachment #574204 - Flags: review?(roc) → review+
It seems like this should be rejected at a higher level. mScaleHint is being set to a size computed from an area with width==height==nscoord_MAX, which seems bogus.
What did you have in mind specifically, Matthew?
You're probably right, but defense in depth is fine here.
from edmorley : https://hg.mozilla.org/mozilla-central/rev/09ad1943c19a
(In reply to Ian Melven :imelven from comment #8)
> from edmorley : https://hg.mozilla.org/mozilla-central/rev/09ad1943c19a
Scratch that, wrong bug - https://hg.mozilla.org/mozilla-central/rev/9f27da086fe3 fixes this.
Comment on attachment 574204 (Patch v1): Requesting approval on Aurora and Beta because this is a crasher and it is potentially exploitable. I think it would be quite hard to write an actual exploit though.
Comment on attachment 574204 (Patch v1) [triage comment]: Approved for beta and aurora. Please land as soon as possible.
The code being patched here doesn't exist on the 1.9.2 branch, I assume this bug is more recent then and doesn't affect older branches?
Testcase does not crash 2011-12-08 Nightly and Aurora, and Firefox 9.0b5
Crash Signature: [@ LinearScaleYUVToRGB32Row ]
Attachment #573399 - Attachment mime type: text/plain → text/html