Bug 701259 (CVE-2011-3665)

crashes on videos when scaling to large width/height

VERIFIED FIXED in Firefox 9

Status

Product: Core
Component: Audio/Video
Status: VERIFIED FIXED
Reported: 6 years ago
Modified: 3 years ago

People

(Reporter: sczimmer, Assigned: cpearce)

Tracking

Version: unspecified
Target Milestone: mozilla11
Platform: x86_64 Linux
Keywords: verified-aurora, verified-beta
Points: ---
Bug Flags: sec-bounty+

Firefox Tracking Flags

(firefox8 affected, firefox9 fixed, firefox10 fixed, firefox11 fixed, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa!], crash signature)

Attachments

(4 attachments)

(Reporter)

Description

6 years ago
Created attachment 573399 [details]
example website

When visiting the website:
<video width="999999999" height="999999999" controls autoplay>
<source src="avideo.ogg" type="video/ogg">
</video><video controls autoplay>

Firefox crashes in LinearScaleYUVToRGB32Row, an inline assembly function defined in gfx/ycbcr/yuv_row_posix.cpp.
It looks like Firefox is writing xmm1 to rgb_buf width times, but width is too big, so it writes xmm1 until it reaches unmapped memory and then crashes.

I tested in Firefox 5 on 32-bit Linux and Firefox 11 on 64-bit Linux, and it crashes as described above. I also tested in Firefox 3.6 and it doesn't crash.

Marking as security because of possibly exploitable memory corruption.
(Reporter)

Comment 1

6 years ago
Created attachment 573400 [details]
video to go with website
(Reporter)

Comment 2

6 years ago
Created attachment 573401 [details]
backtrace for firefox 11 on 64-bit linux
(Assignee)

Comment 3

6 years ago
Created attachment 574204 [details] [diff] [review]
Patch v1

Reject attempts to scale a BasicPlanarYCbCrImage if width or height are larger than PlanarYCbCrImage::MAX_DIMENSION.
Assignee: nobody → chris
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #574204 - Flags: review?(roc)
Attachment #574204 - Flags: review?(roc) → review+
Comment 4

6 years ago
It seems like this should be rejected at a higher level. mScaleHint is being set to a size computed from an area with width==height==nscoord_MAX, which seems bogus.
(Assignee)

Comment 5

6 years ago
What did you have in mind specifically, Matthew?
Comment 6

6 years ago
You're probably right, but defense in depth is fine here.
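As an added illustration of the two checks discussed in this bug (the description's overrun of rgb_buf when width is huge, the patch's rejection of dimensions above PlanarYCbCrImage::MAX_DIMENSION, and comment 4's point that the scale hint should be rejected earlier), here is a plain C sketch. It is not code from the bug, the patch, or the Firefox tree. It assumes a constructed MAX_DIMENSION value of 16384 (the page names the constant but not its value), replaces the SSE routine with a simplified nearest-neighbour YUV-to-RGB32 row scaler, and uses constructed sample rows.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for PlanarYCbCrImage::MAX_DIMENSION (value assumed). */
#define MAX_DIMENSION 16384

/* Layer 1 ("reject at a higher level"): validate the requested output size
 * before any scaling is attempted. 64-bit parameters so a caller cannot
 * smuggle a huge value through truncation. */
bool scale_size_is_sane(int64_t width, int64_t height)
{
    if (width <= 0 || height <= 0)
        return false;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return false;
    return true;
}

/* Bytes needed for a width x height RGB32 buffer, or 0 if rejected. Both
 * factors are bounded by MAX_DIMENSION, so the product cannot overflow. */
size_t rgb32_buffer_bytes(int64_t width, int64_t height)
{
    if (!scale_size_is_sane(width, height))
        return 0;
    uint64_t px = (uint64_t)width * (uint64_t)height;
    if (px > SIZE_MAX / 4)
        return 0;
    return (size_t)(px * 4);
}

static uint8_t clamp255(int v)
{
    return (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v);
}

/* Layer 2 (defense in depth): the row scaler itself refuses to write past
 * rgb_buf_len. Simplified stand-in for LinearScaleYUVToRGB32Row using
 * nearest-neighbour sampling and BT.601 integer math; source_dx is a 16.16
 * fixed-point horizontal step. Output is BGRA. Returns 0 on success, -1 if
 * the request is rejected. */
int scale_yuv_row_to_rgb32(const uint8_t *y_buf, const uint8_t *u_buf,
                           const uint8_t *v_buf, size_t src_width,
                           uint8_t *rgb_buf, size_t rgb_buf_len,
                           size_t width, uint32_t source_dx)
{
    if (src_width == 0 || width == 0 || width > MAX_DIMENSION)
        return -1;
    if (rgb_buf_len / 4 < width)      /* output would overrun rgb_buf */
        return -1;

    uint64_t x = 0;
    for (size_t i = 0; i < width; i++, x += source_dx) {
        size_t sx = (size_t)(x >> 16);
        if (sx >= src_width)          /* never read past the source row */
            sx = src_width - 1;
        int Y = y_buf[sx];
        int U = u_buf[sx / 2] - 128;  /* chroma planes are half width */
        int V = v_buf[sx / 2] - 128;
        uint8_t *p = rgb_buf + i * 4;
        p[0] = clamp255(Y + (454 * U) / 256);             /* B */
        p[1] = clamp255(Y - (88 * U + 183 * V) / 256);    /* G */
        p[2] = clamp255(Y + (359 * V) / 256);             /* R */
        p[3] = 0xFF;                                      /* A */
    }
    return 0;
}

/* Constructed sample: a 4-pixel mid-grey source row (Y=128, U=V=128) scaled
 * 2x into an 8-pixel destination. Returns 1 if every output pixel is opaque
 * grey (128,128,128,255), 0 otherwise, -1 if the scaler rejected the call. */
int demo_scale_grey_row(void)
{
    const uint8_t y[4] = {128, 128, 128, 128};
    const uint8_t u[2] = {128, 128};
    const uint8_t v[2] = {128, 128};
    uint8_t rgb[8 * 4];
    if (scale_yuv_row_to_rgb32(y, u, v, 4, rgb, sizeof rgb, 8, 0x8000) != 0)
        return -1;
    for (size_t i = 0; i < 8; i++) {
        const uint8_t *p = rgb + i * 4;
        if (p[0] != 128 || p[1] != 128 || p[2] != 128 || p[3] != 0xFF)
            return 0;
    }
    return 1;
}

/* The testcase's width="999999999" against a small buffer: the scaler must
 * return -1 rather than write past rgb. */
int demo_scale_oversized_row(void)
{
    const uint8_t y[4] = {128, 128, 128, 128};
    const uint8_t u[2] = {128, 128};
    const uint8_t v[2] = {128, 128};
    uint8_t rgb[8 * 4];
    return scale_yuv_row_to_rgb32(y, u, v, 4, rgb, sizeof rgb, 999999999u, 0x8000);
}

int main(void)
{
    printf("999999999x999999999 accepted: %d\n", scale_size_is_sane(999999999, 999999999));
    printf("bytes for 640x480 RGB32: %zu\n", rgb32_buffer_bytes(640, 480));
    printf("grey row ok: %d\n", demo_scale_grey_row());
    printf("oversized row status: %d\n", demo_scale_oversized_row());
    return 0;
}
```

The outer check alone would have stopped the testcase, but the inner one is what turns a mistake elsewhere (a new caller that forgets to validate its scale hint) into a rejected frame instead of a write into unmapped memory, which is the point of comment 6.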
(Assignee)

Comment 7

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9f27da086fe3

Comment 8

6 years ago
from edmorley : https://hg.mozilla.org/mozilla-central/rev/09ad1943c19a

Comment 9

6 years ago
(In reply to Ian Melven :imelven from comment #8)
> from edmorley : https://hg.mozilla.org/mozilla-central/rev/09ad1943c19a

scratch that, wrong bug - https://hg.mozilla.org/mozilla-central/rev/9f27da086fe3 fixes this
(Assignee)

Updated

6 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
status-firefox10: --- → affected
status-firefox11: --- → fixed
status-firefox8: --- → affected
status-firefox9: --- → affected
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
(Assignee)

Comment 10

6 years ago
Comment on attachment 574204 [details] [diff] [review]
Patch v1

Requesting approval on Aurora and Beta because this is a crasher and it is potentially exploitable. I think it would be quite hard to write an actual exploit though.
Attachment #574204 - Flags: approval-mozilla-beta?
Attachment #574204 - Flags: approval-mozilla-aurora?

Comment 11

6 years ago
Comment on attachment 574204 [details] [diff] [review]
Patch v1

[triage comment]
Approved for beta and aurora. Please land as soon as possible.
Attachment #574204 - Flags: approval-mozilla-beta?
Attachment #574204 - Flags: approval-mozilla-beta+
Attachment #574204 - Flags: approval-mozilla-aurora?
Attachment #574204 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 12

6 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/62676e1529c2
status-firefox10: affected → fixed
(Assignee)

Comment 13

6 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/62676e1529c2
(Assignee)

Comment 14

6 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/05255b6a0f42
status-firefox9: affected → fixed
Whiteboard: [qa+]
The code being patched here doesn't exist on the 1.9.2 branch, I assume this bug is more recent then and doesn't affect older branches?
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Whiteboard: [qa+] → [sg:critical][qa+]
Testcase does not crash 2011-12-08 Nightly and Aurora, and Firefox 9.0b5
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
blocking1.9.2: ? → -
status1.9.2: ? → unaffected
blocking1.9.2: - → ---
Alias: CVE-2011-3665
Crash Signature: [@ LinearScaleYUVToRGB32Row ]
Group: core-security
Attachment #573399 - Attachment mime type: text/plain → text/html
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+