Bug 701259 (CVE-2011-3665): crashes on videos when scaling to large width/height
Opened 13 years ago; Closed 13 years ago
Categories: Core :: Audio/Video, defect
Status: VERIFIED FIXED (target milestone mozilla11)

Branch | Tracking | Status
---|---|---
firefox8 | --- | affected
firefox9 | --- | fixed
firefox10 | --- | fixed
firefox11 | --- | fixed
status1.9.2 | --- | unaffected
People: Reporter: sczimmer, Assigned: cpearce
Details: Keywords: reporter-external, verified-aurora, verified-beta; Whiteboard: [sg:critical][qa!]
Crash Data
Attachments (4 files):
- 140 bytes, text/html
- 278.62 KB, text/plain
- 19.84 KB, text/plain
- 1.49 KB, patch (roc: review+; christian: approval-mozilla-aurora+; christian: approval-mozilla-beta+)
Description (Reporter)•13 years ago
When visiting the website:

```html
<video width="999999999" height="999999999" controls autoplay>
<source src="avideo.ogg" type="video/ogg">
</video><video controls autoplay>
```

Firefox crashes in LinearScaleYUVToRGB32Row, an inline assembly function defined in gfx/ycbcr/yuv_row_posix.cpp.
It looks like Firefox is writing xmm1 to rgb_buf width times, but width is too big, so it writes xmm1 until it reaches unmapped memory and then crashes.
I tested in Firefox 5 on 32-bit Linux and Firefox 11 on 64-bit Linux and it crashes as described above. I also tested in Firefox 3.6 and it doesn't crash.
Marking as security because of possibly exploitable memory corruption.
Comment 3 (Assignee)•13 years ago
Reject attempts to scale a BasicPlanarYCbCrImage if width or height are larger than PlanarYCbCrImage::MAX_DIMENSION.
Assignee: nobody → chris
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #574204 - Flags: review?(roc)
Attachment #574204 - Flags: review?(roc) → review+
Comment 4•13 years ago
It seems like this should be rejected at a higher level. mScaleHint is being set to a size computed from an area with width==height==nscoord_MAX, which seems bogus.
Comment 5 (Assignee)•13 years ago
What did you have in mind specifically, Matthew?
You're probably right, but defense in depth is fine here.
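The guard described in comment 3, placed in front of a row scaler that behaves like the one in the description (it writes `width` pixels and trusts the caller), as an added C example that is not the patch from this bug or Mozilla's code. The function names are hypothetical, and MAX_DIMENSION is a placeholder value since the page does not state the real constant; the entry point also checks that the destination can hold width*height*4 bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed cap standing in for PlanarYCbCrImage::MAX_DIMENSION; the real value
   is not given on this page, so 16384 is a placeholder. */
#define MAX_DIMENSION 16384

/* Simplified stand-in for a YUV->RGB32 row scaler. Like the real routine it
   writes `width` pixels (4 bytes each) to rgb_buf and trusts the caller that
   the buffer is large enough; an oversized width walks off the end. */
static void scale_row_to_rgb32(const uint8_t *y_row, int src_width,
                               uint8_t *rgb_buf, int width) {
    for (int x = 0; x < width; x++) {
        /* nearest-neighbour horizontal sample; grey pixel from luma only */
        int sx = (int)((int64_t)x * src_width / width);
        uint8_t v = y_row[sx];
        rgb_buf[4 * x + 0] = v;    /* B */
        rgb_buf[4 * x + 1] = v;    /* G */
        rgb_buf[4 * x + 2] = v;    /* R */
        rgb_buf[4 * x + 3] = 0xff; /* A */
    }
}

/* Guarded entry point (hypothetical name): validates every dimension and the
   destination size before any row scaler runs. Returns true on success. */
bool scale_image_checked(const uint8_t *y_plane, int src_width, int src_height,
                         uint8_t *rgb_buf, size_t rgb_buf_len,
                         int dst_width, int dst_height) {
    if (!y_plane || !rgb_buf)
        return false;
    if (src_width <= 0 || src_height <= 0 || dst_width <= 0 || dst_height <= 0)
        return false;
    /* The check from comment 3: reject either dimension above the cap. */
    if (dst_width > MAX_DIMENSION || dst_height > MAX_DIMENSION)
        return false;
    /* Also require room for width*height*4 bytes; computed in 64 bits so the
       product cannot wrap around even for values just under the cap. */
    uint64_t needed = (uint64_t)dst_width * (uint64_t)dst_height * 4u;
    if (needed > (uint64_t)rgb_buf_len)
        return false;
    for (int y = 0; y < dst_height; y++) {
        int sy = (int)((int64_t)y * src_height / dst_height);
        scale_row_to_rgb32(y_plane + (size_t)sy * src_width, src_width,
                           rgb_buf + (size_t)y * dst_width * 4, dst_width);
    }
    return true;
}
```

With the 999999999 x 999999999 request from the testcase, the cap check fails first and no row is ever written.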
Comment 7 (Assignee)•13 years ago

Comment 8•13 years ago
from edmorley : https://hg.mozilla.org/mozilla-central/rev/09ad1943c19a
Comment 9•13 years ago
(In reply to Ian Melven :imelven from comment #8)
> from edmorley : https://hg.mozilla.org/mozilla-central/rev/09ad1943c19a
scratch that, wrong bug - https://hg.mozilla.org/mozilla-central/rev/9f27da086fe3 fixes this
Updated (Assignee)•13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
status-firefox10: --- → affected
status-firefox11: --- → fixed
status-firefox8: --- → affected
status-firefox9: --- → affected
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
Comment 10 (Assignee)•13 years ago
Comment on attachment 574204 [details] [diff] [review]
Patch v1
Requesting approval on Aurora and Beta because this is a crasher and it is potentially exploitable. I think it would be quite hard to write an actual exploit though.
Attachment #574204 - Flags: approval-mozilla-beta?
Attachment #574204 - Flags: approval-mozilla-aurora?
Comment 11•13 years ago
Comment on attachment 574204 [details] [diff] [review]
Patch v1
[triage comment]
Approved for beta and aurora. Please land as soon as possible.
Attachment #574204 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #574204 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 12 (Assignee)•13 years ago

Comment 13 (Assignee)•13 years ago

Comment 14 (Assignee)•13 years ago
Comment 15•13 years ago
The code being patched here doesn't exist on the 1.9.2 branch; I assume this bug is more recent, then, and doesn't affect older branches?
Comment 16•13 years ago
Testcase does not crash the 2011-12-08 Nightly and Aurora builds, or Firefox 9.0b5.
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Updated•13 years ago
blocking1.9.2: ? → -

Updated•13 years ago
blocking1.9.2: - → ---

Updated•13 years ago
Alias: CVE-2011-3665
Crash Signature: [@ LinearScaleYUVToRGB32Row ]

Updated•13 years ago
Group: core-security

Updated•12 years ago
Attachment #573399 - Attachment mime type: text/plain → text/html

Updated•9 months ago
Keywords: reporter-external