Closed Bug 701259 (CVE-2011-3665) Opened 13 years ago Closed 13 years ago

crashes on videos when scaling to large width/height

Categories

(Core :: Audio/Video, defect)

x86_64
Linux
defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla11
Tracking Status
firefox8 --- affected
firefox9 --- fixed
firefox10 --- fixed
firefox11 --- fixed
status1.9.2 --- unaffected

People

(Reporter: sczimmer, Assigned: cpearce)

Details

(Keywords: verified-aurora, verified-beta, Whiteboard: [sg:critical][qa!])

Attachments

(4 files)

Attached file example website
When visiting the website:
<video width="999999999" height="999999999" controls autoplay>
<source src="avideo.ogg" type="video/ogg">
</video><video controls autoplay>

Firefox crashes in LinearScaleYUVToRGB32Row, an inline assembly function defined in gfx/ycbcr/yuv_row_posix.cpp.
It looks like Firefox is writing xmm1 to rgb_buf width times, but width is too big, so it writes xmm1 until it reaches unmapped memory and then crashes.

I tested in Firefox 5 on 32-bit Linux and Firefox 11 on 64-bit Linux, and it crashes as described above. I also tested in Firefox 3.6 and it doesn't crash.

Marking as security because this is possibly exploitable memory corruption.
Attached patch Patch v1 (Splinter Review)
Reject attempts to scale a BasicPlanarYCbCrImage if width or height are larger than PlanarYCbCrImage::MAX_DIMENSION.
Assignee: nobody → chris
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #574204 - Flags: review?(roc)
It seems like this should be rejected at a higher level.  mScaleHint is being set to a size computed from an area with width==height==nscoord_MAX, which seems bogus.
What did you have in mind specifically, Matthew?
You're probably right, but defense in depth is fine here.
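The patch described above rejects a scale whose width or height exceeds PlanarYCbCrImage::MAX_DIMENSION; the follow-up comments note that the oversize mScaleHint should ideally be caught earlier and that the low-level check is defense in depth. The following is an added illustration in C, not Mozilla's code: a row scaler shaped like the one in the crash signature (one 32-bit pixel written per destination column, `width` times, with no bounds check of its own), a caller that trusts the requested size and would walk off the end of any real buffer for the testcase's 999999999, and a checked caller that applies both the dimension cap and a check against the actual destination capacity. The value of MAX_DIMENSION, the `scale_request` struct, the function names and the fill colour are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap, standing in for PlanarYCbCrImage::MAX_DIMENSION;
 * the real constant's value is not given in the bug. */
#define MAX_DIMENSION 16384

/* A scale request: the destination size the layout code asked for,
 * plus the destination buffer and its real capacity in pixels. */
struct scale_request {
    uint32_t  width;
    uint32_t  height;
    uint32_t *rgb_buf;
    size_t    rgb_buf_pixels;
};

/* Inner loop, shaped like the row scaler in the crash: one 32-bit pixel
 * per destination column, `width` times. It trusts the caller to have
 * sized rgb_buf and has no bounds check of its own. */
static void scale_row_unchecked(uint32_t *rgb_buf, uint32_t width, uint32_t pixel)
{
    for (uint32_t x = 0; x < width; x++)
        rgb_buf[x] = pixel;   /* overruns rgb_buf once width exceeds capacity */
}

/* Before: take the requested size at face value. With the testcase's
 * 999999999 x 999999999 this writes until it reaches unmapped memory. */
static void scale_image_vulnerable(struct scale_request *r)
{
    for (uint32_t y = 0; y < r->height; y++)
        scale_row_unchecked(r->rgb_buf + (size_t)y * r->width, r->width, 0xFF00FF00u);
}

/* After: refuse oversize dimensions before any row is written (the check
 * the patch adds), then also verify the destination really holds
 * width*height pixels, since the caller may still have sized it wrongly. */
static bool scale_image_checked(struct scale_request *r)
{
    if (r->width == 0 || r->height == 0)
        return false;
    if (r->width > MAX_DIMENSION || r->height > MAX_DIMENSION)
        return false;
    /* Both factors are <= MAX_DIMENSION, so the product fits in size_t. */
    size_t needed = (size_t)r->width * r->height;
    if (needed > r->rgb_buf_pixels)
        return false;
    for (uint32_t y = 0; y < r->height; y++)
        scale_row_unchecked(r->rgb_buf + (size_t)y * r->width, r->width, 0xFF00FF00u);
    return true;
}

/* The reporter's testcase dimensions against a 64-pixel buffer: must be refused. */
bool demo_testcase_rejected(void)
{
    uint32_t small_buf[64];
    struct scale_request r = { 999999999u, 999999999u, small_buf, 64 };
    return !scale_image_checked(&r);
}

/* A request under the cap that still does not fit its buffer: must be refused. */
bool demo_buffer_too_small_rejected(void)
{
    uint32_t small_buf[64];
    struct scale_request r = { 16, 16, small_buf, 64 };   /* needs 256 pixels */
    return !scale_image_checked(&r);
}

/* A sane request that fits: returns how many destination pixels were filled. */
size_t demo_sane_request_pixels_written(void)
{
    uint32_t buf[64];
    memset(buf, 0, sizeof buf);
    struct scale_request r = { 8, 8, buf, 64 };
    if (!scale_image_checked(&r))
        return 0;
    size_t written = 0;
    for (size_t i = 0; i < 64; i++)
        if (buf[i] == 0xFF00FF00u)
            written++;
    return written;
}

int main(void)
{
    uint32_t buf[64];
    struct scale_request ok = { 8, 8, buf, 64 };
    scale_image_vulnerable(&ok);   /* safe here only because buf was sized correctly */
    printf("testcase rejected: %d\n", demo_testcase_rejected());
    printf("buffer-too-small rejected: %d\n", demo_buffer_too_small_rejected());
    printf("sane request pixels written: %zu\n", demo_sane_request_pixels_written());
    return 0;
}
```

The dimension cap alone is what the patch adds; the capacity check is the extra layer a caller would want when the requested size comes from an untrusted or bogus source such as the nscoord_MAX-derived scale hint discussed above. Note that the unchecked scaler is never invoked with the oversize request here, since doing so would reproduce the crash rather than demonstrate the fix.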
(In reply to Ian Melven :imelven from comment #8)
> from edmorley : https://hg.mozilla.org/mozilla-central/rev/09ad1943c19a

scratch that, wrong bug - https://hg.mozilla.org/mozilla-central/rev/9f27da086fe3 fixes this
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
Comment on attachment 574204 [details] [diff] [review]
Patch v1

Requesting approval on Aurora and Beta because this is a crasher and it is potentially exploitable. I think it would be quite hard to write an actual exploit though.
Attachment #574204 - Flags: approval-mozilla-beta?
Attachment #574204 - Flags: approval-mozilla-aurora?
Comment on attachment 574204 [details] [diff] [review]
Patch v1

[triage comment]
Approved for beta and aurora. Please land as soon as possible.
Attachment #574204 - Flags: approval-mozilla-beta?
Attachment #574204 - Flags: approval-mozilla-beta+
Attachment #574204 - Flags: approval-mozilla-aurora?
Attachment #574204 - Flags: approval-mozilla-aurora+
Whiteboard: [qa+]
The code being patched here doesn't exist on the 1.9.2 branch, I assume this bug is more recent then and doesn't affect older branches?
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Whiteboard: [qa+] → [sg:critical][qa+]
Testcase does not crash on the 2011-12-08 Nightly and Aurora, or on Firefox 9.0b5.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
blocking1.9.2: ? → -
blocking1.9.2: - → ---
Alias: CVE-2011-3665
Crash Signature: [@ LinearScaleYUVToRGB32Row ]
Group: core-security
Attachment #573399 - Attachment mime type: text/plain → text/html
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+