Closed Bug 727547 (CVE-2012-0478) Opened 13 years ago Closed 13 years ago

nsIDOMWebGLRenderingContext_Tex{,Sub}Image2D use JSVAL_TO_OBJECT on arbitrary objects

Categories

Product/Component: Core :: Graphics: CanvasWebGL
Type: defect
Priority: Not set
Severity: normal

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla13
Tracking Status
firefox11 --- wontfix
firefox12 + verified
firefox13 + verified
firefox14 --- verified
firefox-esr10 12+ verified
status1.9.2 --- unaffected

People

(Reporter: Ms2ger, Assigned: Ms2ger)

References

Details

(Keywords: regression, reporter-external, Whiteboard: [sg:critical][qa!][gfx.relnote.13])

Attachments

(2 files)

Attached patch Patch v1Splinter Review
Something like this should do the trick:

webglcontext.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 })

I'd test it, but we don't support WebGL on my hardware. Code was added in bug 573705.
Attachment #597496 - Flags: review?(bzbarsky)
Comment on attachment 597496 [details] [diff] [review]
Patch v1

r=me, but do post a testcase in this bug so it can be landed at some point?
Attachment #597496 - Flags: review?(bzbarsky) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
Attached patch TestSplinter Review
Problem definitely affects the ESR (bp-b58535e5-276a-4867-a477-612372120317). What severity rating should this bug get? The given testcase is a near-null deref and isn't scary, but could data ever have anything in it that JSVAL_TO_OBJECT() would turn into something dangerous, maybe pointing at a fake object an attacker created? We should probably just fix it rather than waste time figuring that out.
Doing s/data: 7/data: 0xdeadbeef/ gives bp-1e0ff526-91d1-4b8b-b130-e03d72120317, which is somewhat less near-null.
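Added illustration of the mechanism the two comments above are discussing; this is neither the attached patch nor SpiderMonkey's jsapi code. It models a boxed script value as a tag word plus a payload word (an assumed layout; the real jsval representation differs) and contrasts a binding that extracts an object pointer from pixels.data without a type check, which is the shape the bug title describes, with one that checks the tag first. With the checked version absent, { data: 7 } and { data: 0xdeadbeef } become the addresses 0x7 and 0xdeadbeef that the native code would dereference next, matching the near-null and not-so-near-null crash reports. The function and type names are made up for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy tagged value (an assumption for this example; SpiderMonkey's real
 * jsval layout differs): a tag word plus a payload word. */
typedef enum { TAG_UNDEFINED, TAG_NUMBER, TAG_OBJECT } ToyTag;

typedef struct ToyObject {
    const char *class_name;          /* e.g. "Uint8Array" */
} ToyObject;

typedef struct {
    ToyTag    tag;
    uintptr_t payload;               /* number bits or an object pointer */
} ToyVal;

/* Constructors: a script number carries its 32 bits in the payload; an
 * object carries its address. */
static ToyVal number_value(uint32_t bits) { ToyVal v = { TAG_NUMBER, bits }; return v; }
static ToyVal object_value(ToyObject *o) { ToyVal v = { TAG_OBJECT, (uintptr_t)o }; return v; }

/* Type predicate, the analogue of JSVAL_IS_OBJECT. */
static bool val_is_object(ToyVal v) { return v.tag == TAG_OBJECT; }

/* Payload extractor, the analogue of JSVAL_TO_OBJECT: it does not look at
 * the tag, so it is only meaningful after val_is_object() returned true. */
static ToyObject *val_to_object(ToyVal v) { return (ToyObject *)v.payload; }

/* Vulnerable shape: the binding assumes pixels.data is an object and
 * extracts the pointer unconditionally.  Returns the address that would
 * be dereferenced next: 7 for { data: 7 }, 0xdeadbeef for { data: 0xdeadbeef }. */
static uintptr_t pixels_data_ptr_vulnerable(ToyVal data)
{
    ToyObject *obj = val_to_object(data);      /* no val_is_object() first */
    return (uintptr_t)obj;
}

/* Hardened shape: check the tag first and refuse non-objects (a real
 * binding would throw a TypeError here).  Returns 0 for a rejected value;
 * a live object is never at address 0. */
static uintptr_t pixels_data_ptr_checked(ToyVal data)
{
    if (!val_is_object(data))
        return 0;
    return (uintptr_t)val_to_object(data);
}

/* A stand-in for a typed array the script could legitimately pass. */
static ToyObject sample_array = { "Uint8Array" };

int main(void)
{
    ToyVal bad  = number_value(0xdeadbeefu);   /* what { data: 0xdeadbeef } hands the binding */
    ToyVal good = object_value(&sample_array);

    printf("unchecked, data=0xdeadbeef: would dereference %#lx\n",
           (unsigned long)pixels_data_ptr_vulnerable(bad));
    printf("checked,   data=0xdeadbeef: %s\n",
           pixels_data_ptr_checked(bad) ? "accepted" : "rejected");
    printf("checked,   data=Uint8Array: %s\n",
           pixels_data_ptr_checked(good) ? "accepted" : "rejected");
    return 0;
}
```

The practitioner's takeaway is the one dveditz raises: once the extractor is reached with script-chosen bits, the resulting pointer is whatever the page wants it to be, so the severity does not depend on the specific crash address in the report; the correct fix is the tag check before extraction, not reasoning about which addresses are reachable.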
Whiteboard: [sg:critical]
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Problem definitely affects the ESR
> (bp-b58535e5-276a-4867-a477-612372120317). What severity rating should this
> bug get? The given testcase is a near-null deref and isn't scary, but could
> data ever have anything in it that JSVAL_TO_OBJECT() would turn into
> something dangerous, maybe pointing at a fake object an attacker created?
>
> We should probably just fix it rather than waste time figuring that out.

If that's the approach to take here, can someone please nominate the patch for approval-esr10? Would be great to get this landed in the next few days.
Ms2ger, Boris, this bug is still marked as status-firefox12:affected. What's the decision here: are we still trying to land a patch on beta for ff12, or are we wontfixing this for ff12?
Comment on attachment 597496 [details] [diff] [review]
Patch v1

I think we should fix this on beta and ESR.

[Approval Request Comment]
Regression caused by (bug #): 573705
User impact if declined: Allows web content to trigger probably-exploitable crashes.
Testing completed (on m-c, etc.): Been on m-c and Aurora for a while
Risk to taking this patch (and alternatives if risky): Very very low-risk.
String changes made by this patch: None
Attachment #597496 - Flags: approval-mozilla-esr10?
Attachment #597496 - Flags: approval-mozilla-beta?
Comment on attachment 597496 [details] [diff] [review]
Patch v1

[triage comment] low risk, let's get these in.
Attachment #597496 - Flags: approval-mozilla-esr10?
Attachment #597496 - Flags: approval-mozilla-esr10+
Attachment #597496 - Flags: approval-mozilla-beta?
Attachment #597496 - Flags: approval-mozilla-beta+
Whiteboard: [sg:critical] → [sg:critical][qa+]
Alias: CVE-2012-0478
Verified it in nightly with testcase (which isn't checked in yet): Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120420 Firefox/14.0a1
Status: RESOLVED → VERIFIED
Verification complete using:

<html>
<head>
<script type="text/javascript">
function initWebGL(canvas) {
  // Initialize the global variable gl to null.
  gl = null;
  try {
    // Try to grab the standard context. If it fails, fallback to experimental.
    gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
  } catch(e) {}
  // If we don't have a GL context, give up now
  if (!gl) {
    alert("Unable to initialize WebGL. Your browser may not support it.");
  }
}

function start() {
  var canvas = document.getElementById("glcanvas");
  initWebGL(canvas);      // Initialize the GL context
  // Only continue if WebGL is available and working
  if (gl) {
    gl.clearColor(0.0, 0.0, 0.0, 1.0);                  // Set clear color to black, fully opaque
    gl.enable(gl.DEPTH_TEST);                           // Enable depth testing
    gl.depthFunc(gl.LEQUAL);                            // Near things obscure far things
    gl.clear(gl.COLOR_BUFFER_BIT|gl.DEPTH_BUFFER_BIT);  // Clear the color as well as the depth buffer.
    gl.texImage2D(0, 0, 0, 0, 0, { width: 10, height: 10, data: 7 });
  }
}
</script>
</head>
<body onload="start()">
<canvas id="glcanvas" width="640" height="480">
Your browser doesn't appear to support the HTML5 <code>&lt;canvas&gt;</code> element.
</canvas>
</body>
</html>
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Group: core-security
Whiteboard: [sg:critical][qa!] → [sg:critical][qa!][gfx.relnote.13]
Flags: in-testsuite? → in-testsuite+
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+