Closed Bug 731046 Opened 12 years ago Closed 8 years ago

[ANGLE] Assertion `typeName' failed // Parser Crash [@ TType::TType]

Categories

(Core :: Graphics: CanvasWebGL, defect)

10 Branch
x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED INCOMPLETE
Tracking Status
status1.9.2 --- unaffected

People

(Reporter: dveditz, Assigned: bjacob)

References


Details

(Keywords: crash, testcase, Whiteboard: [sg:dos] webgl-angle)

Crash Data

+++ This bug was initially created as a clone of Bug #699033 +++

A potentially exploitable condition triggered by Attachment 571323 [details] was mitigated in bug 699033. A non-exploitable crash remains after that band-aid which will be tracked in this bug.
An ANGLE developer has found the cause of the crash:

http://code.google.com/p/angleproject/issues/detail?id=241#c7

> I located the problem: in glslang.y line 1183 a symbol is being added to a declarator list and the type is inferred from the existing declarator list, but the variables haven't been previously declared so there is no valid type

He is referring to:

http://code.google.com/p/angleproject/source/browse/trunk/src/compiler/glslang.y?spec=svn998&r=965#1183

Code:

init_declarator_list
    : single_declaration {
        $$ = $1;              <---- this line
    }
What is blocking me from fixing this now is that I don't know the syntax of Bison parser generator sources. Someone who does know that would probably find this easy to fix.
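As an added illustration of the defect the ANGLE developer describes (a constructed C++ model written for this page, not ANGLE's grammar actions and not its r1002 fix), the block below shows a declarator-list action that copies the type from the first declarator without checking that it ever resolved, next to a checked version that reports a parse error instead; TypeInfo, Decl, lookupType and the other names are assumptions.

```cpp
#include <cassert>
#include <string>
#include <vector>

// Constructed model (not ANGLE's code) of parsing a declarator list such as
// "vec3 a, b;": the type is resolved once, for the first declarator, and the
// init_declarator_list action copies it to every following declarator.
struct TypeInfo { std::string name; };
struct Decl {
    const TypeInfo* type;          // null when the first declaration did not resolve
    std::vector<std::string> ids;
};

// Stand-in for the compiler's symbol table of known type names.
static const TypeInfo kKnownTypes[] = {{"float"}, {"vec3"}, {"mat4"}};

static const TypeInfo* lookupType(const std::string& name) {
    for (const TypeInfo& t : kKnownTypes) {
        if (t.name == name) return &t;
    }
    return nullptr;                // undeclared type: the list carries no valid type
}

// Models single_declaration ($1 in the grammar), the only place a type is looked up.
static Decl singleDeclaration(const std::string& typeName, const std::string& id) {
    Decl d;
    d.type = lookupType(typeName);
    d.ids.push_back(id);
    return d;
}

// Defective action for "init_declarator_list COMMA IDENTIFIER": the new symbol's
// type is taken from $1 without checking that it ever resolved, so a bad first
// declarator reaches the type constructor with no name (assertion `typeName').
static std::string inferredTypeUnchecked(const Decl& list) {
    assert(list.type != nullptr && "typeName");
    return list.type->name;
}

// Hardened action: refuse to extend a list whose type never resolved and
// report a parse error instead of aborting the process.
static bool appendDeclaratorChecked(Decl& list, const std::string& id, std::string* err) {
    if (list.type == nullptr) {
        *err = "'" + id + "': cannot infer type from an undeclared earlier declarator";
        return false;
    }
    list.ids.push_back(id);
    return true;
}
```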
This is fixed in ANGLE r1002! In addition to upgrading to r1002, we'll have to drop our local patch mitigating this crash.
Depends on: 734657
I will do the angle update on mozilla-central.

But it's a relatively intrusive change in a codebase that I don't understand (Bison parser generator syntax). And just before r1002, there is r1001 affecting the same files so we might need it too. So, I'm not very comfortable about putting this on beta.

Considering that this 'security' bug is a plain sg:dos, really a plain abort() crash i.e. not a real security bug, I'm tempted to say: let's just fix this on mozilla-central and not backport at all.
(In reply to Benoit Jacob [:bjacob] from comment #4)
> I will do the angle update on mozilla-central.
> [...]
> Considering that this 'security' bug is a plain sg:dos, really a plain
> abort() crash i.e. not a real security bug, I'm tempted to say: let's just
> fix this on mozilla-central and not backport at all.

I agree. If there is no risk right now on beta/aurora, and the fix is an angle update, then chances are that we introduce new security vulnerabilities by that. So I would just keep the abort() and do the angle update only on central.
Group: core-security
(In reply to Benoit Jacob [:bjacob] from comment #4)
> Considering that this 'security' bug is a plain sg:dos, really a plain
> abort() crash i.e. not a real security bug, I'm tempted to say: let's just
> fix this on mozilla-central and not backport at all.

Agreed - let's get this fixed first in FF14.
Whiteboard: [sg:dos] → [sg:dos] webgl-angle
I still see reports in current builds:
* bp-b7c7571c-27d3-4755-8d19-e73772160716
* bp-740bcffa-1c62-4d91-a072-8e5f92160713
* bp-542b1328-fe5b-43b8-8b99-5d3c62160713

However we currently see this reported about once every couple of months on average. We never got this fixed like we said we were going to do four years ago so I'm going to just close this bug. Please reopen it if you want to actually fix this.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Version: Trunk → 10 Branch