handle potential failures in gfxFont::GetShapedWord more robustly

RESOLVED FIXED in Firefox 14

Status

()

Core
Layout: Text
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: jfkthame, Assigned: jfkthame)

Tracking

Trunk
mozilla14
Points:
---

Firefox Tracking Flags

(firefox14 fixed)

Details

(Whiteboard: [sg:dos oom null deref])

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
Created attachment 608296 [details] [diff] [review]
patch, check calls that could fail, and bail out if necessary

GetShapedWord makes a few calls that are potentially subject to OOM failures, so we need to be more careful to check the results and bail out if they fail.

We don't want to make these infallible, as that means the browser will crash if over-stressed by huge amounts of text (e.g. exponentially-growing content inserted by a script); it's better to fail "gracefully" by simply not rendering the excessive text.

Marking security-sensitive as a precaution, although in practice I think it'd be pretty hard to come up with an exploit that managed to hit OOM under exactly the right conditions to do something nasty here.
Attachment #608296 - Flags: review?(roc)
Comment on attachment 608296 [details] [diff] [review]
patch, check calls that could fail, and bail out if necessary

Review of attachment 608296 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/thebes/gfxFont.cpp
@@ +2080,5 @@
>  
>      CacheHashEntry *entry = mWordCache.PutEntry(key);
> +    if (!entry) {
> +        NS_WARNING("failed to create word cache entry - expect missing text");
> +        return nsnull;

I believe nsTHashtable is actually infallible now? worth checking
Attachment #608296 - Flags: review?(roc) → review+
It's not.
(Assignee)

Comment 3

5 years ago
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #2)
> It's not.

Right; I checked, actually!

(Bug 734847 proposes to make it infallible by default, but I think we'll want to keep this as fallible anyway and handle OOM safely.)
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1152d14294df
Target Milestone: --- → mozilla14
(Assignee)

Comment 5

5 years ago
This was backed out, along with other patches from the same push, by:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d0dfb71a2df9

However, I don't believe this patch was actually the problem there, so I've re-pushed it to inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f53bfab388de

Comment 6

5 years ago
https://hg.mozilla.org/mozilla-central/rev/f53bfab388de

jfkthame, this doesn't have any other tracking flags set at present or sg:foo set in the whiteboard, so not sure if this will be caught by the security team's triage saved search. If you feel this needs backporting or review by them, please add as appropriate :-)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox14: --- → fixed
Resolution: --- → FIXED
Given the patch the bug results in null derefs in each place I checked:
  gfxFont::ShapeWord
  gfxHarfBuzzShaper::ShapeWord
  gfxGraphiteShaper::ShapeWord 
  gfxFcFont::ShapeWord (pango fallback)
  gfxGDIShaper::ShapeWord (assuming ::GetGlyphIndicesW crashes or returns error)
  gfxFT2Font::ShapeWord

I think I missed a couple but they all did much the same thing.
Group: core-security
Whiteboard: [sg:dos oom null deref]
You need to log in before you can comment on or make changes to this bug.