Closed Bug 738197 Opened 8 years ago Closed 8 years ago

handle potential failures in gfxFont::GetShapedWord more robustly

Categories

(Core :: Layout: Text and Fonts, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla14
Tracking Status
firefox14 --- fixed

People

(Reporter: jfkthame, Assigned: jfkthame)

Details

(Whiteboard: [sg:dos oom null deref])

Attachments

(1 file)

GetShapedWord makes a few calls that are potentially subject to OOM failures, so we need to be more careful to check the results and bail out if they fail.

We don't want to make these infallible, as that means the browser will crash if over-stressed by huge amounts of text (e.g. exponentially-growing content inserted by a script); it's better to fail "gracefully" by simply not rendering the excessive text.

Marking security-sensitive as a precaution, although in practice I think it'd be pretty hard to come up with an exploit that managed to hit OOM under exactly the right conditions to do something nasty here.
Attachment #608296 - Flags: review?(roc)
Comment on attachment 608296 [details] [diff] [review]
patch, check calls that could fail, and bail out if necessary

Review of attachment 608296 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/thebes/gfxFont.cpp
@@ +2080,5 @@
>  
>      CacheHashEntry *entry = mWordCache.PutEntry(key);
> +    if (!entry) {
> +        NS_WARNING("failed to create word cache entry - expect missing text");
> +        return nsnull;

I believe nsTHashtable is actually infallible now? worth checking
Attachment #608296 - Flags: review?(roc) → review+
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #2)
> It's not.

Right; I checked, actually!

(Bug 734847 proposes to make it infallible by default, but I think we'll want to keep this as fallible anyway and handle OOM safely.)
This was backed out, along with other patches from the same push, by:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d0dfb71a2df9

However, I don't believe this patch was actually the problem there, so I've re-pushed it to inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f53bfab388de
https://hg.mozilla.org/mozilla-central/rev/f53bfab388de

jfkthame, this doesn't have any other tracking flags set at present or sg:foo set in the whiteboard, so not sure if this will be caught by the security team's triage saved search. If you feel this needs backporting or review by them, please add as appropriate :-)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Given the patch the bug results in null derefs in each place I checked:
  gfxFont::ShapeWord
  gfxHarfBuzzShaper::ShapeWord
  gfxGraphiteShaper::ShapeWord 
  gfxFcFont::ShapeWord (pango fallback)
  gfxGDIShaper::ShapeWord (assuming ::GetGlyphIndicesW crashes or returns error)
  gfxFT2Font::ShapeWord

I think I missed a couple but they all did much the same thing.
Group: core-security
Whiteboard: [sg:dos oom null deref]
You need to log in before you can comment on or make changes to this bug.