Closed
Bug 738197
Opened 12 years ago
Closed 12 years ago
handle potential failures in gfxFont::GetShapedWord more robustly
Categories
(Core :: Layout: Text and Fonts, defect)
Core
Layout: Text and Fonts
Tracking
()
RESOLVED
FIXED
mozilla14
Tracking | Status | |
---|---|---|
firefox14 | --- | fixed |
People
(Reporter: jfkthame, Assigned: jfkthame)
Details
(Whiteboard: [sg:dos oom null deref])
Attachments
(1 file)
2.21 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
GetShapedWord makes a few calls that are potentially subject to OOM failures, so we need to be more careful to check the results and bail out if they fail. We don't want to make these infallible, as that means the browser will crash if over-stressed by huge amounts of text (e.g. exponentially-growing content inserted by a script); it's better to fail "gracefully" by simply not rendering the excessive text. Marking security-sensitive as a precaution, although in practice I think it'd be pretty hard to come up with an exploit that managed to hit OOM under exactly the right conditions to do something nasty here.
Attachment #608296 -
Flags: review?(roc)
Comment on attachment 608296 [details] [diff] [review] patch, check calls that could fail, and bail out if necessary Review of attachment 608296 [details] [diff] [review]: ----------------------------------------------------------------- ::: gfx/thebes/gfxFont.cpp @@ +2080,5 @@ > > CacheHashEntry *entry = mWordCache.PutEntry(key); > + if (!entry) { > + NS_WARNING("failed to create word cache entry - expect missing text"); > + return nsnull; I believe nsTHashtable is actually infallible now? worth checking
Attachment #608296 -
Flags: review?(roc) → review+
It's not.
Assignee | ||
Comment 3•12 years ago
|
||
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #2) > It's not. Right; I checked, actually! (Bug 734847 proposes to make it infallible by default, but I think we'll want to keep this as fallible anyway and handle OOM safely.)
Assignee | ||
Comment 4•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/1152d14294df
Target Milestone: --- → mozilla14
Assignee | ||
Comment 5•12 years ago
|
||
This was backed out, along with other patches from the same push, by: https://hg.mozilla.org/integration/mozilla-inbound/rev/d0dfb71a2df9 However, I don't believe this patch was actually the problem there, so I've re-pushed it to inbound: https://hg.mozilla.org/integration/mozilla-inbound/rev/f53bfab388de
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f53bfab388de jfkthame, this doesn't have any other tracking flags set at present or sg:foo set in the whiteboard, so not sure if this will be caught by the security team's triage saved search. If you feel this needs backporting or review by them, please add as appropriate :-)
Comment 7•12 years ago
|
||
Given the patch the bug results in null derefs in each place I checked: gfxFont::ShapeWord gfxHarfBuzzShaper::ShapeWord gfxGraphiteShaper::ShapeWord gfxFcFont::ShapeWord (pango fallback) gfxGDIShaper::ShapeWord (assuming ::GetGlyphIndicesW crashes or returns error) gfxFT2Font::ShapeWord I think I missed a couple but they all did much the same thing.
Group: core-security
Whiteboard: [sg:dos oom null deref]
You need to log in
before you can comment on or make changes to this bug.
Description
•