Closed Bug 738197 Opened 8 years ago Closed 8 years ago

handle potential failures in gfxFont::GetShapedWord more robustly


(Core :: Layout: Text and Fonts, defect)

Not set



Tracking Status
firefox14 --- fixed


(Reporter: jfkthame, Assigned: jfkthame)


(Whiteboard: [sg:dos oom null deref])


(1 file)

GetShapedWord makes a few calls that are potentially subject to OOM failures, so we need to be more careful to check the results and bail out if they fail.

We don't want to make these infallible, as that means the browser will crash if over-stressed by huge amounts of text (e.g. exponentially-growing content inserted by a script); it's better to fail "gracefully" by simply not rendering the excessive text.

Marking security-sensitive as a precaution, although in practice I think it'd be pretty hard to come up with an exploit that managed to hit OOM under exactly the right conditions to do something nasty here.
Attachment #608296 - Flags: review?(roc)
Comment on attachment 608296 [details] [diff] [review]
patch, check calls that could fail, and bail out if necessary

Review of attachment 608296 [details] [diff] [review]:

::: gfx/thebes/gfxFont.cpp
@@ +2080,5 @@
>      CacheHashEntry *entry = mWordCache.PutEntry(key);
> +    if (!entry) {
> +        NS_WARNING("failed to create word cache entry - expect missing text");
> +        return nsnull;

I believe nsTHashtable is actually infallible now? worth checking
Attachment #608296 - Flags: review?(roc) → review+
(In reply to Kyle Huey [:khuey] ( from comment #2)
> It's not.

Right; I checked, actually!

(Bug 734847 proposes to make it infallible by default, but I think we'll want to keep this as fallible anyway and handle OOM safely.)
This was backed out, along with other patches from the same push, by:

However, I don't believe this patch was actually the problem there, so I've re-pushed it to inbound:

jfkthame, this doesn't have any other tracking flags set at present or sg:foo set in the whiteboard, so not sure if this will be caught by the security team's triage saved search. If you feel this needs backporting or review by them, please add as appropriate :-)
Closed: 8 years ago
Resolution: --- → FIXED
Given the patch the bug results in null derefs in each place I checked:
  gfxFcFont::ShapeWord (pango fallback)
  gfxGDIShaper::ShapeWord (assuming ::GetGlyphIndicesW crashes or returns error)

I think I missed a couple but they all did much the same thing.
Group: core-security
Whiteboard: [sg:dos oom null deref]
You need to log in before you can comment on or make changes to this bug.