Bug 743475 - (CVE-2012-0473) WebGLBuffer::FindMaxUshortElement passes wrong template arguments to FindMaxElementInSubArray
Status: VERIFIED FIXED
[sg:high][qa!]
Product: Core
Classification: Components
Component: Canvas: WebGL
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: mozilla14
Assigned To: Matias Juntunen (:dwarfcrank)
Reported: 2012-04-07 15:00 PDT by Matias Juntunen (:dwarfcrank)
Modified: 2014-06-27 14:36 PDT
CC: 12 users
rforbes: sec-bounty+
Attachments
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray (911 bytes, patch)
2012-04-07 15:00 PDT, Matias Juntunen (:dwarfcrank)
jgilbert: review+
akeybl: approval-mozilla-aurora+
akeybl: approval-mozilla-beta+
lukasblakk+bugs: approval-mozilla-esr10+
jgilbert: checkin+
Testcase (2.83 KB, text/html)
2012-04-10 13:46 PDT, Benoit Jacob [:bjacob] (mostly away)

Description Matias Juntunen (:dwarfcrank) 2012-04-07 15:00:33 PDT
Created attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

WebGLBuffer::FindMaxUshortElement in content/canvas/src/WebGLContext.h passes GLshort instead of GLushort to FindMaxElementInSubArray, even though only GLubyte or GLushort should be used.

I've attached a patch to fix the issue.
Comment 3 Benoit Jacob [:bjacob] (mostly away) 2012-04-10 09:29:13 PDT
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

[Approval Request Comment]
Regression caused by (bug #): we've had this bug ever since we shipped WebGL
User impact if declined: security risk, will explain once this bug is hidden
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): trivial fix, no risk
String changes made by this patch:
Comment 4 Benoit Jacob [:bjacob] (mostly away) 2012-04-10 09:46:41 PDT
OK, now that this bug is hidden, here's the explanation.

WebGL.drawElements validates that all the indices are in range. It does that by computing the max index, and comparing that to the min buffer size.

This bug causes the max index computation to be wrong. Basically, indices >= 32768 are ignored by the max element computation.

An attacker could exploit this by drawing with indices all in the range 32768--65535. This would allow them to read some illegal video memory, whence the sec-high rating.
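The mechanism Benoit describes, as an added illustrative model in C++ (this is not Mozilla's code; the helper names, their signatures, the sample index buffer and the simplified range check are all assumptions). Instantiating the element-scanning template with the signed GLshort makes every index of 32768 or more read as a negative number, so it can never win the "max" comparison and the range check sees a max index far smaller than the real one; the GLushort instantiation reports the true maximum and the check rejects the draw:

```cpp
// Added example, not Mozilla's code: a small model of the max-index
// computation behind WebGL drawElements index validation, showing why a
// signed GLshort template argument (the bug) drops indices >= 32768 while
// the unsigned GLushort argument (the fix) does not.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

typedef int16_t  GLshort;
typedef uint16_t GLushort;

// Hypothetical stand-in for FindMaxElementInSubArray: scan `byteLength`
// bytes at `data` as consecutive elements of type T and return the largest,
// widened to int32_t (negative when T is signed and the top bit is set).
template <typename T>
static int32_t FindMaxElementInSubArray(const void* data, size_t byteLength)
{
    const uint8_t* bytes = static_cast<const uint8_t*>(data);
    size_t count = byteLength / sizeof(T);
    T maxValue = std::numeric_limits<T>::lowest();
    for (size_t i = 0; i < count; ++i) {
        T element;
        memcpy(&element, bytes + i * sizeof(T), sizeof(T));  // reinterpret as T
        if (element > maxValue) maxValue = element;
    }
    return maxValue;
}

// The bug: the UNSIGNED_SHORT index path instantiated with a signed type.
// Any index >= 32768 reads as negative and can never become the maximum.
int32_t FindMaxUshortElementBuggy(const void* data, size_t byteLength)
{
    return FindMaxElementInSubArray<GLshort>(data, byteLength);
}

// The fix: the same call with the unsigned element type.
int32_t FindMaxUshortElementFixed(const void* data, size_t byteLength)
{
    return FindMaxElementInSubArray<GLushort>(data, byteLength);
}

// Simplified model (assumption) of the draw-time check: the largest index
// must address one of the `vertexCount` vertices the attribute buffers hold.
// A plain signed comparison is exactly what lets an understated max through.
bool IndicesInRange(int32_t maxIndex, size_t vertexCount)
{
    return maxIndex < static_cast<int32_t>(vertexCount);
}

// Constructed sample: an UNSIGNED_SHORT index buffer in which two indices
// are out of range for a 100-vertex attribute buffer.
static const GLushort kSampleIndices[] = { 40000, 65535, 3 };
static const size_t   kSampleBytes = sizeof(kSampleIndices);
static const size_t   kVertexCount = 100;

int main()
{
    int32_t buggy = FindMaxUshortElementBuggy(kSampleIndices, kSampleBytes);
    int32_t fixed = FindMaxUshortElementFixed(kSampleIndices, kSampleBytes);
    // buggy reports 3 (40000 and 65535 read as negatives), fixed reports 65535
    printf("buggy max index: %d, range check %s\n", buggy,
           IndicesInRange(buggy, kVertexCount) ? "passes" : "fails");
    printf("fixed max index: %d, range check %s\n", fixed,
           IndicesInRange(fixed, kVertexCount) ? "passes" : "fails");
    return 0;
}
```

With the sample buffer the buggy path reports a maximum of 3, so the 100-vertex check passes even though two indices point well past the end of the vertex data; the fixed path reports 65535 and the check fails, which is the behaviour the patch restores.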
Comment 5 Daniel Veditz [:dveditz] 2012-04-10 09:57:37 PDT
If it's landing on beta/Firefox 12 it also needs to land on the ESR branch
Comment 7 Alex Keybl [:akeybl] 2012-04-10 12:07:11 PDT
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

[Triage Comment]
Approved for Beta 12 and Aurora 13 given the low risk evaluation and sg:high rating. Please land asap.
Comment 9 Al Billings [:abillings] 2012-04-10 13:03:06 PDT
Is there a means to test this fix for verification purposes?
Comment 12 Benoit Jacob [:bjacob] (mostly away) 2012-04-10 13:29:09 PDT
(In reply to Al Billings [:abillings] from comment #9)
> Is there a means to test this fix for verification purposes?

I'll whip a quick testcase.
Comment 13 Benoit Jacob [:bjacob] (mostly away) 2012-04-10 13:46:08 PDT
Created attachment 613747 [details]
Testcase
Comment 14 Lukas Blakk [:lsblakk] use ?needinfo 2012-04-11 16:36:23 PDT
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

Please go ahead and land as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Comment 15 Al Billings [:abillings] 2012-04-11 17:32:31 PDT
Verified fixed in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120411 Firefox/14.0a1 and Benoit's nice testcase.
Comment 16 Benoit Jacob [:bjacob] (mostly away) 2012-04-12 19:15:44 PDT
http://hg.mozilla.org/releases/mozilla-esr10/rev/76d2e9680f28
Comment 17 Raymond Forbes[:rforbes] 2013-07-19 18:34:17 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719