Closed Bug 743475 (CVE-2012-0473) Opened 8 years ago Closed 8 years ago
WebGLBuffer::FindMaxUshortElement passes wrong template arguments to FindMaxElementInSubArray
WebGLBuffer::FindMaxUshortElement in content/canvas/src/WebGLContext.h passes GLshort instead of GLushort to FindMaxElementInSubArray, even though only GLubyte or GLushort should be used. I've attached a patch to fix the issue.
Attachment #613142 - Attachment is patch: true
Assignee: nobody → matias.juntunen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla14
Attachment #613142 - Flags: checkin?(jgilbert) → checkin+
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

[Approval Request Comment]
Regression caused by (bug #): we've had this bug ever since we ship WebGL
User impact if declined: security risk, will explain once this bug is hidden
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): trivial fix, no risk
String changes made by this patch:
OK, now that this bug is hidden, here's the explanation. WebGL.drawElements validates that all the indices are in range. It does that by computing the max index, and comparing that to the min buffer size. This bug causes the max index computation to be wrong. Basically, indices >= 32768 are ignored by the max element computation. An attacker could exploit this by drawing with indices all in the range 32768--65535. This would allow them to read some illegal video memory, whence the sec-high rating.
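The mechanism described in the comment above, as an added example that is not part of the bug report or of Gecko's own code: a stand-in for the max-index scan with the template parameter chosen either as GLshort (as before the patch) or GLushort (as after it), run over a constructed UNSIGNED_SHORT index buffer whose entries all lie in 32768..65535. The typedef widths, the shape of FindMaxElementInSubArray, and the assumption that the running maximum starts at 0 are mine, chosen so that a value read as negative can never win the comparison.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed GL typedefs: GLshort is a signed 16-bit and GLushort an unsigned
// 16-bit integer, which is exactly what the bug hinges on.
typedef int16_t  GLshort;
typedef uint16_t GLushort;

// Hypothetical stand-in for WebGLBuffer::FindMaxElementInSubArray (not the
// Gecko code): reinterpret `count` elements starting at `first` as T and
// return the largest one. Assumption: the running maximum starts at 0, so an
// element that reads as negative under T = GLshort is silently ignored.
template <typename T>
T FindMaxElementInSubArray(const void* data, size_t first, size_t count) {
    const T* elems = static_cast<const T*>(data);
    T maxElem = 0;
    for (size_t i = first; i < first + count; ++i) {
        if (elems[i] > maxElem) {
            maxElem = elems[i];
        }
    }
    return maxElem;
}

// Mirror of the drawElements range check: the largest index must address a
// vertex that the smallest bound attribute buffer can actually supply.
template <typename T>
bool IndicesInRange(const std::vector<GLushort>& indices, size_t vertexCount) {
    T maxIndex = FindMaxElementInSubArray<T>(indices.data(), 0, indices.size());
    return static_cast<size_t>(maxIndex) < vertexCount;
}

// Before the patch: UNSIGNED_SHORT index data was scanned as GLshort, so every
// index >= 32768 reads as negative and drops out of the maximum.
bool UshortCheckBuggy(const std::vector<GLushort>& indices, size_t vertexCount) {
    return IndicesInRange<GLshort>(indices, vertexCount);
}

// After the patch: scanned as GLushort, so 32768..65535 are compared as-is.
bool UshortCheckFixed(const std::vector<GLushort>& indices, size_t vertexCount) {
    return IndicesInRange<GLushort>(indices, vertexCount);
}

int main() {
    // Constructed attacker input: every index is in 32768..65535 while the
    // vertex buffer only holds 4 vertices. The buggy check lets the draw
    // through; the fixed check rejects it.
    const std::vector<GLushort> evil = {32768, 40000, 65535};
    const size_t vertexCount = 4;
    bool buggyAccepts = UshortCheckBuggy(evil, vertexCount);
    bool fixedRejects = !UshortCheckFixed(evil, vertexCount);
    return (buggyAccepts && fixedRejects) ? 0 : 1;
}
```

A mixed buffer such as {1, 40000} behaves the same way under the buggy scan: the maximum it reports is 1, so the out-of-range 40000 is never compared against the vertex count.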
If it's landing on beta/Firefox 12 it also needs to land on the ESR branch
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

[Triage Comment]
Approved for Beta 12 and Aurora 13 given the low risk evaluation and sg:high rating. Please land asap.
Attachment #613142 - Flags: approval-mozilla-esr10?
Is there a means to test this fix for verification purposes?
(In reply to Al Billings [:abillings] from comment #9)
> Is there a means to test this fix for verification purposes?

I'll whip up a quick testcase.
Comment on attachment 613142 [details] [diff] [review]
Fix the wrong template parameter in call to WebGLBuffer::FindMaxElementInSubArray

Please go ahead and land as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #613142 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Verified fixed in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120411 Firefox/14.0a1 and Benoit's nice testcase.
Status: RESOLVED → VERIFIED