Closed Bug 939368 Opened 7 years ago Closed 7 years ago

WebGL: crash [@mozilla::gl::GLContext::MakeCurrent]

Categories

(Core :: Canvas: WebGL, defect)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla28
Tracking Status
firefox26 --- disabled
firefox27 --- disabled
firefox28 --- verified
firefox-esr24 --- disabled
b2g18 --- disabled
b2g-v1.1hd --- disabled
b2g-v1.2 --- disabled

People

(Reporter: posidron, Assigned: djg)

Details

(Keywords: crash, sec-other, testcase)

Attachments

(4 files)

Attached file testcase
In the fuzzing run I am seeing this as a stack-buffer-underflow; when executed as a testcase it results in a null ptr deref. The report for the SBU suggests it is a false positive. The only function that is the same in both reports is a call to "mozilla::WebGLContext::ErrorInvalidValue".

Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/67f5d934127c

and the following preferences:

user_pref("webgl.enable-draft-extensions", true);
user_pref("webgl.enable-prototype-webgl2", true);
Attached file callstack
Attached file callstack
Keywords: sec-other
Add lost context check to WebGLContext::DrawBuffers() to stop NULL ptr dereference inside ErrorInvalidValue().
Attachment #8335866 - Flags: review?(jgilbert)
Assignee: nobody → dglastonbury
Status: NEW → ASSIGNED
Attachment #8335866 - Flags: review?(jgilbert) → review+
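The shape of the fix described in the attachment above, reduced to a constructed C++ sketch added here for illustration. This is not Mozilla's code and none of the names (GLBinding, WebGLContextSim, DrawBuffersUnguarded, DrawBuffersGuarded) are real identifiers; it only shows why an argument-validation path that reaches an error helper touching the GL binding crashes once the context is lost, and how an early lost-context check avoids it.

```cpp
#include <cstddef>
#include <string>

// Constructed stand-in for the GL binding object. In the real code the
// error helper ends up touching GL state via the context; here it is a
// plain struct so the pointer dereference is visible.
struct GLBinding {
    const char* vendor = "fake";
};

struct WebGLContextSim {
    GLBinding* gl = nullptr;      // becomes null once the context has been lost
    bool lost = false;
    std::string lastError;
    size_t maxDrawBuffers = 4;

    explicit WebGLContextSim(GLBinding* binding) : gl(binding) {}

    void LoseContext() { lost = true; gl = nullptr; }
    bool IsContextLost() const { return lost; }

    // Error helper that reads through the GL binding. After LoseContext()
    // this is a null pointer dereference, the crash pattern in this bug.
    void ErrorInvalidValue(const char* msg) {
        lastError = std::string(gl->vendor) + ": " + msg;
    }

    // Before the fix: an out-of-range argument reaches ErrorInvalidValue()
    // even on a lost context. Never call this after LoseContext().
    bool DrawBuffersUnguarded(size_t count) {
        if (count > maxDrawBuffers) {
            ErrorInvalidValue("drawBuffers: too many buffers");
            return false;
        }
        return true;
    }

    // After the fix: check for a lost context before any other validation.
    // Per the WebGL spec, calls on a lost context do nothing and raise no
    // error, so returning early is the specified behaviour.
    bool DrawBuffersGuarded(size_t count) {
        if (IsContextLost()) {
            return false;
        }
        if (count > maxDrawBuffers) {
            ErrorInvalidValue("drawBuffers: too many buffers");
            return false;
        }
        return true;
    }
};

// Returns true if the guarded path survives a lost context with an
// out-of-range argument and records no error.
bool GuardedPathSurvivesLostContext() {
    GLBinding binding;
    WebGLContextSim ctx(&binding);
    ctx.LoseContext();
    bool ok = ctx.DrawBuffersGuarded(99);
    return !ok && ctx.lastError.empty();
}

// Returns true if, on a live context, both paths reject the bad argument
// and record the same error, i.e. the guard changes nothing when the
// context is healthy.
bool LiveContextRejectsTooMany() {
    GLBinding binding;
    WebGLContextSim ctx(&binding);
    bool a = ctx.DrawBuffersUnguarded(99);
    bool b = ctx.DrawBuffersGuarded(99);
    return !a && !b && ctx.lastError == "fake: drawBuffers: too many buffers";
}
```

The point of the ordering is that the lost-context check has to come before any validation that can emit an error: validation failures are the paths a fuzzer reaches most easily, and they are exactly the ones that call into the error helper.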
We enabled WEBGL_draw_buffers in bug 936246, which landed in 28. Prior to that, this was only accessible via prototype prefs, so we shouldn't need to uplift anything.
https://hg.mozilla.org/mozilla-central/rev/3b0fc0963fc1
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Per comment 0 and 4, b2g18 and b2g1.1 had this functionality disabled by default unless a specific pref was added. b2g1.2 forked at Fx26 and should be disabled as well.
Christoph, can you reproduce this anymore?
Flags: needinfo?(cdiehl)
(In reply to Anthony Hughes, QA Mentor (:ashughes) [unavailable until Jan 2, 2014] from comment #8)
> Christoph, can you reproduce this anymore?

I cannot reproduce it anymore with http://hg.mozilla.org/integration/mozilla-inbound/rev/1e13634eceb2
Flags: needinfo?(cdiehl)
Verified fixed based on comment 9. Thanks Christoph.
Status: RESOLVED → VERIFIED
Group: core-security