Closed
Bug 991400
Opened 10 years ago
Closed 10 years ago
SVGEllipseElement.cpp instantiates gfxPath (which is refcounted) on the stack
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
mozilla31
| Tracking | Status | |
|---|---|---|
| firefox28 | --- | unaffected |
| firefox29 | + | fixed |
| firefox30 | + | fixed |
| firefox31 | + | fixed |
| firefox-esr24 | --- | unaffected |
| b2g-v1.2 | --- | unaffected |
| b2g-v1.3 | --- | unaffected |
| b2g-v1.4 | --- | fixed |
| b2g-v2.0 | --- | fixed |
People
(Reporter: dholbert, Assigned: jwatt)
References
Details
(Keywords: sec-audit, sec-low, Whiteboard: [qa-])
Attachments
(1 file, 1 obsolete file)
|
1.45 KB,
patch
|
dholbert
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
http://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/SVGEllipseElement.cpp#101 96 SVGEllipseElement::ConstructPath(gfxContext *aCtx) 97 { 98 if (!aCtx->IsCairo()) { 99 RefPtr<Path> path = BuildPath(); 100 if (path) { 101 gfxPath gfxpath(path); 102 aCtx->SetPath(&gfxpath); That "gfxPath" instantiation is bogus and potentially dangerous, depending on what the SetPath() call does with it. See bug 991398 for more.
|
Reporter | |
Updated•10 years ago
|
Group: core-security
|
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
jwatt, do you have cycles to take this?
Flags: needinfo?(jwatt)
OS: Linux → All
Hardware: x86_64 → All
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → jwatt
Flags: needinfo?(jwatt)
|
|
Assignee | |
Comment 3•10 years ago
|
||
Attachment #8400994 -
Attachment is obsolete: true
Attachment #8405629 -
Flags: review?(dholbert)
|
|
Assignee | |
Comment 4•10 years ago
|
||
This was caused by http://hg.mozilla.org/mozilla-central/rev/53ddb97448dc (bug 944704, part 3).
status-firefox29:
--- → affected
status-firefox30:
--- → affected
status-firefox31:
--- → affected
tracking-firefox29:
--- → ?
tracking-firefox30:
--- → ?
tracking-firefox31:
--- → ?
|
|
Assignee | |
Updated•10 years ago
|
status-firefox28:
--- → unaffected
|
|
Reporter | |
Comment 5•10 years ago
|
||
Comment on attachment 8405629 [details] [diff] [review] patch Thanks! r=me
Attachment #8405629 -
Flags: review?(dholbert) → review+
|
|
Reporter | |
Comment 6•10 years ago
|
||
Also: from skimming the gfxContext::SetPath() impl... http://mxr.mozilla.org/mozilla-central/source/gfx/thebes/gfxContext.cpp?rev=3c1fc4eed0f5#303 ...it looks like that function doesn't retain any pointers to the passed-in stack-allocated gfxPath, fortunately. In the Moz2D case, it may retain a refcounted pointer to a refcounted *member-var* on the gfxPath, but that should be fine. So fortunately, I don't think this was dangerous. --> Setting sec-low, for "Missing best practice security controls" [from the keyword description page]
Keywords: sec-low
|
||
Updated•10 years ago
|
|
|
Assignee | |
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/31dbf8a76158
|
|
||
Comment 8•10 years ago
|
||
Jonathan, could you fill the uplift request today ? (Monday) Beta 8 is going to build today. Thanks
Flags: needinfo?(jwatt)
|
|
Assignee | |
Comment 9•10 years ago
|
||
Comment on attachment 8405629 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 944704 User impact if declined: sg bug Testing completed (on m-c, etc.): been on m-c a day or so Risk to taking this patch (and alternatives if risky): very, very low risk String or IDL/UUID changes made by this patch: none
Attachment #8405629 -
Flags: approval-mozilla-beta?
Attachment #8405629 -
Flags: approval-mozilla-aurora?
Flags: needinfo?(jwatt)
|
|
||
Updated•10 years ago
|
Attachment #8405629 -
Flags: approval-mozilla-beta?
Attachment #8405629 -
Flags: approval-mozilla-beta+
Attachment #8405629 -
Flags: approval-mozilla-aurora?
Attachment #8405629 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 10•10 years ago
|
||
http://hg.mozilla.org/releases/mozilla-beta/rev/679aa869f39f https://hg.mozilla.org/releases/mozilla-aurora/rev/e5d8af7e112d
Target Milestone: --- → mozilla31
|
||
Updated•10 years ago
|
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.4:
--- → fixed
status-b2g-v2.0:
--- → fixed
|
||
Comment 11•10 years ago
|
||
landed on central as https://hg.mozilla.org/mozilla-central/rev/31dbf8a76158
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
||
Comment 12•10 years ago
|
||
Marking [qa-] due to lack of test case. Please feel free to provide one if you'd like verification, thanks.
Whiteboard: [qa-]
|
||
Updated•10 years ago
|
status-firefox-esr24:
--- → unaffected
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•