Closed
Bug 991400
Opened 10 years ago
Closed 10 years ago
SVGEllipseElement.cpp instantiates gfxPath (which is refcounted) on the stack
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
mozilla31
Tracking | Status | |
---|---|---|
firefox28 | --- | unaffected |
firefox29 | + | fixed |
firefox30 | + | fixed |
firefox31 | + | fixed |
firefox-esr24 | --- | unaffected |
b2g-v1.2 | --- | unaffected |
b2g-v1.3 | --- | unaffected |
b2g-v1.4 | --- | fixed |
b2g-v2.0 | --- | fixed |
People
(Reporter: dholbert, Assigned: jwatt)
References
Details
(Keywords: sec-audit, sec-low, Whiteboard: [qa-])
Attachments
(1 file, 1 obsolete file)
1.45 KB,
patch
|
dholbert
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
http://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/SVGEllipseElement.cpp#101 96 SVGEllipseElement::ConstructPath(gfxContext *aCtx) 97 { 98 if (!aCtx->IsCairo()) { 99 RefPtr<Path> path = BuildPath(); 100 if (path) { 101 gfxPath gfxpath(path); 102 aCtx->SetPath(&gfxpath); That "gfxPath" instantiation is bogus and potentially dangerous, depending on what the SetPath() call does with it. See bug 991398 for more.
Reporter | ||
Updated•10 years ago
|
Group: core-security
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Comment 2•10 years ago
|
||
jwatt, do you have cycles to take this?
Flags: needinfo?(jwatt)
OS: Linux → All
Hardware: x86_64 → All
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → jwatt
Flags: needinfo?(jwatt)
Assignee | ||
Comment 3•10 years ago
|
||
Attachment #8400994 -
Attachment is obsolete: true
Attachment #8405629 -
Flags: review?(dholbert)
Assignee | ||
Comment 4•10 years ago
|
||
This was caused by http://hg.mozilla.org/mozilla-central/rev/53ddb97448dc (bug 944704, part 3).
status-firefox29:
--- → affected
status-firefox30:
--- → affected
status-firefox31:
--- → affected
tracking-firefox29:
--- → ?
tracking-firefox30:
--- → ?
tracking-firefox31:
--- → ?
Assignee | ||
Updated•10 years ago
|
status-firefox28:
--- → unaffected
Reporter | ||
Comment 5•10 years ago
|
||
Comment on attachment 8405629 [details] [diff] [review] patch Thanks! r=me
Attachment #8405629 -
Flags: review?(dholbert) → review+
Reporter | ||
Comment 6•10 years ago
|
||
Also: from skimming the gfxContext::SetPath() impl... http://mxr.mozilla.org/mozilla-central/source/gfx/thebes/gfxContext.cpp?rev=3c1fc4eed0f5#303 ...it looks like that function doesn't retain any pointers to the passed-in stack-allocated gfxPath, fortunately. In the Moz2D case, it may retain a refcounted pointer to a refcounted *member-var* on the gfxPath, but that should be fine. So fortunately, I don't think this was dangerous. --> Setting sec-low, for "Missing best practice security controls" [from the keyword description page]
Keywords: sec-low
Updated•10 years ago
|
Assignee | ||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/31dbf8a76158
Comment 8•10 years ago
|
||
Jonathan, could you fill the uplift request today ? (Monday) Beta 8 is going to build today. Thanks
Flags: needinfo?(jwatt)
Assignee | ||
Comment 9•10 years ago
|
||
Comment on attachment 8405629 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 944704 User impact if declined: sg bug Testing completed (on m-c, etc.): been on m-c a day or so Risk to taking this patch (and alternatives if risky): very, very low risk String or IDL/UUID changes made by this patch: none
Attachment #8405629 -
Flags: approval-mozilla-beta?
Attachment #8405629 -
Flags: approval-mozilla-aurora?
Flags: needinfo?(jwatt)
Updated•10 years ago
|
Attachment #8405629 -
Flags: approval-mozilla-beta?
Attachment #8405629 -
Flags: approval-mozilla-beta+
Attachment #8405629 -
Flags: approval-mozilla-aurora?
Attachment #8405629 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 10•10 years ago
|
||
http://hg.mozilla.org/releases/mozilla-beta/rev/679aa869f39f https://hg.mozilla.org/releases/mozilla-aurora/rev/e5d8af7e112d
Target Milestone: --- → mozilla31
Updated•10 years ago
|
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.4:
--- → fixed
status-b2g-v2.0:
--- → fixed
Comment 11•10 years ago
|
||
landed on central as https://hg.mozilla.org/mozilla-central/rev/31dbf8a76158
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 12•10 years ago
|
||
Marking [qa-] due to lack of test case. Please feel free to provide one if you'd like verification, thanks.
Whiteboard: [qa-]
Updated•10 years ago
|
status-firefox-esr24:
--- → unaffected
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•