Closed
Bug 999697
Opened 10 years ago
Closed 10 years ago
Faulty: Assertion failure: false (should be implemented or not used) in CompositableHost::CreatedIncrementalTexture
Categories
(Core :: Graphics: Layers, defect)
Core
Graphics: Layers
Tracking
()
RESOLVED
FIXED
mozilla31
People
(Reporter: bjacob, Assigned: bjacob)
Details
Attachments
(2 files)
11.34 KB,
text/plain
|
Details | |
5.04 KB,
patch
|
nical
:
review+
|
Details | Diff | Splinter Review |
Found while fuzzing.
Assignee | ||
Updated•10 years ago
|
Group: core-security
Keywords: sec-critical
Assignee | ||
Comment 1•10 years ago
|
||
Ouch, this is another "PReinterpretCast" type bug. The parent stack frame is in CompositableParentManager::ReceiveCompositableUpdate, and is doing: bool CompositableParentManager::ReceiveCompositableUpdate(const CompositableOperation& aEdit, EditReplyVector& replyv) { switch (aEdit.type()) { case CompositableOperation::TOpCreatedIncrementalTexture: { MOZ_LAYERS_LOG(("[ParentSide] Created texture")); const OpCreatedIncrementalTexture& op = aEdit.get_OpCreatedIncrementalTexture(); CompositableParent* compositableParent = static_cast<CompositableParent*>(op.compositableParent()); CompositableHost* compositable = compositableParent->GetCompositableHost(); compositable->CreatedIncrementalTexture(compositableParent->GetCompositableManager(), op.textureInfo(), op.bufferRect()); break; } The CreatedIncrementalTexture above is the one crashing with this "unimplemented" assert. From the log: 2:51.30 [Faulty] pickle field {int} of value: 3 changed to: 2 From LayersMessages.h in the objdir: class CompositableOperation MOZ_FINAL { public: enum Type { T__None, TOpUpdatePictureRect = 1, TOpCreatedIncrementalTexture, TOpPaintTextureRegion, So "3 changed to 2" means: TOpPaintTextureRegion changed to TOpCreatedIncrementalTexture. So we are, again, using an enum value from an untrusted IPC message, to decide how to reinterpret an existing object... I'm removing the sec-critical keyword for now because I need some time to actually think about the security implications. Not fully clear to me here yet if the virtual call here is unsafe.
Keywords: sec-critical
Assignee | ||
Comment 2•10 years ago
|
||
OK, this is not actually a PReinterpretCast pattern, and not actually security sensitive. All what's happening here is that we're calling a virtual method that, when not overridden, crashes. Instead, we just need to make this gracefully fail and propagate an error.
Group: core-security
Assignee | ||
Comment 3•10 years ago
|
||
Attachment #8411019 -
Flags: review?(nical.bugzilla)
Updated•10 years ago
|
Attachment #8411019 -
Flags: review?(nical.bugzilla) → review+
Assignee | ||
Comment 4•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e3bc878ad761
Assignee: nobody → bjacob
Comment 5•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e3bc878ad761
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
You need to log in
before you can comment on or make changes to this bug.
Description
•