nsImageFromClipboard ::GetEncodedImageStream() (widget\windows\nsImageClipboard.cpp) does not accept as an argument, nor validate, the actual length of the clipboard data. Instead, it (and functions it calls) assume that the data is long enough to allow it to read the image header and as much image data as it needs. Per https://bugzilla.mozilla.org/show_bug.cgi?id=1356636 , this bug can cause reads and writes beyond bounds. See that bug for a POC.

(In reply to q1 from comment #0) > Instead, it (and functions it calls) assume that the data is long enough to allow it to read > the image header and as much image data as it needs. Would that be invalid assumption if the other parts of the code did the checking they were supposed to?

I'm not super familiar with the windows widget clipboard code, I've mostly worked on the DOM side inside of DataTransfer. Jimm may know more about what's going on here.

GetEncodedImageStream is called by nsClipboard::GetNativeDataOffClipboard [1], so we're consuming native clipboard data and we assume the data Windows hands us is valid here. I don't see the risk, AFAICT this attack would require some other hostile app with access to the clipboard, but not the system. [1] http://searchfox.org/mozilla-central/rev/2933592c4a01b634ab53315ce2d0e43fccb82181/widget/windows/nsClipboard.cpp#487

Minusing this for bounty because this isn't a remote exploit and users should be safe here.