Closed Bug 348351 Opened 18 years ago Closed 18 years ago

integer overflow in nsCanvasRenderingContext2D::SetDimensions

Categories

(Core :: Graphics: Canvas2D, defect)

PowerPC
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: guninski, Assigned: vlad)

References

Details

(Keywords: fixed1.8.1, Whiteboard: [sg:critical] fixed by 351296; post ff1.5)

Attachments

(3 files)

probably integer overflow via canvas.getContext("2d"));

setting:

c1.setAttribute("width", 33000);//XXX 33333
c1.setAttribute("height",33000);//XXX 33333

where c1 is canvas rendering context causes crash on macosx ppc trunk and 2.0-latest. 1.5.0.6 is safe.

symptoms are of integer overflow, probably in cairo. XXX values don't cause crash.

2.0 and trunk on linux exit with X windows error.

stack:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x2734de70
0x904244d4 in vecCGSBlendXXXX8888 ()
(gdb) x/i $pc
0x904244d4 <vecCGSBlendXXXX8888+420>:   lvx     v17,r11,r12
(gdb) p/x $r12
$1 = 0x2734de60
(gdb) bt
#0  0x904244d4 in vecCGSBlendXXXX8888 ()
#1  0x903d55f4 in ARGB32_image ()
#2  0x947240d4 in ripd_Mark ()
#3  0x94726b78 in ripl_BltImage ()
#4  0x947265e4 in ripc_RenderImage ()
#5  0x94724f4c in ripc_DrawImage ()
#6  0x903d1bc8 in CGContextDelegateDrawImage ()
#7  0x903d1b30 in CGContextDrawImage ()
#8  0x0042cf6c in nsCanvasRenderingContext2D::Render (this=0x22edbb50, rc=0x22e6c020) at /Users/joro/inst/firefox/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:984
#9  0x00e9c7d8 in nsHTMLCanvasElement::RenderContexts (this=0x22ef2650, rc=0x22e6c020) at /Users/joro/inst/firefox/mozilla/content/html/content/src/nsHTMLCanvasElement.cpp:525
#10 0x00dd8f70 in nsHTMLCanvasFrame::PaintCanvas (this=0x1fc5442c, aRenderingContext=@0x22e6c020, aDirtyRect=@0xbfffa1a8, aPt=@0xbfffa038) at /Users/joro/inst/firefox/mozilla/layout/generic/nsHTMLCanvasFrame.cpp:190
#11 0x00dd9004 in PaintCanvas (aFrame=0x1fc5442c, aCtx=0x22e6c020, aDirtyRect=@0xbfffa1a8, aPt=@0xbfffa098) at /Users/joro/inst/firefox/mozilla/layout/generic/nsHTMLCanvasFrame.cpp:199
#12 0x014210b4 in nsDisplayGeneric::Paint (this=0x1fcab41c, aBuilder=0xbfffa2b4, aCtx=0x22e6c020, aDirtyRect=@0xbfffa1a8) at /Users/joro/inst/firefox/mozilla/layout/generic/../base/nsDisplayList.h:805
#13 0x009411e0 in nsDisplayList::Paint (this=0x1fcab460, aBuilder=0xbfffa2b4, aCtx=0x22e6c020, aDirtyRect=@0xbfffa1a8) at /Users/joro/inst/firefox/mozilla/layout/base/nsDisplayList.cpp:304
#14 0x00942cac in nsDisplayWrapList::Paint (this=0x1fcab454, aBuilder=0xbfffa2b4, aCtx=0x22e6c020, aDirtyRect=@0xbfffa1a8) at /Users/joro/inst/firefox/mozilla/layout/base/nsDisplayList.cpp:670
Attached file crash (deleted) —
OS: Linux → Mac OS X 10.4
Product: Firefox → Core
QA Contact: general → general
Component: General → Layout: Canvas
QA Contact: general → layout.canvas
Summary: probably integer overflow via canvas.getContext("2d")); → integer overflow in nsCanvasRenderingContext2D::SetDimensions
so this seems integer overflow:

nsCanvasRenderingContext2D::SetDimensions

    if (!mSurface) {
        mImageSurfaceData = (PRUint8*) PR_Malloc (mWidth * mHeight * 4);
        if (!mImageSurfaceData)
            return NS_ERROR_OUT_OF_MEMORY;

limiting mWidth and mHeight above stops the crash with the result of js out of memory on macosx
i suspect this is exploitable on macosx
(In reply to comment #2)
> mImageSurfaceData = (PRUint8*) PR_Malloc (mWidth * mHeight * 4);

so a fix for this bug is either
1. limiting both mWidth and mHeight to 2^15-1
or
2. checking for int overflow
so this may be exploitable on macosx. 2 proposed patches for the int overflow coming - choose one of them. though the integer overflow is fixed, this uncovered at least a null deref in cairo and it may be even worse - the null stuff is beyond my understanding.
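The size computation quoted in comment 2, next to the two fixes proposed in comment 3, as an added example. This is not the bug's attached patch and not Mozilla code: PRInt32/PRUint32 are local stand-ins for the NSPR types (assumed 32-bit, as on the PPC build in the report), and the function names are invented for illustration. For the reporter's 33000 x 33000 canvas the true allocation is 4,356,000,000 bytes, but the 32-bit product handed to PR_Malloc wraps to 61,032,704, so the surface that is later drawn into the buffer is far larger than the buffer itself.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the NSPR types in the quoted snippet (assumed 32-bit). */
typedef int32_t  PRInt32;
typedef uint32_t PRUint32;

/* The size as PR_Malloc receives it: mWidth * mHeight * 4 in 32-bit arithmetic.
 * Computed in uint32_t so the wraparound is well defined here; in the original
 * signed expression it is undefined behaviour that in practice also wraps. */
static PRUint32 unchecked_surface_bytes(PRInt32 width, PRInt32 height)
{
    return (PRUint32)width * (PRUint32)height * 4u;
}

/* Exact byte count with a 64-bit intermediate, for comparison. */
static uint64_t exact_surface_bytes(PRInt32 width, PRInt32 height)
{
    return (uint64_t)width * (uint64_t)height * 4u;
}

/* Fix option 1 from comment 3: cap each dimension at 2^15-1. The largest
 * product, 32767 * 32767 * 4 = 4,294,705,156, still fits a 32-bit unsigned
 * size. Returns the byte count, or -1 if a dimension is rejected. */
static int64_t surface_bytes_capped(PRInt32 width, PRInt32 height)
{
    const PRInt32 kMaxDim = 32767;  /* 2^15 - 1 */
    if (width <= 0 || height <= 0 || width > kMaxDim || height > kMaxDim)
        return -1;
    return (int64_t)((PRUint32)width * (PRUint32)height * 4u);
}

/* Fix option 2 from comment 3: check the multiplication itself. Compute in
 * 64 bits and refuse anything that would not fit the 32-bit size PR_Malloc
 * takes. No per-dimension cap, so a very wide but short surface still passes.
 * Returns the byte count, or -1 on overflow or invalid input. */
static int64_t surface_bytes_checked(PRInt32 width, PRInt32 height)
{
    if (width <= 0 || height <= 0)
        return -1;
    uint64_t bytes = exact_surface_bytes(width, height);
    if (bytes > UINT32_MAX)
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    PRInt32 w = 33000, h = 33000;  /* the reporter's crashing dimensions */

    printf("32-bit product : %u bytes\n", unchecked_surface_bytes(w, h));
    printf("exact size     : %llu bytes\n",
           (unsigned long long)exact_surface_bytes(w, h));
    printf("capped fix     : %lld\n", (long long)surface_bytes_capped(w, h));
    printf("checked fix    : %lld\n", (long long)surface_bytes_checked(w, h));
    return 0;
}
```

Either fix makes the 33000 x 33000 request fail the size check before PR_Malloc is reached, which matches the reporter's observation that limiting mWidth and mHeight turns the crash into a JS out-of-memory error. The two differ in what else they reject: the cap refuses any dimension above 32767 regardless of the other one, while the overflow check only refuses products that do not fit.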
Flags: blocking1.8.1?
Attached patch proposed patch plan B (deleted) — Splinter Review
patches were tested only on macosx, because on linux firefox exits without hitting the buggy code.
This is fixed by bug 351296, right?
Whiteboard: [sg:critical] fixed by 351296?
--> vlad
Assignee: nobody → vladimir
Flags: blocking1.8.1? → blocking1.8.1+
this seems fixed on macosx
Fixed by 351296.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Marking fixed1.8.1 per comment 12
Keywords: fixed1.8.1
Flags: blocking1.8.0.8-
Whiteboard: [sg:critical] fixed by 351296? → [sg:critical] fixed by 351296; post ff1.5
Group: security