Closed Bug 1563133 Opened 5 years ago Closed 5 years ago

crash in [@ GlyphBufferAzure::OutputGlyph]

Categories

(Core :: Graphics: Text, defect, P1)

Unspecified
Android
defect

Tracking


VERIFIED FIXED
mozilla70
Tracking Status
firefox-esr60 69+ fixed
firefox-esr68 69+ verified
firefox68 --- wontfix
firefox69 + verified
firefox70 + verified

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [fennec68.1][adv-main69+][adv-esr68.1+][adv-esr60.9+])

Attachments

(2 files)

Attached file testcase.html

Reduced with m-c 20190702-109ccdeb9634

This crash has only been seen on Android.

eip = 0xca2318e6   esp = 0xd1af9d20   ebp = 0xd1af9d38   ebx = 0xd0edfdc8
esi = 0x0277a556   edi = 0xd1af9fa8   eax = 0x1d9bbffc   ecx = 0xd1af9e00
edx = 0x8d200000   efl = 0x00210206
OS|Android|0.0.0 Linux 4.4.124+ #1 SMP PREEMPT Wed Jan 30 07:13:09 UTC 2019 i686
CPU|x86|GenuineIntel family 6 model 6 stepping 3|4
GPU|||
Crash|SIGSEGV|0xaabbc000|13
13|0|libxul.so|GlyphBufferAzure::OutputGlyph(unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|1607|0x4
13|1|libxul.so|void gfxFont::DrawOneGlyph<(gfxFont::FontComplexityT)1>(unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, GlyphBufferAzure&, bool*) const|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|1935|0x19
13|2|libxul.so|bool gfxFont::DrawGlyphs<(gfxFont::FontComplexityT)1, (gfxFont::SpacingT)1>(gfxShapedText const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, GlyphBufferAzure&)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|1821|0x19
13|3|libxul.so|gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, TextRunDrawParams const&, mozilla::gfx::ShapedTextFlags)|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxFont.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|2254|0x14
13|4|libxul.so|gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) const|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|408|0x1c
13|5|libxul.so|gfxTextRun::Draw(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>, gfxTextRun::DrawParams const&) const|hg:hg.mozilla.org/mozilla-central:gfx/thebes/gfxTextRun.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|640|0x41
13|6|libxul.so|DrawTextRun(gfxTextRun const*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, gfxTextRun::Range, nsTextFrame::DrawTextRunParams const&, nsTextFrame*)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|0|0x5
13|7|libxul.so|nsTextFrame::DrawTextRun(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsTextFrame::DrawTextRunParams const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|6780|0x2b
13|8|libxul.so|nsTextFrame::DrawText(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsTextFrame::DrawTextParams const&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|7018|0x30
13|9|libxul.so|nsTextFrame::PaintText(nsTextFrame::PaintTextParams const&, int, int, nsPoint const&, bool, float)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsTextFrame.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|6708|0x39
13|10|libxul.so|nsDisplayText::RenderToContext(gfxContext*, nsDisplayListBuilder*, bool)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|9503|0x3d
13|11|libxul.so|nsDisplayText::Paint(nsDisplayListBuilder*, gfxContext*)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|9398|0x10
13|12|libxul.so|mozilla::FrameLayerBuilder::PaintItems(std::__ndk1::vector<mozilla::AssignedDisplayItem, std::__ndk1::allocator<mozilla::AssignedDisplayItem> >&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|7140|0x19
13|13|libxul.so|mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*)|hg:hg.mozilla.org/mozilla-central:layout/painting/FrameLayerBuilder.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|7300|0x41
13|14|libxul.so|mozilla::layers::ClientMultiTiledLayerBuffer::Update(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::TilePaintFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/MultiTiledContentClient.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|264|0x40
13|15|libxul.so|mozilla::layers::ClientMultiTiledLayerBuffer::PaintThebes(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::TilePaintFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/MultiTiledContentClient.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|118|0x13
13|16|libxul.so|mozilla::layers::ClientTiledPaintedLayer::RenderHighPrecision(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientTiledPaintedLayer.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|370|0x2b
13|17|libxul.so|mozilla::layers::ClientTiledPaintedLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientTiledPaintedLayer.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|592|0x24
13|18|libxul.so|non-virtual thunk to mozilla::layers::ClientTiledPaintedLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientTiledPaintedLayer.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|0|0x21
13|19|libxul.so|<name omitted>|||0x1c
13|20|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:109ccdeb96342a315b86ef0c7ebe76738308673b|53|0xf
13|21|libxul.so|non-virtual thunk to mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:109ccdeb96342a315b86ef0c7ebe76738308673b|0|0x21
13|22|libxul.so|<name omitted>|||0x1c
13|23|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:109ccdeb96342a315b86ef0c7ebe76738308673b|53|0xf
13|24|libxul.so|non-virtual thunk to mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:109ccdeb96342a315b86ef0c7ebe76738308673b|0|0x21
13|25|libxul.so|<name omitted>|||0x1c
13|26|libxul.so|mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:109ccdeb96342a315b86ef0c7ebe76738308673b|53|0xf
13|27|libxul.so|non-virtual thunk to mozilla::layers::ClientContainerLayer::RenderLayer()|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientContainerLayer.h:109ccdeb96342a315b86ef0c7ebe76738308673b|0|0x21
13|28|libxul.so|mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|320|0x8
13|29|libxul.so|mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags)|hg:hg.mozilla.org/mozilla-central:gfx/layers/client/ClientLayerManager.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|383|0x16
13|30|libxul.so|nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int)|hg:hg.mozilla.org/mozilla-central:layout/painting/nsDisplayList.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|3133|0x28
13|31|libxul.so|nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsLayoutUtils.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|4105|0x27
13|32|libxul.so|mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|6149|0x1e
13|33|libxul.so|nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|461|0x2e
13|34|libxul.so|nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|396|0x17
13|35|libxul.so|nsViewManager::ProcessPendingUpdates()|hg:hg.mozilla.org/mozilla-central:view/nsViewManager.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|1019|0x17
13|36|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|2104|0x10
13|37|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|350|0x33
13|38|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|344|0x4c
13|39|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|710|0x41
13|40|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|510|0x3d
13|41|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|1225|0x16
13|42|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|486|0x11
13|43|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|88|0xd
13|44|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:109ccdeb96342a315b86ef0c7ebe76738308673b|315|0x16
13|45|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:109ccdeb96342a315b86ef0c7ebe76738308673b|290|0xb
13|46|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|137|0xe
13|47|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|276|0x18
13|48|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|4639|0x10
13|49|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|4774|0x8
13|50|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|4855|0xf
13|51|libxul.so|GeckoStart|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAndroidStartup.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|47|0xd
13|52|libxul.so|mozilla::BootstrapImpl::GeckoStart(_JNIEnv*, char**, int, mozilla::StaticXREAppData const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/Bootstrap.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|77|0x11
13|53|libmozglue.so|Java_org_mozilla_gecko_mozglue_GeckoLoader_nativeRun|hg:hg.mozilla.org/mozilla-central:mozglue/android/APKOpen.cpp:109ccdeb96342a315b86ef0c7ebe76738308673b|372|0x2a
13|54|libart.so||||0x634318
Flags: in-testsuite?

Crashing under GlyphBufferAzure::OutputGlyph seems more like Graphics than Layout, so moving to that component.

I guess the extreme scaling that results from

* {
  -webkit-transform: scale(86);
}

(applying recursively to nested elements) is breaking something down at the rendering level.

Component: Layout: Text and Fonts → Graphics: Text

Lee: what kind of crash is this, what operations is that routine doing with this object?

Flags: needinfo?(lsalzman)

(In reply to Jonathan Kew (:jfkthame) from comment #1)

Crashing under GlyphBufferAzure::OutputGlyph seems more like Graphics than Layout, so moving to that component.

I guess the extreme scaling that results from

* {
  -webkit-transform: scale(86);
}

(applying recursively to nested elements) is breaking something down at the rendering level.

Might this somehow be related to the font size="0" in there?

Otherwise, the code looks correct in terms of how AddCapacity/OutputGlyph is called, so I don't immediately understand why this would be crashing on this. The buffer is also allocated infallibly, so failing to allocate the buffer wouldn't cause this either...

Flags: needinfo?(lsalzman)

This is happening because synthetic bold is being used in this circumstance.

There are two problems:

  1. when extraStrikes is calculated, we do nothing to clamp it to verify that it can fit into the int32_t that is used to store it, so the value can end up unreasonably large or even negative if it wraps.
  2. aBuffer.AddCapacity(capacityMult * aCount) is called without verifying capacityMult * aCount actually fits in a uint32_t, which is all we're using to track the buffer's capacity. We'd either need to move to size_ts, in which case we'd probably still just end up OOMing here anyway, and/or need to flush the glyphs more regularly to deal with this without needing absurdly large buffer sizes?
Flags: needinfo?(jfkthame)

Ugh. If extraStrikes is getting overly large, presumably performance would be getting pretty bad even before it overflows, as we're painting huge numbers of copies of each glyph. We probably want to limit that to some more moderate value just for sanity. Maybe at huge sizes we should start using a larger offset than a single device pixel for each copy, and reducing the count.

We should also check whether anything limits how large aCount might be when DrawGlyphs is called, so we know what we might be multiplying by capacityMult. I don't think we want to be attempting to paint anywhere near 2^31 glyphs at once!

Flags: needinfo?(jfkthame)
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Priority: -- → P1
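The two problems named in comment 3 (an unclamped extraStrikes stored in an int32_t, and capacityMult * aCount computed in the uint32_t that tracks buffer capacity) and the mitigations proposed in comment 4 (clamp the strike count, bound the glyph count before multiplying, or flush more often so the buffer never has to be huge) are modelled in the following added C++ example. It is not Firefox's gfxFont.cpp code and not the landed patch; the names kMaxGlyphCapacity, kMaxExtraStrikes, FlushingGlyphBuffer, DrawWithStrikes and the cap values are assumptions chosen for illustration.

```cpp
#include <cstdint>
#include <cmath>
#include <vector>

// Added example, not Firefox code. Constants below are constructed values.
static const uint32_t kMaxGlyphCapacity = 1u << 20;  // hypothetical slot cap
static const int32_t kMaxExtraStrikes = 64;          // hypothetical strike cap

// Problem 2 as described: the product is formed in uint32_t and wraps silently,
// so the buffer is allocated far smaller than the number of glyphs later written.
uint32_t UncheckedCapacity(uint32_t capacityMult, uint32_t aCount) {
  return capacityMult * aCount;
}

// Hardened form: widen to 64 bits and refuse anything that does not fit the
// uint32_t capacity counter or exceeds the policy cap. Caller must handle false.
bool CheckedCapacity(uint32_t capacityMult, uint32_t aCount,
                     uint32_t* outCapacity) {
  uint64_t product = static_cast<uint64_t>(capacityMult) * aCount;
  if (product > kMaxGlyphCapacity) {
    return false;
  }
  *outCapacity = static_cast<uint32_t>(product);
  return true;
}

// Problem 1 as described: a strike count derived from floating-point font
// metrics is stored into int32_t. Clamp before converting so NaN, negative and
// absurdly large values cannot wrap into a negative or huge strike count.
int32_t ClampExtraStrikes(double rawStrikes) {
  if (!(rawStrikes >= 0.0)) {  // comparison is false for NaN as well
    return 0;
  }
  if (rawStrikes > static_cast<double>(kMaxExtraStrikes)) {
    return kMaxExtraStrikes;
  }
  return static_cast<int32_t>(rawStrikes);
}

// The alternative raised in comment 3: flush in fixed-size chunks so memory is
// bounded by kChunk no matter how large aCount * (1 + extraStrikes) gets.
struct FlushingGlyphBuffer {
  static const uint32_t kChunk = 1024;
  std::vector<uint32_t> pending;
  uint32_t flushes = 0;

  void Add(uint32_t glyphId) {
    pending.push_back(glyphId);
    if (pending.size() == kChunk) {
      Flush();
    }
  }
  void Flush() {
    if (!pending.empty()) {
      ++flushes;  // a real buffer would submit the run to the DrawTarget here
      pending.clear();
    }
  }
};

// Draw aCount glyphs, each repeated 1 + extraStrikes times (synthetic bold),
// through the chunked buffer. Returns the number of flushes performed.
uint32_t DrawWithStrikes(uint32_t aCount, double rawStrikes) {
  FlushingGlyphBuffer buf;
  int32_t strikes = ClampExtraStrikes(rawStrikes);
  for (uint32_t i = 0; i < aCount; ++i) {
    for (int32_t s = 0; s <= strikes; ++s) {
      buf.Add(i);
    }
  }
  buf.Flush();
  return buf.flushes;
}

int main() {
  // 2^13 * 2^20 = 2^33: wraps to 0 when unchecked, rejected when checked.
  uint32_t cap = 0;
  bool fits = CheckedCapacity(1u << 13, 1u << 20, &cap);
  return (UncheckedCapacity(1u << 13, 1u << 20) == 0 && !fits) ? 0 : 1;
}
```

The point of the chunked buffer is that the capacity computation disappears as a trust boundary: a page can still request an enormous scale and strike count, but the cost becomes time rather than an under-sized allocation followed by writes past its end.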

Comment on attachment 9078471 [details]
Bug 1563133 - limit GlyphBuffer capacity. r?jfkthame

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The patch hints that there is a potential boundary issue with the text drawing code, although it does not necessarily state the nature of this or how to aggravate the condition. If one were versed in exploiting the text code, it might be feasible to find some way to exploit the bug on unpatched releases, but we tried not to include any information in the patch that points to the synthetic bolding code being the most direct method of exploitation in this patch.

Such an exploit would have to supply a web font that requires synthetic bold along with a page that used the font with a huge scale (as in the testcase), which would then allow one to overflow the glyph buffer and insert almost any data they wished. So this is probably a combination of csec-intoverflow and csec-bounds?

  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: all released branches
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Patch should theoretically apply cleanly to 68 ESR and up.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely. Doesn't cause any problems on try, and we have dealt with other boundary cases in separate bugs.

Beta/Release Uplift Approval Request

  • User impact if declined: Exploitable buffer overflow in text drawing code.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Exploitable buffer overflow in text drawing code.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String or UUID changes made by this patch:
Attachment #9078471 - Flags: sec-approval?
Attachment #9078471 - Flags: approval-mozilla-release?
Attachment #9078471 - Flags: approval-mozilla-esr68?
Attachment #9078471 - Flags: approval-mozilla-beta?
Attachment #9078471 - Flags: approval-mozilla-release? → approval-mozilla-release-

Do you have a patch for esr60?

Comment on attachment 9078471 [details]
Bug 1563133 - limit GlyphBuffer capacity. r?jfkthame

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Exploitable buffer overflow in text drawing code.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String or UUID changes made by this patch:
Attachment #9078471 - Flags: approval-mozilla-esr60?

(In reply to Julien Cristau [:jcristau] from comment #8)

Do you have a patch for esr60?

The patch appears to apply cleanly to 60 as well.

Sec-approval+ for trunk and I'm giving beta approval as well.

Attachment #9078471 - Flags: sec-approval?
Attachment #9078471 - Flags: sec-approval+
Attachment #9078471 - Flags: approval-mozilla-beta?
Attachment #9078471 - Flags: approval-mozilla-beta+
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Comment on attachment 9078471 [details]
Bug 1563133 - limit GlyphBuffer capacity. r?jfkthame

Approved for 68.1esr and 60.9esr also.

Attachment #9078471 - Flags: approval-mozilla-esr68?
Attachment #9078471 - Flags: approval-mozilla-esr68+
Attachment #9078471 - Flags: approval-mozilla-esr60?
Attachment #9078471 - Flags: approval-mozilla-esr60+

Does this issue need verification from QA on mobile? If yes, can you please help us with the steps. Thanks!

Flags: needinfo?(lsalzman)

(In reply to Sorina Florean [:sflorean] from comment #16)

Does this issue need verification from QA on mobile? If yes, can you please help us with the steps. Thanks!

Just run the attached testcase.

Flags: needinfo?(lsalzman)

Hi!
I tested this, as suggested in Comment 17, on ESR 68.1b3, Beta 69.0b8, Nightly 70.0a1 (2019-07-25) with OnePlus 5T (Android 9) and the browser did not crash. I will mark this issue as verified.

Whiteboard: [fennec68.1]
Whiteboard: [fennec68.1] → [fennec68.1][adv-main69+][adv-esr68.1+][adv-esr60.9+]
Group: core-security-release