Bug 1523362 - Validate cursor data in TabParent::RecvSetCursor. r=tnikkel a=lizzard
authorEmilio Cobos Álvarez <emilio@crisal.io>
Mon, 28 Jan 2019 21:42:15 +0000
changeset 515688 575fb73398a7f5ba784c492f1c3583fdd1b32e09
parent 515687 8f157b0d3c52b1d8330bfe4db697ad18530cbbaa
child 515689 551c4945683f0fab67725f6268ff78ecb77d7526
push id1953
push userffxbld-merge
push dateMon, 11 Mar 2019 12:10:20 +0000
treeherdermozilla-release@9c35dcbaa899 [default view] [failures only]
reviewerstnikkel, lizzard
bugs1523362
milestone66.0
Bug 1523362 - Validate cursor data in TabParent::RecvSetCursor. r=tnikkel a=lizzard I think the `stride < width * bpp` is the right thing to check for, since I don't know if there's any guarantee of the stride being equal, but let me know if I'm wrong. Differential Revision: https://phabricator.services.mozilla.com/D17851
dom/ipc/TabParent.cpp
--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@@ -1647,16 +1647,20 @@ mozilla::ipc::IPCResult TabParent::RecvS
   }
 
   if (!mTabSetsCursor) {
     return IPC_OK();
   }
 
   nsCOMPtr<imgIContainer> cursorImage;
   if (aHasCustomCursor) {
+    if (aHeight * aStride != aCursorData.Length() ||
+        aStride < aWidth * gfx::BytesPerPixel(aFormat)) {
+      return IPC_FAIL(this, "Invalid custom cursor data");
+    }
     const gfx::IntSize size(aWidth, aHeight);
     RefPtr<gfx::DataSourceSurface> customCursor =
         gfx::CreateDataSourceSurfaceFromData(
             size, aFormat,
             reinterpret_cast<const uint8_t*>(aCursorData.BeginReading()),
             aStride);
 
     RefPtr<gfxDrawable> drawable = new gfxSurfaceDrawable(customCursor, size);
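Review bot: The two products in the added guard, `aHeight * aStride` and `aWidth * gfx::BytesPerPixel(aFormat)`, can wrap before they are compared if these IPC parameters are 32-bit unsigned integers (their declarations are in the signature, outside this hunk). A wrapped product could equal `aCursorData.Length()` or fall below `aStride`, so dimensions that do not describe the buffer would pass the check and reach `CreateDataSourceSurfaceFromData`, which is handed the raw data pointer and stride. Since the values arrive over IPC from the content process, I would compute both products with `CheckedInt` (from mozilla/CheckedInt.h, if it is not already included) and fail the message when either is invalid. The enclosing function starts and ends outside the hunk.

```cpp
  if (aHasCustomCursor) {
    // Do the size arithmetic with overflow tracking so a wrapped product
    // cannot satisfy the comparison against the received buffer length.
    const auto expectedLength = CheckedInt<size_t>(aHeight) * aStride;
    const auto minStride =
        CheckedInt<uint32_t>(aWidth) * gfx::BytesPerPixel(aFormat);
    if (!expectedLength.isValid() ||
        expectedLength.value() != aCursorData.Length() ||
        !minStride.isValid() || aStride < minStride.value()) {
      return IPC_FAIL(this, "Invalid custom cursor data");
    }
    // … unchanged: IntSize construction and CreateDataSourceSurfaceFromData call …
```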