
Issue 160926

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Email to this user bounced
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Security:Check for integer wrap in PPB_ImageData_Impl::Init() is insufficient

Reported by cdn@chromium.org, Nov 14 2012

Issue description

if (static_cast<int64>(width) * static_cast<int64>(height) * 4 >=
      std::numeric_limits<int32>::max())

can overflow to negative given height and width of 0x7fffffff for example.
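As an added illustration (not Chromium's code and not the fix that landed), the block below reproduces the shape of the check quoted above beside a check that cannot wrap. The wrapped int64 product is computed in uint64_t and converted back, which mirrors two's-complement wrap-around without relying on undefined signed overflow; `__builtin_mul_overflow` is assumed to be available (GCC/Clang builtin).

```cpp
#include <cstdint>
#include <limits>

// Constructed example: the int64 product width * height * 4, evaluated
// modulo 2^64 and then reinterpreted as int64_t. This is the value the
// original ">= INT32_MAX" comparison would see after wrap-around.
int64_t WrappedByteSize(int32_t width, int32_t height) {
  uint64_t w = static_cast<uint64_t>(static_cast<int64_t>(width));
  uint64_t h = static_cast<uint64_t>(static_cast<int64_t>(height));
  uint64_t product = w * h * 4u;  // unsigned arithmetic wraps mod 2^64
  return static_cast<int64_t>(product);
}

// The insufficient check from the report: the (possibly wrapped) product is
// only rejected when it is >= INT32_MAX, so a product that wrapped to a
// negative value is accepted.
bool InsufficientCheckRejects(int32_t width, int32_t height) {
  return WrappedByteSize(width, height) >=
         std::numeric_limits<int32_t>::max();
}

// A check that cannot wrap: reject non-positive dimensions up front, then
// detect overflow at each multiplication and compare the exact product.
bool SafeCheckRejects(int32_t width, int32_t height) {
  if (width <= 0 || height <= 0)
    return true;
  int64_t pixels = 0;
  int64_t bytes = 0;
  if (__builtin_mul_overflow(static_cast<int64_t>(width),
                             static_cast<int64_t>(height), &pixels))
    return true;
  if (__builtin_mul_overflow(pixels, static_cast<int64_t>(4), &bytes))
    return true;
  return bytes >= std::numeric_limits<int32_t>::max();
}
```

With width = height = 0x7fffffff the product is 2^64 - 2^34 + 4, which wraps to -17179869180, so the original comparison accepts it while the overflow-aware check rejects it.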



Comment 1 by cdn@chromium.org, Nov 14 2012

We have a patch; just separating it into another CL to make merging easy.

Victor, feel free to submit the CL for this, or I can do it tomorrow.
Project Member

Comment 2 by bugdroid1@chromium.org, Nov 15 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=167882

------------------------------------------------------------------------
r167882 | victorhsieh@chromium.org | 2012-11-15T07:27:55.735990Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/plugins/ppapi/ppb_image_data_impl.cc?r1=167882&r2=167881&pathrev=167882

Security fix: integer overflow on checking image size

Test is left in another CL (codereview.chromium.org/11274036) to avoid conflict there.  Hope it's fine.

BUG= 160926 


Review URL: https://chromiumcodereview.appspot.com/11410081
------------------------------------------------------------------------
Status: Fixed

Comment 4 by cdn@chromium.org, Nov 15 2012

Labels: Merge-Approved
Status: FixUnreleased
Flipping flags so that we can get this merged back to 23 and 24

Comment 5 by cdn@chromium.org, Nov 26 2012

Labels: Audit-IPC
Adding Justin's flag
Project Member

Comment 6 by bugdroid1@chromium.org, Nov 30 2012

Labels: -Merge-Approved merge-merged-1271
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=170569

------------------------------------------------------------------------
r170569 | cevans@chromium.org | 2012-11-30T22:11:17.274805Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1271/src/webkit/plugins/ppapi/ppb_image_data_impl.cc?r1=170569&r2=170568&pathrev=170569

Merge 167882 - Security fix: integer overflow on checking image size

Test is left in another CL (codereview.chromium.org/11274036) to avoid conflict there.  Hope it's fine.

BUG= 160926 


Review URL: https://chromiumcodereview.appspot.com/11410081

TBR=victorhsieh@chromium.org
Review URL: https://codereview.chromium.org/11414272
------------------------------------------------------------------------
Project Member

Comment 7 by bugdroid1@chromium.org, Nov 30 2012

Labels: merge-merged-1312
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=170570

------------------------------------------------------------------------
r170570 | cevans@chromium.org | 2012-11-30T22:12:57.541806Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/webkit/plugins/ppapi/ppb_image_data_impl.cc?r1=170570&r2=170569&pathrev=170570

Merge 167882 - Security fix: integer overflow on checking image size

Test is left in another CL (codereview.chromium.org/11274036) to avoid conflict there.  Hope it's fine.

BUG= 160926 


Review URL: https://chromiumcodereview.appspot.com/11410081

TBR=victorhsieh@chromium.org
Review URL: https://codereview.chromium.org/11416296
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -SecSeverity-High SecSeverity-Medium CVE-2012-5143
Looking at where the bug manifests, I think this might be a PPAPI -> renderer escalation? It's hard to tell, but I don't think it's in the browser process. Lowering severity to Medium.
Status: Fixed
Project Member

Comment 11 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -Feature-Plugins-Pepper -Mstone-23 -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Medium Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Cr-Internals M-23 Cr-Content-Plugins-Pepper Type-Bug-Security
Labels: -Restrict-View-SecurityNotify
Project Member

Comment 13 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 14 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 16 by bugdroid1@chromium.org, Apr 5 2013

Labels: Cr-Blink
Project Member

Comment 17 by bugdroid1@chromium.org, Apr 6 2013

Labels: Cr-Internals-Plugins
Project Member

Comment 18 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-Plugins-Pepper Cr-Internals-Plugins-Pepper
Project Member

Comment 19 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 20 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
