[tbb-bugs] #17931 [Tor Browser]: Tor Browser Hardened Crash

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 29 21:39:45 UTC 2015


#17931: Tor Browser Hardened Crash
-------------------------------------+--------------------------
 Reporter:  pege                     |          Owner:  tbb-team
     Type:  defect                   |         Status:  new
 Priority:  Immediate                |      Milestone:
Component:  Tor Browser              |        Version:
 Severity:  Blocker                  |     Resolution:
 Keywords:  tbb-hardened, tbb-crash  |  Actual Points:
Parent ID:                           |         Points:
  Sponsor:                           |
-------------------------------------+--------------------------

Comment (by arthuredelstein):

 The bug here is exposed by an interaction between URL escaping and printf-
 like format specifiers. Here is what happens:

 1. The user enters "let's encrypt" into the GitHub search box.
 2. GitHub navigates to the resulting page
 `https://github.com/search?utf8=%E2%9C%93&q=let%27s+encrypt`, which
 attempts to extract canvas image data.
 3. `CanvasUtils::IsImageExtractionAllowed` attempts to log its blocking of
 the image extraction by calling `nsContentUtils::LogMessageToConsole`, to
 which it passes as the first argument a string containing the above URL.
 4. The `%27s` fragment in that URL is interpreted by `LogMessageToConsole`
 as a printf-like format specifier for a 27-character string. However, no
 such char array was passed to LogMessageToConsole, because this format
 specifier was unintended.

 So we have undefined behavior, which manifests as EXC_BAD_ACCESS when I
 run the debugger.

 To avoid this problem, I wrote the following revision to
 `CanvasUtils::IsImageExtractionAllowed` to use
 `nsIConsoleService::LogStringMessage` instead of `LogMessageToConsole`, as
 was used in the original Canvas patch. I manually tested this patch and
 the exception no longer occurs.

 Here is the patch for review:
 https://github.com/arthuredelstein/tor-browser/commit/17931

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17931#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
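
An added illustration of the failure mode described in the comment above, not code from Tor Browser or from the linked patch: it counts the percent-escapes in the reported URL that would parse as argument-consuming conversions, then logs the URL safely as data behind a constant format string. It assumes standard C printf conversion syntax (Mozilla's own formatter may differ), and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the URL quoted in the ticket comment. */
static const char SAMPLE_URL[] =
    "https://github.com/search?utf8=%E2%9C%93&q=let%27s+encrypt";

/* Count the sequences in `s` that standard C printf would parse as a
 * conversion that consumes an argument. Simplified: '*' widths and
 * positional arguments are not handled. */
static int count_printf_conversions(const char *s)
{
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }       /* "%%" is a literal percent */
        s += strspn(s, "-+ #0");                 /* flags */
        s += strspn(s, "0123456789");            /* field width, e.g. 27 */
        if (*s == '.')                           /* precision */
            s += 1 + strspn(s + 1, "0123456789");
        s += strspn(s, "hlLjzt");                /* length modifiers */
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s))
            n++;
    }
    return n;
}

/* Hardened pattern: the format string is a constant and the URL is passed
 * as data, so percent-escapes in it are copied, never interpreted.
 * The unsafe equivalent would be snprintf(out, cap, url). */
static int log_blocked_extraction(char *out, size_t cap, const char *url)
{
    return snprintf(out, cap, "Blocked canvas image extraction on %s", url);
}

int main(void)
{
    char line[256];
    printf("conversions in URL: %d\n", count_printf_conversions(SAMPLE_URL));
    log_blocked_extraction(line, sizeof line, SAMPLE_URL);
    puts(line);
    return 0;
}
```

Under these rules the URL contains two accidental conversions, `%E` and `%27s`, each of which would read an argument that was never passed.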

