User:VladVukicevic/CairoSecReview

From MozillaWiki

Overview

Continuing cairo updates for performance and/or feature availability to the low-level platform. No cairo features are exposed to content script, but features such as SVG and canvas are a fairly thin veneer over cairo in some cases.

Security and Privacy

  • What security issues do you address in your project?

None.

  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?

No config files/prefs.

  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.

The main risks are buffer and integer overflows; the graphics layer deals with large buffers (often with content-provided dimensions) and large numbers that are often multiplied (width * height). A number of problems in these areas have been identified and resolved in the past.
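Added example (not cairo's or Mozilla's own code) of the kind of check that closes the width * height overflow named above: the buffer size is computed in 64-bit arithmetic with an explicit bound, beside the naive 32-bit form that wraps silently. The function names, the 4-byte row alignment and the INT32_MAX bound are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical helper: size in bytes of an image buffer built from
 * content-provided dimensions. Every intermediate is computed in a
 * 64-bit type and checked, so a wrapped value can never reach the
 * allocator. Returns 0 for invalid input or overflow. */
static size_t
image_buffer_size(int width, int height, int bytes_per_pixel)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return 0;

    /* Row stride: width * bpp rounded up to a 4-byte boundary
     * (assumed alignment, as used by common 32-bit pixel formats). */
    uint64_t stride = (uint64_t)width * (uint64_t)bytes_per_pixel;
    stride = (stride + 3) & ~(uint64_t)3;
    if (stride > INT32_MAX)
        return 0;

    /* Total size, bounded by an int-sized limit (assumed bound, chosen
     * so the result also fits in the int fields of a surface struct). */
    uint64_t total = stride * (uint64_t)height;
    if (total > INT32_MAX)
        return 0;
    return (size_t)total;
}

/* The pattern the review warns about, kept in unsigned arithmetic so
 * the wrap is well-defined and observable: large dimensions produce a
 * small byte count, so a short allocation is paired with a large
 * logical image and later row writes run past the end of it. */
static uint32_t
naive_buffer_size(int width, int height, int bytes_per_pixel)
{
    return (uint32_t)width * (uint32_t)height * (uint32_t)bytes_per_pixel;
}
```

For a 65536 x 16385 surface at 4 bytes per pixel the naive form yields 262144 bytes while the checked form rejects the request outright.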

Exported APIs

None directly to content; exports the cairo interface documented in cairo.h for consumption by Thebes, which is itself used directly by layout, by SVG, and by canvas.

Module interactions

None.

Data

None; no data is read/written directly. However, low-level font rendering will happen at this layer by interacting with the underlying operating system, which will at a minimum read font data.

Reliability

  • What failure modes or decision points are presented to the user?

None. Internally, in case of error, an internal error flag is set and rendering stops to that destination context. Continuing to make calls against a context or surface that's in an error state is valid; those operations are just no-ops.

Configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?

No.

  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]

Yes, many; set during configure time per-platform.

Relationships to other projects - are there related projects in the community?

Cairo is an external project in which we are heavily involved -- the canonical upstream is at http://www.cairographics.org/. The maintainers are involved and aware of our development work.

Review Comments

  • check w/Jesse to make sure Canvas fuzzer is regularly run
  • consider hiring a one-time security audit of the code
  • get access to cairo Coverity results