Closed Bug 1210485 Opened 9 years ago Closed 9 years ago

MSan: use-of-uninitialized-value in pcf_read_TOC (pcfread.c:105)

Categories

(Core :: Layout: Text and Fonts, defect)

Product:
Core
Component:
Layout: Text and Fonts
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox44 --- affected

People

(Reporter: tsmith, Unassigned)

Details

(Keywords: crash, csectype-uninitialized, testcase)

Attachments

(2 files)

call_stack.txt
1.17 KB, text/plain
Details
test_case.ttf
148 bytes, application/x-font-ttf
Details
Attached file call_stack.txt 
This was found while fuzzing freetype 2.5.5

This appears to be a fairly serious issue the the uninitialized values is used as a size in a memory allocation. This can lead to a crash or worse.

This likely also affects Firefox OS since I believe it is used in the aosp kernel.
Attached file test_case.ttf 

    
    

    
  
Verified that this is in both 2.5.5 and the latest released version 2.6.

    
    

    
  
This test case should be a .pcf file (Portable Compiled Format) which we do not support in firefox. So this is likely invalid unless it is used in fxos for some reason.

    
    

    
  
I don't know that we support this format anywhere. Even if the code is present on FxOS you either have the built-in fonts (which wouldn't be an attack) or downloadable web fonts which are WOFF (opentype).

    
    

    
  
I don't know that android supports this format either, but we could report it upstream to freetype and AOSP anyway.

    
    

    
  
I don't believe AOSP will be directly affected by this either, but it should definitely be reported upstream to freetype.
Group: core-security → layout-core-security

    
    

    
  
Already reported and fixed upstream.

https://savannah.nongnu.org/bugs/?func=detailitem&item_id=46109

    
  
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Group: layout-core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: