Closed
Bug 1034230
Opened 10 years ago
Closed 10 years ago
[cairo] Potential use of uninitialized |stack| in cairo_type1_font_subset_look_for_seac
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
FIXED
mozilla33
| Tracking | Status | |
|---|---|---|
| firefox33 | --- | fixed |
| firefox-esr24 | --- | unaffected |
| firefox-esr31 | --- | wontfix |
People
(Reporter: erahm, Assigned: jfkthame)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, sec-low, Whiteboard: [CID 749688][adv-main33+])
Attachments
(1 file)
|
1.18 KB,
patch
|
jrmuizel
:
review+
|
Details | Diff | Splinter Review |
In |cairo_type1_font_subset_look_for_seac| under case TYPE1_CHARSTRING_COMMAND_SEAC |stack[3]| and |stack[4]| are accessed with no guarantee they are initialized. http://dxr.mozilla.org/mozilla-central/source/gfx/cairo/cairo/src/cairo-type1-subset.c#842,873,877
|
Assignee | |
Comment 1•10 years ago
|
||
It looks like this code has been significantly revised in upstream cairo, and no longer contains this flaw. (Compare http://cgit.freedesktop.org/cairo/tree/src/cairo-type1-subset.c.)
|
|
Assignee | |
Comment 2•10 years ago
|
||
If we want to patch this locally, I think a simple check on |sp| is all we need.
Attachment #8450469 -
Flags: review?(jmuizelaar)
|
||
Updated•10 years ago
|
Attachment #8450469 -
Flags: review?(jmuizelaar) → review+
|
|
Assignee | |
Comment 3•10 years ago
|
||
AFAICS, there's not likely to be a major security issue here. If we encounter a type1 font with an incorrectly-used seac operator, and run the subsetting code here (e.g. to generate a PDF?), it's possible we'll collect the wrong glyphs in the subset to be embedded, and end up with something that doesn't render entirely correctly, but that's probably all the badness that'll happen. If so, I guess this could be rated sec-low. Does that sound reasonable to you, Jeff?
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 4•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/170873fd6b99
Assignee: nobody → jfkthame
Flags: needinfo?(jmuizelaar)
Target Milestone: --- → mozilla33
|
||
Comment 5•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/170873fd6b99
|
||
Updated•10 years ago
|
status-firefox-esr24:
--- → unaffected
|
||
Updated•10 years ago
|
Whiteboard: [CID 749688] → [CID 749688][adv-main33+]
|
||
Updated•10 years ago
|
status-firefox-esr31:
--- → wontfix
|
||
Comment 6•10 years ago
|
||
Rating of sec-low + found by code audit via Coverity = [qe-verify-].
Flags: qe-verify-
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
||
Updated•6 years ago
|
Blocks: coverity-analysis
You need to log in
before you can comment on or make changes to this bug.
Description
•