In |cairo_type1_font_subset_look_for_seac| under case TYPE1_CHARSTRING_COMMAND_SEAC |stack| and |stack| are accessed with no guarantee they are initialized. http://dxr.mozilla.org/mozilla-central/source/gfx/cairo/cairo/src/cairo-type1-subset.c#842,873,877
It looks like this code has been significantly revised in upstream cairo, and no longer contains this flaw. (Compare http://cgit.freedesktop.org/cairo/tree/src/cairo-type1-subset.c.)
Created attachment 8450469 [details] [diff] [review] handle bad 'seac' in type1 charstring. If we want to patch this locally, I think a simple check on |sp| is all we need.
Attachment #8450469 - Flags: review?(jmuizelaar)
Attachment #8450469 - Flags: review?(jmuizelaar) → review+
AFAICS, there's not likely to be a major security issue here. If we encounter a type1 font with an incorrectly-used seac operator, and run the subsetting code here (e.g. to generate a PDF?), it's possible we'll collect the wrong glyphs in the subset to be embedded, and end up with something that doesn't render entirely correctly, but that's probably all the badness that'll happen. If so, I guess this could be rated sec-low. Does that sound reasonable to you, Jeff?
Assignee: nobody → jfkthame
Target Milestone: --- → mozilla33
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox33: --- → fixed
Resolution: --- → FIXED
status-firefox-esr31: --- → wontfix
Rating of sec-low + found by code audit via Coverity = [qe-verify-].
You need to log in before you can comment on or make changes to this bug.