Closed
Bug 1034230
Opened 11 years ago
Closed 11 years ago
[cairo] Potential use of uninitialized |stack| in cairo_type1_font_subset_look_for_seac
Categories
(Core :: Graphics, defect)
Tracking
RESOLVED
FIXED
mozilla33
Tracking | Status | |
---|---|---|
firefox33 | --- | fixed |
firefox-esr24 | --- | unaffected |
firefox-esr31 | --- | wontfix |
People
(Reporter: erahm, Assigned: jfkthame)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, sec-low, Whiteboard: [CID 749688][adv-main33+])
Attachments
(1 file)
1.18 KB, patch (jrmuizel: review+)
In |cairo_type1_font_subset_look_for_seac| under case TYPE1_CHARSTRING_COMMAND_SEAC |stack[3]| and |stack[4]| are accessed with no guarantee they are initialized.
http://dxr.mozilla.org/mozilla-central/source/gfx/cairo/cairo/src/cairo-type1-subset.c#842,873,877
Comment 1 (assignee)•11 years ago
It looks like this code has been significantly revised in upstream cairo, and no longer contains this flaw. (Compare http://cgit.freedesktop.org/cairo/tree/src/cairo-type1-subset.c.)
Comment 2 (assignee)•11 years ago
If we want to patch this locally, I think a simple check on |sp| is all we need.
Attachment #8450469 -
Flags: review?(jmuizelaar)
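The pattern in the report and the "simple check on |sp|" suggested in comment 2, as an added illustration in C. This is not cairo's code and not the attached patch: it models a Type 1 charstring operand stack with a seac handler that reads stack[3] and stack[4] unconditionally, beside one that checks the operand count first. The operand layout (asb adx ady bchar achar, so bchar is stack[3] and achar is stack[4]) is from the Type 1 charstring specification; the type names, the two glyphs and their operand values are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Added model, not cairo's code: a Type 1 charstring operand stack and
 * a seac handler.  Per the Type 1 spec, seac takes five operands,
 *   asb adx ady bchar achar
 * so bchar is stack[3] and achar is stack[4]. */
#define T1_STACK_SIZE 24

typedef struct {
    int stack[T1_STACK_SIZE];
    int sp;                 /* number of operands currently pushed */
} t1_stack_t;

typedef struct {
    int bchar;              /* base glyph's StandardEncoding code   */
    int achar;              /* accent glyph's StandardEncoding code */
    int ok;                 /* 1 if seac had its five operands      */
} seac_t;

static void t1_clear(t1_stack_t *s) { s->sp = 0; }   /* slots keep stale data */

static int t1_push(t1_stack_t *s, int v)
{
    if (s->sp >= T1_STACK_SIZE)
        return 0;           /* operand stack overflow: reject */
    s->stack[s->sp++] = v;
    return 1;
}

/* Vulnerable shape (assumed to match the reported flaw): on seac the
 * handler reads stack[3] and stack[4] without checking how many
 * operands this charstring actually pushed. */
seac_t seac_unchecked(t1_stack_t *s)
{
    seac_t r = { s->stack[3], s->stack[4], 1 };
    t1_clear(s);
    return r;
}

/* Hardened form: check sp before indexing.  A seac with fewer than
 * five operands is malformed and is rejected rather than acted on. */
seac_t seac_checked(t1_stack_t *s)
{
    seac_t r = { -1, -1, 0 };
    if (s->sp >= 5) {
        r.bchar = s->stack[3];
        r.achar = s->stack[4];
        r.ok = 1;
    }
    t1_clear(s);
    return r;
}

/* Drive both handlers over two constructed glyphs: a well-formed seac
 * ('e' + acute), then a seac with only two operands.  The first glyph
 * leaves the bchar/achar slots populated, so the unchecked handler
 * reports those stale codes for the malformed glyph: the "wrong glyphs
 * in the subset" outcome, here made deterministic by zeroing the stack. */
typedef struct { int unchecked_bchar, unchecked_achar, checked_ok; } demo_t;

demo_t run_demo(void)
{
    t1_stack_t s;
    demo_t d;
    seac_t r;

    memset(&s, 0, sizeof s);   /* constructed: real stack may hold garbage */

    /* glyph 1: asb=50 adx=100 ady=200 bchar=101 ('e') achar=194 (acute) */
    t1_push(&s, 50);  t1_push(&s, 100); t1_push(&s, 200);
    t1_push(&s, 101); t1_push(&s, 194);
    r = seac_checked(&s);       /* ok=1, bchar 101 / achar 194 */
    (void)r;

    /* glyph 2 (malformed): only asb and adx pushed before seac */
    t1_push(&s, 50); t1_push(&s, 100);
    r = seac_unchecked(&s);
    d.unchecked_bchar = r.bchar;    /* 101: stale from glyph 1 */
    d.unchecked_achar = r.achar;    /* 194: stale from glyph 1 */

    /* same malformed glyph through the checked handler */
    t1_push(&s, 50); t1_push(&s, 100);
    r = seac_checked(&s);
    d.checked_ok = r.ok;            /* 0: rejected */
    return d;
}

int main(void)
{
    demo_t d = run_demo();
    printf("unchecked: bchar=%d achar=%d (stale from previous glyph)\n",
           d.unchecked_bchar, d.unchecked_achar);
    printf("checked:   ok=%d\n", d.checked_ok);
    return 0;
}
```

Rejecting the glyph on `sp < 5` is the conservative choice for a subsetter: the alternative of silently using whatever is in the slots is exactly what produces a subset that embeds the wrong base or accent glyph.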
Updated•11 years ago
Attachment #8450469 -
Flags: review?(jmuizelaar) → review+
Comment 3 (assignee)•11 years ago
AFAICS, there's not likely to be a major security issue here. If we encounter a type1 font with an incorrectly-used seac operator, and run the subsetting code here (e.g. to generate a PDF?), it's possible we'll collect the wrong glyphs in the subset to be embedded, and end up with something that doesn't render entirely correctly, but that's probably all the badness that'll happen.
If so, I guess this could be rated sec-low. Does that sound reasonable to you, Jeff?
Flags: needinfo?(jmuizelaar)
Comment 4 (assignee)•11 years ago
Assignee: nobody → jfkthame
Flags: needinfo?(jmuizelaar)
Target Milestone: --- → mozilla33
Comment 5•11 years ago
Updated•11 years ago
status-firefox-esr24: --- → unaffected
Updated•10 years ago
Whiteboard: [CID 749688] → [CID 749688][adv-main33+]
Updated•10 years ago
status-firefox-esr31: --- → wontfix
Comment 6•10 years ago
Rating of sec-low + found by code audit via Coverity = [qe-verify-].
Flags: qe-verify-
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release
Updated•7 years ago
Blocks: coverity-analysis