[cairo] Potential use of uninitialized |stack| in cairo_type1_font_subset_look_for_seac

RESOLVED FIXED in Firefox 33

People

(Reporter: erahm, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {coverity, sec-low})
Version: Trunk
Target Milestone: mozilla33
Points: ---
Bug Flags: qe-verify -

Firefox Tracking Flags

(firefox33 fixed, firefox-esr24 unaffected, firefox-esr31 wontfix)

Details

(Whiteboard: [CID 749688][adv-main33+])

Attachments

(1 attachment)

In |cairo_type1_font_subset_look_for_seac| under case TYPE1_CHARSTRING_COMMAND_SEAC |stack[3]| and |stack[4]| are accessed with no guarantee they are initialized.

http://dxr.mozilla.org/mozilla-central/source/gfx/cairo/cairo/src/cairo-type1-subset.c#842,873,877
Comment 1 (Assignee, 5 years ago)
It looks like this code has been significantly revised in upstream cairo, and no longer contains this flaw. (Compare http://cgit.freedesktop.org/cairo/tree/src/cairo-type1-subset.c.)
Comment 2 (Assignee, 5 years ago)
Created attachment 8450469 [details] [diff] [review]
handle bad 'seac' in type1 charstring.

If we want to patch this locally, I think a simple check on |sp| is all we need.
Attachment #8450469 - Flags: review?(jmuizelaar)
Attachment #8450469 - Flags: review?(jmuizelaar) → review+
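To make the defect in comment 0 and the "check on |sp|" from comment 2 concrete, here is an added C illustration that is not cairo's code and not the attached patch: a toy Type 1 charstring operand stack whose seac handler refuses to read stack[3] and stack[4] unless five operands were actually pushed. The names (look_for_seac, seac_status, seac_args), the status codes and the sample charstrings are constructed for this example; the single-byte number encoding and the opcodes 12 6 (seac) and 13 (hsbw) are the real Type 1 ones, but a real charstring is additionally encrypted and has more number forms and operators than this decoder handles.

```c
/* Added illustration, not cairo's code: a minimal Type 1 charstring operand
 * stack showing the operand-count check a 'seac' handler needs before it
 * reads stack[3] and stack[4]. Names, the status enum and the tiny decoder
 * are constructed for this example; real charstrings are also encrypted and
 * use several more number encodings and operators. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STACK_SIZE    24
#define SEAC_OPERANDS 5            /* seac takes: asb adx ady bchar achar */
#define OP_HSBW       13           /* Type 1 opcode for hsbw */
#define OP_ESCAPE     12           /* two-byte operators start with 12 */
#define OP_SEAC_SUB   6            /* 12 6 = seac */

enum seac_status {
    SEAC_OK = 0,
    SEAC_TOO_FEW_OPERANDS,         /* sp < 5: stack[3]/stack[4] would be uninitialized */
    SEAC_STACK_OVERFLOW,
    SEAC_NOT_FOUND
};

struct seac_args { int asb, adx, ady, bchar, achar; };

/* Single-byte Type 1 number: bytes 32..246 encode the integers -107..107. */
static int decode_small_int(uint8_t b, int *out)
{
    if (b >= 32 && b <= 246) {
        *out = (int)b - 139;
        return 1;
    }
    return 0;
}

/* Walk the charstring until a seac operator and copy out its operands.
 * The operand stack is deliberately left uninitialized, as in the original
 * code; the check on sp is what prevents reading garbage from it. */
enum seac_status look_for_seac(const uint8_t *cs, size_t len, struct seac_args *out)
{
    int stack[STACK_SIZE];
    int sp = 0;

    for (size_t i = 0; i < len; i++) {
        int v;
        uint8_t b = cs[i];

        if (decode_small_int(b, &v)) {
            if (sp >= STACK_SIZE)
                return SEAC_STACK_OVERFLOW;
            stack[sp++] = v;
            continue;
        }

        if (b == OP_ESCAPE && i + 1 < len && cs[i + 1] == OP_SEAC_SUB) {
            /* The fix: all five operands must actually have been pushed. */
            if (sp < SEAC_OPERANDS)
                return SEAC_TOO_FEW_OPERANDS;
            out->asb   = stack[0];
            out->adx   = stack[1];
            out->ady   = stack[2];
            out->bchar = stack[3];
            out->achar = stack[4];
            return SEAC_OK;
        }

        /* Simplification: every other operator (hsbw included) is treated as
         * consuming its operands and clearing the stack, so values pushed
         * before it do not survive for a later seac. */
        if (b == OP_ESCAPE)
            i++;                   /* skip the second byte of an escaped operator */
        sp = 0;
    }
    return SEAC_NOT_FOUND;
}

int main(void)
{
    /* Constructed sample: asb=20 adx=30 ady=0 bchar=65 achar=66, then seac. */
    static const uint8_t good[]    = { 159, 169, 139, 204, 205, OP_ESCAPE, OP_SEAC_SUB };
    /* Constructed malformed sample: only two operands before seac. */
    static const uint8_t bad[]     = { 204, 205, OP_ESCAPE, OP_SEAC_SUB };
    /* Constructed sample: operands pushed, but hsbw clears them before seac. */
    static const uint8_t cleared[] = { 159, 169, 139, 204, 205, OP_HSBW, OP_ESCAPE, OP_SEAC_SUB };
    struct seac_args a;
    enum seac_status st;

    st = look_for_seac(good, sizeof good, &a);
    printf("good:    status %d bchar %d achar %d\n", st, a.bchar, a.achar);
    printf("bad:     status %d\n", look_for_seac(bad, sizeof bad, &a));
    printf("cleared: status %d\n", look_for_seac(cleared, sizeof cleared, &a));
    return 0;
}
```

The third sample is the case the operand-count check exists for: operands were pushed earlier in the charstring, but an intervening operator cleared the stack, so without the check on sp the handler would read whatever happened to be left in stack[3] and stack[4].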
Comment 3 (Assignee, 5 years ago)
AFAICS, there's not likely to be a major security issue here. If we encounter a type1 font with an incorrectly-used seac operator, and run the subsetting code here (e.g. to generate a PDF?), it's possible we'll collect the wrong glyphs in the subset to be embedded, and end up with something that doesn't render entirely correctly, but that's probably all the badness that'll happen.

If so, I guess this could be rated sec-low. Does that sound reasonable to you, Jeff?
Flags: needinfo?(jmuizelaar)
Keywords: sec-low
Comment 4 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/170873fd6b99
Assignee: nobody → jfkthame
Flags: needinfo?(jmuizelaar)
Target Milestone: --- → mozilla33
https://hg.mozilla.org/mozilla-central/rev/170873fd6b99
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox33: --- → fixed
Resolution: --- → FIXED
status-firefox-esr24: --- → unaffected
Whiteboard: [CID 749688] → [CID 749688][adv-main33+]
status-firefox-esr31: --- → wontfix
Rating of sec-low + found by code audit via Coverity = [qe-verify-].
Flags: qe-verify-

Updated (3 years ago)
Group: core-security → core-security-release
Group: core-security-release