[cairo] Potential use of uninitialized |stack| in cairo_type1_font_subset_look_for_seac

RESOLVED FIXED in Firefox 33

Status

()

defect
RESOLVED FIXED
5 years ago
Last year

People

(Reporter: erahm, Assigned: jfkthame)

Tracking

(Blocks 1 bug, {coverity, sec-low})

Trunk
mozilla33
Points:
---
Dependency tree / graph
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox33 fixed, firefox-esr24 unaffected, firefox-esr31 wontfix)

Details

(Whiteboard: [CID 749688][adv-main33+])

Attachments

(1 attachment)

In  |cairo_type1_font_subset_look_for_seac| under case TYPE1_CHARSTRING_COMMAND_SEAC |stack[3]| and |stack[4]| are accessed with no guarantee they are initialized.

http://dxr.mozilla.org/mozilla-central/source/gfx/cairo/cairo/src/cairo-type1-subset.c#842,873,877
It looks like this code has been significantly revised in upstream cairo, and no longer contains this flaw. (Compare http://cgit.freedesktop.org/cairo/tree/src/cairo-type1-subset.c.)
If we want to patch this locally, I think a simple check on |sp| is all we need.
Attachment #8450469 - Flags: review?(jmuizelaar)
Attachment #8450469 - Flags: review?(jmuizelaar) → review+
AFAICS, there's not likely to be a major security issue here. If we encounter a type1 font with an incorrectly-used seac operator, and run the subsetting code here (e.g. to generate a PDF?), it's possible we'll collect the wrong glyphs in the subset to be embedded, and end up with something that doesn't render entirely correctly, but that's probably all the badness that'll happen.

If so, I guess this could be rated sec-low. Does that sound reasonable to you, Jeff?
Flags: needinfo?(jmuizelaar)
Keywords: sec-low
https://hg.mozilla.org/integration/mozilla-inbound/rev/170873fd6b99
Assignee: nobody → jfkthame
Flags: needinfo?(jmuizelaar)
Target Milestone: --- → mozilla33
https://hg.mozilla.org/mozilla-central/rev/170873fd6b99
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Whiteboard: [CID 749688] → [CID 749688][adv-main33+]
Rating of sec-low + found by code audit via Coverity = [qe-verify-].
Flags: qe-verify-
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.