Bug 1193757 - Crash [@ graphite2::vm::Machine::Code::decoder::emit_opcode]
Status: RESOLVED FIXED (Closed)
Opened 9 years ago, closed 9 years ago
Categories: Core :: Graphics: Text, defect
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Keywords: crash, sec-moderate, testcase
Whiteboard: sec-high+ without OTS [gfx-noted][adv-main43+][post-critsmash-triage]
Attachments (1 file): 57.82 KB, application/octet-stream
Description (Reporter: decoder)

The attached testcase crashes on graphite2 revision fa8d4398dded (run through the gr2fonttest command line utility).

Backtrace:

==11150==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f753 at pc 0x7f5d80cf5439 bp 0x7fffe01ccaa0 sp 0x7fffe01cca98
READ of size 1 at 0x61a00001f753 thread T0
    #0 0x7f5d80cf5438 in graphite2::vm::Machine::Code::decoder::emit_opcode(graphite2::vm::opcode, unsigned char const*&) /src/Code.cpp:553
    #1 0x7f5d80cde90a in graphite2::vm::Machine::Code::decoder::load(unsigned char const*, unsigned char const*) /src/Code.cpp:260
    #2 0x7f5d80cde90a in graphite2::vm::Machine::Code::Code(bool, unsigned char const*, unsigned char const*, unsigned char, unsigned short, graphite2::Silf const&, graphite2::Face const&, graphite2::passtype, unsigned char*&) /src/Code.cpp:194
    #3 0x7f5d80d5bf0c in graphite2::Pass::readRules(unsigned char const*, unsigned long, unsigned char const*, unsigned short const*, unsigned short const*, unsigned char const*, unsigned short const*, unsigned char const*, graphite2::Face&, graphite2::passtype, graphite2::Error&) /src/Pass.cpp:238
    #4 0x7f5d80d5999c in graphite2::Pass::readPass(unsigned char const*, unsigned long, unsigned long, graphite2::Face&, graphite2::passtype, unsigned int, graphite2::Error&) /src/Pass.cpp:183
    #5 0x7f5d80d88b62 in graphite2::Silf::readGraphite(unsigned char const*, unsigned long, graphite2::Face&, unsigned int) /src/Silf.cpp:212
    #6 0x7f5d80d1cfb8 in graphite2::Face::readGraphite(graphite2::Face::Table const&) /src/Face.cpp:149
    #7 0x7f5d80cb8bef in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:59
    #8 0x7f5d80cbbf79 in gr_make_face_with_ops /src/gr_face.cpp:89
    #9 0x7f5d80cbbf79 in gr_make_file_face /src/gr_face.cpp:242
    #10 0x48ed05 in Parameters::testFileFont() const /gr2fonttest/gr2FontTest.cpp:618
    #11 0x49248b in main /gr2fonttest/gr2FontTest.cpp:770
    #12 0x7f5d808f9ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #13 0x486c4c in _start (/build/gr2fonttest/gr2fonttest+0x486c4c)

0x61a00001f753 is located 0 bytes to the right of 1235-byte region [0x61a00001f280,0x61a00001f753)
allocated by thread T0 here:
    #0 0x46df61 in __interceptor_malloc (/build/gr2fonttest/gr2fonttest+0x46df61)
    #1 0x7f5d80dadbfe in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) /src/FileFace.cpp:90
    #2 0x7f5d80d1f79f in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) /src/Face.cpp:274
    #3 0x7f5d80cb88e7 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:49
    #4 0x7f5d80cbbf79 in gr_make_face_with_ops /src/gr_face.cpp:89
    #5 0x7f5d80cbbf79 in gr_make_file_face /src/gr_face.cpp:242

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/Code.cpp:553 graphite2::vm::Machine::Code::decoder::emit_opcode(graphite2::vm::opcode, unsigned char const*&)
Shadow bytes around the buggy address:
  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00 00 00 00 00 00 00 00 00 00[03]fa fa fa fa fa
  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==11150==ABORTING

Note that this is on graphite2 trunk and without OTS in front of it. We tested this particular file in Firefox and it is rejected by OTS with the message: "Sill: table overruns end of file". However, according to cdiehl that doesn't necessarily mean that the bug cannot be reached through OTS (e.g. by fixing up the testcase enough to make it through). Marking s-s until we have confirmed that this bug cannot be reached/exploited with OTS enabled.
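The report above shows the general shape of this bug class: a bytecode decoder that has been handed a table buffer reads an operand byte one past the end of that buffer (ASan: READ of size 1, "0 bytes to the right of" the 1235-byte table allocation). The following is an added, constructed illustration of that pattern and of the check that prevents it; it is not graphite2's decoder, its opcode table or its upstream fix. The toy instruction set, the operand lengths and both sample tables are made up for the example. The truncated sample's backing array is three bytes longer than its logical table so that the unchecked decoder's over-read is observable from its return value without being undefined behaviour; those spare bytes play the role the heap redzone played in the sanitizer report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy instruction set: one opcode byte followed by a fixed
   number of operand bytes. Not graphite2's opcode table. */
enum { OP_PUSH_BYTE = 0, OP_ADD = 1, OP_PUSH_SHORT = 2, OP_RET = 3, OP_COUNT = 4 };
static const uint8_t operand_len[OP_COUNT] = { 1, 0, 2, 0 };

/* Vulnerable shape: the loop condition guards only the opcode byte, and the
   operand bytes are consumed with no check against `end`. A table whose
   last instruction is cut short makes `p` walk past the end of the buffer.
   Returns the number of bytes consumed, or -1 on an unknown opcode. */
static ptrdiff_t decode_unchecked(const uint8_t *p, const uint8_t *end)
{
    const uint8_t *start = p;
    while (p < end) {
        uint8_t op = *p++;
        if (op >= OP_COUNT)
            return -1;
        for (uint8_t i = 0; i < operand_len[op]; ++i) {
            volatile uint8_t operand = *p++;   /* BUG: may read beyond `end` */
            (void)operand;
        }
    }
    return p - start;                          /* > table length means over-read */
}

/* Hardened shape: before touching the operands, require that all of them
   still lie inside [p, end). A truncated table is rejected, not read. */
static ptrdiff_t decode_checked(const uint8_t *p, const uint8_t *end)
{
    const uint8_t *start = p;
    while (p < end) {
        uint8_t op = *p++;
        if (op >= OP_COUNT)
            return -1;
        if ((size_t)(end - p) < operand_len[op])
            return -1;                         /* operands overrun the table */
        p += operand_len[op];
    }
    return p - start;
}

/* Constructed sample tables. The truncated one ends after one of the two
   PUSH_SHORT operand bytes; the 0xEE bytes after it are outside the logical
   table and stand in for the heap redzone. */
static const uint8_t well_formed[] = {
    OP_PUSH_BYTE, 0x2a, OP_PUSH_SHORT, 0x01, 0x02, OP_ADD, OP_RET
};
static const uint8_t truncated_backing[] = {
    OP_PUSH_BYTE, 0x2a, OP_ADD, OP_PUSH_SHORT, 0x01, 0xee, 0xee, 0xee
};
#define TRUNCATED_LEN 5   /* logical table length inside truncated_backing */

ptrdiff_t unchecked_on_well_formed(void)
{ return decode_unchecked(well_formed, well_formed + sizeof well_formed); }
ptrdiff_t checked_on_well_formed(void)
{ return decode_checked(well_formed, well_formed + sizeof well_formed); }
ptrdiff_t unchecked_on_truncated(void)
{ return decode_unchecked(truncated_backing, truncated_backing + TRUNCATED_LEN); }
ptrdiff_t checked_on_truncated(void)
{ return decode_checked(truncated_backing, truncated_backing + TRUNCATED_LEN); }

int main(void)
{
    printf("well-formed: unchecked=%td checked=%td (table is %zu bytes)\n",
           unchecked_on_well_formed(), checked_on_well_formed(), sizeof well_formed);
    printf("truncated:   unchecked=%td checked=%td (table is %d bytes)\n",
           unchecked_on_truncated(), checked_on_truncated(), TRUNCATED_LEN);
    return 0;
}
```

On the truncated table the unchecked decoder reports 6 bytes consumed from a 5-byte table, i.e. one byte read past the end, which is exactly the kind of one-byte over-read the sanitizer flagged; under a real allocation without a redzone that byte is whatever follows on the heap. The checked decoder returns -1 without touching it. The check belongs in the decoder itself rather than only in a front-end such as OTS: the report is kept open precisely because rejection of this particular file at the file level does not show that a differently fixed-up table could not reach the same code.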
Reporter
Comment 1•9 years ago

Comment 3•9 years ago
Fixed upstream

Updated•9 years ago
Flags: needinfo?(martin_hosken)

Updated•9 years ago
Keywords: sec-moderate
Whiteboard: sec-high+ without OTS

Updated•9 years ago
Group: core-security → gfx-core-security

Comment 4•9 years ago
(In reply to martin_hosken from comment #3)
> Fixed upstream

Could you link to the upstream fix? I assume we'll have to cherry-pick the fix or update our version of graphite2 to that revision.
Flags: needinfo?(martin_hosken)

Comment 5•9 years ago
It was fixed in v1.3.2 which is applied in central, and also 1.3.3 which is proposed for inclusion in central and to be uplifted to aurora.
Flags: needinfo?(martin_hosken)

Updated•9 years ago
Whiteboard: sec-high+ without OTS → sec-high+ without OTS [gfx-noted]

Comment 6•9 years ago
...which means this was fixed for gecko in bug 1200098 (the update to graphite 1.3.2).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
status-firefox43: --- → fixed
status-firefox44: --- → fixed

Updated•9 years ago
Group: gfx-core-security → core-security-release

Updated•8 years ago
status-firefox42: --- → wontfix
Whiteboard: sec-high+ without OTS [gfx-noted] → sec-high+ without OTS [gfx-noted][adv-main43+]

Updated•8 years ago
Whiteboard: sec-high+ without OTS [gfx-noted][adv-main43+] → sec-high+ without OTS [gfx-noted][adv-main43+][post-critsmash-triage]

Updated•8 years ago
Group: core-security-release