Crash [@ graphite2::TtfUtil::HorMetrics]

Status

RESOLVED FIXED
Type: defect
Priority: --
Severity: critical
Reported: 4 years ago
Last modified: 3 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks 1 bug, {crash, sec-moderate, testcase})

Version: Trunk
Platform: x86_64 Linux

Firefox Tracking Flags

(firefox42 wontfix, firefox43 fixed, firefox44 fixed)

Details

(Whiteboard: sec-high+ without OTS [gfx-noted][adv-main43+][post-critsmash-triage], crash signature)

Attachments

(1 attachment)

45.55 KB, application/octet-stream

Description (Reporter, 4 years ago)

The attached testcase crashes on graphite2 revision fa8d4398dded (run through the gr2fonttest command line utility).

Backtrace:

==28115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f706 at pc 0x7f3bcd019dad bp 0x7fffd5cd5d40 sp 0x7fffd5cd5d38
READ of size 2 at 0x61a00001f706 thread T0
    #0 0x7f3bcd019dac in graphite2::TtfUtil::HorMetrics(unsigned short, void const*, unsigned long, void const*, int&, unsigned int&) /src/TtfUtil.cpp:801:16
    #1 0x7f3bccfa3f6f in graphite2::GlyphCache::Loader::read_glyph(unsigned short, graphite2::GlyphFace&, int*) const /src/GlyphCache.cpp:353
    #2 0x7f3bccfa2406 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) /src/GlyphCache.cpp:139
    #3 0x7f3bccf8e304 in graphite2::Face::readGlyphs(unsigned int) /src/Face.cpp:98
    #4 0x7f3bccf2ba7b in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:54
    #5 0x7f3bccf2ef79 in gr_make_face_with_ops /src/gr_face.cpp:89
    #6 0x7f3bccf2ef79 in gr_make_file_face /src/gr_face.cpp:242
    #7 0x48ed05 in Parameters::testFileFont() const /gr2fonttest/gr2FontTest.cpp:618
    #8 0x49248b in main /gr2fonttest/gr2FontTest.cpp:770
    #9 0x7f3bccb6cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x486c4c in _start (/build/gr2fonttest/gr2fonttest+0x486c4c)

0x61a00001f706 is located 0 bytes to the right of 1158-byte region [0x61a00001f280,0x61a00001f706)
allocated by thread T0 here:
    #0 0x46df61 in __interceptor_malloc (/build/gr2fonttest/gr2fonttest+0x46df61)
    #1 0x7f3bcd020bfe in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) /src/FileFace.cpp:90
    #2 0x7f3bccf9279f in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) /src/Face.cpp:274
    #3 0x7f3bccfaa5c9 in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) /src/GlyphCache.cpp:248
    #4 0x7f3bccfa1211 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) /src/GlyphCache.cpp:123
    #5 0x7f3bccf8e304 in graphite2::Face::readGlyphs(unsigned int) /src/Face.cpp:98

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/TtfUtil.cpp:801 graphite2::TtfUtil::HorMetrics(unsigned short, void const*, unsigned long, void const*, int&, unsigned int&)
Shadow bytes around the buggy address:
  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0:[06]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==28115==ABORTING


Note that this is on graphite2 trunk and without OTS in front of it. We tested this particular file in Firefox and it is rejected by OTS with:

metrics: Bad number of metrics 3617
hhea: Failed to parse horizontal metrics
hhea: Failed to parse table

However, according to cdiehl that doesn't necessarily mean that the bug cannot be reached through OTS (e.g. by fixing up the testcase enough to make it through). Marking s-s until we have confirmed that this bug cannot be reached/exploited with OTS enabled.
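The OTS rejection quoted above comes from a consistency check between hhea's numberOfHMetrics and the size of the hmtx table, made before any metric is read; the ASan report shows what happens when a lookup trusts that count instead, reading 2 bytes exactly one past the 1158-byte table. The following C code is an added example, not graphite2's or OTS's code: it sketches both defenses, an up-front table-length check and a bounds-checked per-glyph lookup, over the standard OpenType hmtx layout (numberOfHMetrics 4-byte longHorMetric records followed by 2-byte leftSideBearing values for the remaining glyphs). The 1158-byte / 3617-metric sample is constructed from the numbers in the report and is not the attached testcase; all function names are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OpenType tables are big-endian. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Up-front check between hhea.numberOfHMetrics, maxp.numGlyphs and the hmtx
 * table length: numberOfHMetrics longHorMetric records (4 bytes each) are
 * followed by (numGlyphs - numberOfHMetrics) leftSideBearings (2 bytes each).
 * Returns 1 if the table is at least that long, 0 otherwise. This is the kind
 * of check behind OTS's "Bad number of metrics". (hypothetical name) */
int hmtx_is_consistent(uint16_t num_hmetrics, uint16_t num_glyphs, size_t hmtx_len)
{
    if (num_hmetrics == 0 || num_hmetrics > num_glyphs)
        return 0;
    size_t need = (size_t)num_hmetrics * 4 + (size_t)(num_glyphs - num_hmetrics) * 2;
    return hmtx_len >= need;
}

/* Bounds-checked per-glyph lookup. Every offset is compared with hmtx_len
 * before the read, so an oversized numberOfHMetrics can only make the lookup
 * fail, never read past the allocation. Returns 1 on success. (hypothetical) */
int hor_metrics_checked(uint16_t gid, const uint8_t *hmtx, size_t hmtx_len,
                        uint16_t num_hmetrics, uint16_t *advance, int16_t *lsb)
{
    if (num_hmetrics == 0)
        return 0;
    if (gid < num_hmetrics) {
        size_t off = (size_t)gid * 4;
        if (off + 4 > hmtx_len)
            return 0;
        *advance = be16(hmtx + off);
        *lsb = (int16_t)be16(hmtx + off + 2);
        return 1;
    }
    /* Glyphs past numberOfHMetrics reuse the last advance width and carry
     * their own lsb in the trailing array. */
    size_t adv_off = (size_t)(num_hmetrics - 1) * 4;
    size_t lsb_off = (size_t)num_hmetrics * 4 + (size_t)(gid - num_hmetrics) * 2;
    if (adv_off + 4 > hmtx_len || lsb_off + 2 > hmtx_len)
        return 0;
    *advance = be16(hmtx + adv_off);
    *lsb = (int16_t)be16(hmtx + lsb_off);
    return 1;
}

/* Constructed sample mirroring the report's numbers: a 1158-byte hmtx region
 * whose hhea claims 3617 metrics. Not the bug's attachment. */
enum { BAD_LEN = 1158, BAD_NUM_HMETRICS = 3617 };

/* Returns 1 when both defenses reject the constructed sample: the consistency
 * check fails outright, and a lookup whose lsb would sit at offset 1158
 * (gid 289: 289 * 4 + 2) is refused instead of reading one past the region. */
int bad_sample_rejected(void)
{
    uint8_t hmtx[BAD_LEN];
    memset(hmtx, 0, sizeof hmtx);
    uint16_t adv;
    int16_t lsb;
    int consistent = hmtx_is_consistent(BAD_NUM_HMETRICS, BAD_NUM_HMETRICS, BAD_LEN);
    int ok = hor_metrics_checked(289, hmtx, BAD_LEN, BAD_NUM_HMETRICS, &adv, &lsb);
    return !consistent && !ok;
}

/* Constructed well-formed sample: 2 longHorMetrics, 4 glyphs, 12 bytes. */
static const uint8_t GOOD_HMTX[12] = {
    0x01, 0xF4, 0x00, 0x0A,   /* gid 0: advance 500, lsb 10 */
    0x02, 0x00, 0xFF, 0xFE,   /* gid 1: advance 512, lsb -2 */
    0x00, 0x05,               /* gid 2: lsb 5               */
    0xFF, 0xFF                /* gid 3: lsb -1              */
};

/* Wrappers over the good sample; LONG_MIN signals a refused read. */
long good_advance(uint16_t gid)
{
    uint16_t adv; int16_t lsb;
    return hor_metrics_checked(gid, GOOD_HMTX, sizeof GOOD_HMTX, 2, &adv, &lsb) ? adv : LONG_MIN;
}
long good_lsb(uint16_t gid)
{
    uint16_t adv; int16_t lsb;
    return hor_metrics_checked(gid, GOOD_HMTX, sizeof GOOD_HMTX, 2, &adv, &lsb) ? lsb : LONG_MIN;
}

int main(void)
{
    printf("bad sample rejected: %d\n", bad_sample_rejected());
    printf("good sample consistent: %d\n", hmtx_is_consistent(2, 4, sizeof GOOD_HMTX));
    printf("gid 3: advance %ld lsb %ld; gid 4: %ld\n", good_advance(3), good_lsb(3), good_advance(4));
    return 0;
}
```

The two checks are complementary: the up-front check is what a sanitizer in front of the rasterizer (OTS here) can apply to reject the file, while the per-read check is what the parser itself needs so that a file which slips past the sanitizer, as the description worries about, still cannot read outside the table.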

Comment 1 (Reporter, 4 years ago)

Posted file Testcase

Updated (Reporter, 4 years ago)

Flags: needinfo?(martin_hosken)

Comment 2 (4 years ago)

Fixed upstream
Flags: needinfo?(martin_hosken)
Keywords: sec-moderate
Whiteboard: sec-high+ without OTS

Updated (4 years ago)

Group: core-security → gfx-core-security
Depends on: 1207207
Whiteboard: sec-high+ without OTS → sec-high+ without OTS [gfx-noted]

Comment 3 (4 years ago)

fixed in central (and aurora)
Fixed by bug 1200098.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Depends on: 1200098
No longer depends on: 1207207
Group: gfx-core-security → core-security-release
Whiteboard: sec-high+ without OTS [gfx-noted] → sec-high+ without OTS [gfx-noted][adv-main43+]
Whiteboard: sec-high+ without OTS [gfx-noted][adv-main43+] → sec-high+ without OTS [gfx-noted][adv-main43+][post-critsmash-triage]
Group: core-security-release