Closed Bug 1194007 Opened 9 years ago Closed 9 years ago

Crash [@ unsigned long be::_peek] with cmap

Categories

(Core :: Graphics: Text, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-moderate, testcase, Whiteboard: sec-high+ without OTS [gfx-noted])

Crash Data

Attachments

(1 file)

The attached testcase crashes on graphite2 revision fa8d4398dded (run through the gr2fonttest command line utility).

Backtrace:

==6983==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000b010 at pc 0x7f1c5ebcbea4 bp 0x7fff3e7c2dd0 sp 0x7fff3e7c2dc8
READ of size 1 at 0x60b00000b010 thread T0
    #0 0x7f1c5ebcbea3 in unsigned long be::_peek<1>(unsigned char const*) /src/inc/Endian.h:77
    #1 0x7f1c5ebcbea3 in unsigned long be::_peek<2>(unsigned char const*) /src/inc/Endian.h:50
    #2 0x7f1c5ebcbea3 in unsigned short be::peek<unsigned short>(void const*) /src/inc/Endian.h:55
    #3 0x7f1c5ebcbea3 in graphite2::TtfUtil::CmapSubtable4Lookup(void const*, unsigned int, int) /src/TtfUtil.cpp:980
    #4 0x7f1c5eaffce8 in bool cache_subtable<&graphite2::TtfUtil::CmapSubtable4NextCodepoint, &graphite2::TtfUtil::CmapSubtable4Lookup>(unsigned short**, void const*, unsigned int) /src/CmapCache.cpp:76
    #5 0x7f1c5eafd88f in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) /src/CmapCache.cpp:107
    #6 0x7f1c5eb3e55a in graphite2::Face::readGlyphs(unsigned int) /src/Face.cpp:108
    #7 0x7f1c5eadba7b in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:54
    #8 0x7f1c5eadef79 in gr_make_face_with_ops /src/gr_face.cpp:89
    #9 0x7f1c5eadef79 in gr_make_file_face /src/gr_face.cpp:242
    #10 0x48ed05 in Parameters::testFileFont() const /gr2fonttest/gr2FontTest.cpp:618
    #11 0x49248b in main /gr2fonttest/gr2FontTest.cpp:770
    #12 0x7f1c5e71cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #13 0x486c4c in _start (/build/gr2fonttest/gr2fonttest+0x486c4c)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/inc/Endian.h:77 unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
  0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
=>0x0c167fff9600: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==6983==ABORTING


Note that this is on graphite2 trunk and without OTS in front of it. We tested this particular file in Firefox and it is rejected by OTS with:

cmap: Bad subtable offset (604) in cmap subtable 1
cmap: failed to parse table

However, according to cdiehl that doesn't necessarily mean that the bug cannot be reached through OTS (e.g. by fixing up the testcase enough to make it through). Marking s-s until we confirmed that this bug cannot be reached/exploited with OTS enabled.
Attached file Testcase
Flags: needinfo?(martin_hosken)
Fixed upstream
Flags: needinfo?(martin_hosken)
Keywords: sec-moderate
Whiteboard: sec-high+ without OTS
Group: core-security → gfx-core-security
Depends on: 1207207
fixed in central
(In reply to martin_hosken from comment #3)
> fixed in central

Can we mark this bug fixed? (sorry for the triage churn)
No longer depends on: 1207207
Whiteboard: sec-high+ without OTS → sec-high+ without OTS [gfx-noted]
Fixed by bug 1200098.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: