Closed
Bug 1194007
Opened 9 years ago
Closed 9 years ago
Crash [@ unsigned long be::_peek] with cmap
Categories
(Core :: Graphics: Text, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, sec-moderate, testcase, Whiteboard: sec-high+ without OTS [gfx-noted])
Crash Data
Attachments
(1 file)
56.69 KB,
application/octet-stream
The attached testcase crashes on graphite2 revision fa8d4398dded (run through the gr2fonttest command line utility).
Backtrace:
==6983==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000b010 at pc 0x7f1c5ebcbea4 bp 0x7fff3e7c2dd0 sp 0x7fff3e7c2dc8
READ of size 1 at 0x60b00000b010 thread T0
#0 0x7f1c5ebcbea3 in unsigned long be::_peek<1>(unsigned char const*) /src/inc/Endian.h:77
#1 0x7f1c5ebcbea3 in unsigned long be::_peek<2>(unsigned char const*) /src/inc/Endian.h:50
#2 0x7f1c5ebcbea3 in unsigned short be::peek<unsigned short>(void const*) /src/inc/Endian.h:55
#3 0x7f1c5ebcbea3 in graphite2::TtfUtil::CmapSubtable4Lookup(void const*, unsigned int, int) /src/TtfUtil.cpp:980
#4 0x7f1c5eaffce8 in bool cache_subtable<&graphite2::TtfUtil::CmapSubtable4NextCodepoint, &graphite2::TtfUtil::CmapSubtable4Lookup>(unsigned short**, void const*, unsigned int) /src/CmapCache.cpp:76
#5 0x7f1c5eafd88f in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) /src/CmapCache.cpp:107
#6 0x7f1c5eb3e55a in graphite2::Face::readGlyphs(unsigned int) /src/Face.cpp:108
#7 0x7f1c5eadba7b in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:54
#8 0x7f1c5eadef79 in gr_make_face_with_ops /src/gr_face.cpp:89
#9 0x7f1c5eadef79 in gr_make_file_face /src/gr_face.cpp:242
#10 0x48ed05 in Parameters::testFileFont() const /gr2fonttest/gr2FontTest.cpp:618
#11 0x49248b in main /gr2fonttest/gr2FontTest.cpp:770
#12 0x7f1c5e71cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#13 0x486c4c in _start (/build/gr2fonttest/gr2fonttest+0x486c4c)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/inc/Endian.h:77 unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
=>0x0c167fff9600: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c167fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==6983==ABORTING
Note that this is on graphite2 trunk and without OTS in front of it. We tested this particular file in Firefox and it is rejected by OTS with:
cmap: Bad subtable offset (604) in cmap subtable 1
cmap: failed to parse table
However, according to cdiehl that doesn't necessarily mean that the bug cannot be reached through OTS (e.g. by fixing up the testcase enough to make it through). Marking s-s until we have confirmed that this bug cannot be reached/exploited with OTS enabled.
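The backtrace above ends in an unchecked big-endian read inside the format 4 cmap lookup, and the OTS message shows the kind of structural check that keeps such a file out of the parser. The following is an added illustration written for this page, not graphite2's or OTS's own code: a cmap validator that rejects out-of-range encoding-record offsets and undersized format 4 subtables, plus a format 4 lookup in which every read, including the idRangeOffset-relative glyph address, is bounded against the table length. The helper names (rd16, rd32, cmapTableIsSane, cmap4Lookup) are hypothetical, and the sample table bytes are constructed here; the bad offset 604 is taken from the OTS message above.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Big-endian readers that refuse to read outside [p, p+len).  The helper
// names are hypothetical; they stand in for an unchecked be::peek.
static bool rd16(const uint8_t* p, size_t len, size_t off, uint16_t& out) {
    if (off > len || len - off < 2) return false;
    out = static_cast<uint16_t>((p[off] << 8) | p[off + 1]);
    return true;
}
static bool rd32(const uint8_t* p, size_t len, size_t off, uint32_t& out) {
    if (off > len || len - off < 4) return false;
    out = (uint32_t(p[off]) << 24) | (uint32_t(p[off + 1]) << 16) |
          (uint32_t(p[off + 2]) << 8) | uint32_t(p[off + 3]);
    return true;
}

// Structural validation of a cmap table before any lookup touches it:
// every encoding record's offset must land inside the table, and a format 4
// subtable must be large enough to hold its four segCount-sized arrays.
bool cmapTableIsSane(const uint8_t* tbl, size_t len) {
    uint16_t version, numTables;
    if (!rd16(tbl, len, 0, version) || !rd16(tbl, len, 2, numTables)) return false;
    if (version != 0) return false;
    for (uint16_t i = 0; i < numTables; ++i) {
        const size_t rec = 4 + size_t(i) * 8;     // platformID, encodingID, offset
        uint32_t off;
        if (!rd32(tbl, len, rec + 4, off)) return false;
        if (off >= len) return false;             // the "Bad subtable offset" case
        uint16_t format;
        if (!rd16(tbl, len, off, format)) return false;
        if (format != 4) continue;                // other formats not covered here
        uint16_t sublen, segX2;
        if (!rd16(tbl, len, off + 2, sublen) || !rd16(tbl, len, off + 6, segX2)) return false;
        if (sublen > len - off) return false;     // subtable claims more bytes than exist
        if (segX2 < 2 || (segX2 & 1)) return false;
        // 14-byte header + endCode[] + reservedPad + startCode[] + idDelta[] + idRangeOffset[]
        if (16 + size_t(segX2) * 4 > sublen) return false;
    }
    return true;
}

// Bounds-checked format 4 lookup.  Returns true and sets gid for a mapped
// codepoint; the idRangeOffset-relative glyph address is validated before it
// is read, which is the kind of read the ASan report above lands in.
bool cmap4Lookup(const uint8_t* tbl, size_t len, size_t off, uint32_t cp, uint16_t& gid) {
    gid = 0;
    if (cp > 0xFFFF) return false;
    uint16_t segX2;
    if (!rd16(tbl, len, off + 6, segX2) || segX2 < 2 || (segX2 & 1)) return false;
    const size_t segs = segX2 / 2;
    const size_t endCodes = off + 14;
    const size_t startCodes = endCodes + segX2 + 2;   // +2 skips reservedPad
    const size_t idDeltas = startCodes + segX2;
    const size_t idRangeOffsets = idDeltas + segX2;
    for (size_t i = 0; i < segs; ++i) {
        uint16_t end, start, delta, rangeOff;
        if (!rd16(tbl, len, endCodes + 2 * i, end)) return false;
        if (cp > end) continue;
        if (!rd16(tbl, len, startCodes + 2 * i, start)) return false;
        if (cp < start) continue;
        if (!rd16(tbl, len, idDeltas + 2 * i, delta) ||
            !rd16(tbl, len, idRangeOffsets + 2 * i, rangeOff)) return false;
        uint16_t g = static_cast<uint16_t>(cp);
        if (rangeOff != 0) {
            // Spec: glyph id lives at &idRangeOffset[i] + rangeOff + 2*(cp - start).
            const size_t addr = idRangeOffsets + 2 * i + rangeOff + 2 * (cp - start);
            if (!rd16(tbl, len, addr, g)) return false; // off the end: reject, don't read
            if (g == 0) return false;
        }
        gid = static_cast<uint16_t>((g + delta) & 0xFFFF);
        return gid != 0;
    }
    return false;
}

// Constructed sample: one (3,1) encoding record pointing at a 32-byte format 4
// subtable with segment [0x41..0x43] -> glyphs 1..3 and the 0xFFFF terminator.
std::vector<uint8_t> makeSampleCmap() {
    return {
        0x00,0x00, 0x00,0x01,                       // version 0, numTables 1
        0x00,0x03, 0x00,0x01, 0x00,0x00,0x00,0x0C,  // platform 3, encoding 1, offset 12
        0x00,0x04, 0x00,0x20, 0x00,0x00, 0x00,0x04, // format 4, length 32, language 0, segCountX2 4
        0x00,0x04, 0x00,0x01, 0x00,0x00,            // searchRange, entrySelector, rangeShift
        0x00,0x43, 0xFF,0xFF,                       // endCode[]
        0x00,0x00,                                  // reservedPad
        0x00,0x41, 0xFF,0xFF,                       // startCode[]
        0xFF,0xC0, 0x00,0x01,                       // idDelta[]: 1 - 0x41 = -64, and 1
        0x00,0x00, 0x00,0x00                        // idRangeOffset[]
    };
}

// Same table with the record offset rewritten to 604 (the value from the OTS
// message above) in a 44-byte table: the validator must reject it.
std::vector<uint8_t> makeBadOffsetCmap() {
    std::vector<uint8_t> t = makeSampleCmap();
    t[8] = 0x00; t[9] = 0x00; t[10] = 0x02; t[11] = 0x5C;   // 0x25C == 604
    return t;
}

bool sampleTableIsSane()    { auto t = makeSampleCmap();    return cmapTableIsSane(t.data(), t.size()); }
bool badOffsetTableIsSane() { auto t = makeBadOffsetCmap(); return cmapTableIsSane(t.data(), t.size()); }

// Glyph id for a codepoint in the sample table, or -1 if unmapped.
int sampleGlyphFor(uint32_t cp) {
    auto t = makeSampleCmap();
    uint16_t gid = 0;
    return cmap4Lookup(t.data(), t.size(), 12, cp, gid) ? gid : -1;
}
```

Running the validator before the cache is built is the cheap half of the fix; the bounded lookup is the half that matters when a file is crafted to pass the structural checks yet still point its idRangeOffset past the end of the table.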
Comment 1•9 years ago
Updated•9 years ago
Flags: needinfo?(martin_hosken)
Comment 2•9 years ago
Fixed upstream
Updated•9 years ago
Flags: needinfo?(martin_hosken)
Updated•9 years ago
Keywords: sec-moderate
Whiteboard: sec-high+ without OTS
Updated•9 years ago
Group: core-security → gfx-core-security
Comment 3•9 years ago
fixed in central
Comment 4•9 years ago
(In reply to martin_hosken from comment #3)
> fixed in central
Can we mark this bug fixed? (sorry for the triage churn)
No longer depends on: 1207207
Updated•9 years ago
Whiteboard: sec-high+ without OTS → sec-high+ without OTS [gfx-noted]
Comment 5•9 years ago
Fixed by bug 1200098.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
Group: gfx-core-security → core-security-release
Updated•9 years ago
Group: core-security-release