Closed
Bug 1194008
Opened 9 years ago
Closed 9 years ago
Crash [@ graphite2::vm::Machine::Code::decoder::fetch_opcode]
Categories
(Core :: Graphics: Text, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, sec-moderate, testcase, Whiteboard: sec-high or worse without OTS [gfx-noted])
Crash Data
Attachments
(1 file)
57.83 KB,
application/octet-stream
|
Details |
The attached testcase crashes on graphite2 revision fa8d4398dded (run through the gr2fonttest command line utility). Backtrace: ==11360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f753 at pc 0x7f66ec39fde7 bp 0x7fff10288ff0 sp 0x7fff10288fe8 READ of size 1 at 0x61a00001f753 thread T0 #0 0x7f66ec39fde6 in graphite2::vm::Machine::Code::decoder::fetch_opcode(unsigned char const*) /src/Code.cpp:369 #1 0x7f66ec38f870 in graphite2::vm::Machine::Code::decoder::load(unsigned char const*, unsigned char const*) /src/Code.cpp:254 #2 0x7f66ec38f870 in graphite2::vm::Machine::Code::Code(bool, unsigned char const*, unsigned char const*, unsigned char, unsigned short, graphite2::Silf const&, graphite2::Face const&, graphite2::passtype, unsigned char*&) /src/Code.cpp:194 #3 0x7f66ec40cf0c in graphite2::Pass::readRules(unsigned char const*, unsigned long, unsigned char const*, unsigned short const*, unsigned short const*, unsigned char const*, unsigned short const*, unsigned char const*, graphite2::Face&, graphite2::passtype, graphite2::Error&) /src/Pass.cpp:238 #4 0x7f66ec40a99c in graphite2::Pass::readPass(unsigned char const*, unsigned long, unsigned long, graphite2::Face&, graphite2::passtype, unsigned int, graphite2::Error&) /src/Pass.cpp:183 #5 0x7f66ec439b62 in graphite2::Silf::readGraphite(unsigned char const*, unsigned long, graphite2::Face&, unsigned int) /src/Silf.cpp:212 #6 0x7f66ec3cdfb8 in graphite2::Face::readGraphite(graphite2::Face::Table const&) /src/Face.cpp:149 #7 0x7f66ec369bef in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:59 #8 0x7f66ec36cf79 in gr_make_face_with_ops /src/gr_face.cpp:89 #9 0x7f66ec36cf79 in gr_make_file_face /src/gr_face.cpp:242 #10 0x48ed05 in Parameters::testFileFont() const /gr2fonttest/gr2FontTest.cpp:618 #11 0x49248b in main /gr2fonttest/gr2FontTest.cpp:770 #12 0x7f66ebfaaec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #13 0x486c4c in _start (/build/gr2fonttest/gr2fonttest+0x486c4c) 0x61a00001f753 is located 0 bytes to the right of 1235-byte region [0x61a00001f280,0x61a00001f753) allocated by thread T0 here: #0 0x46df61 in __interceptor_malloc (/build/gr2fonttest/gr2fonttest+0x46df61) #1 0x7f66ec45ebfe in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) /src/FileFace.cpp:90 #2 0x7f66ec3d079f in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) /src/Face.cpp:274 #3 0x7f66ec3698e7 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:49 #4 0x7f66ec36cf79 in gr_make_face_with_ops /src/gr_face.cpp:89 #5 0x7f66ec36cf79 in gr_make_file_face /src/gr_face.cpp:242 SUMMARY: AddressSanitizer: heap-buffer-overflow /src/Code.cpp:369 graphite2::vm::Machine::Code::decoder::fetch_opcode(unsigned char const*) Shadow bytes around the buggy address: 0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c347fffbee0: 00 00 00 00 00 00 00 00 00 00[03]fa fa fa fa fa 0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==11360==ABORTING Note that this is on graphite2 trunk and without OTS in front of it. We tested this particular file in Firefox and it is rejected by OTS with: post: Bad string index 3868 post: failed to parse table However, according to cdiehl that doesn't necessarily mean that the bug cannot be reached through OTS (e.g. by fixing up the testcase enough to make it through). Marking s-s until we confirmed that this bug cannot be reached/exploited with OTS enabled.
Reporter | ||
Comment 1•9 years ago
|
||
Comment 2•9 years ago
|
||
Fixed upstream
Comment 3•9 years ago
|
||
By which version or patch?
Comment 4•9 years ago
|
||
Fixed in revision 7b3097892177 but we are now nearly 50 revisions later on ad3b10404047 or just take the head/tip revision.
Updated•9 years ago
|
Group: core-security → gfx-core-security
Updated•9 years ago
|
No longer depends on: 1207207
Whiteboard: sec-high or worse without OTS → sec-high or worse without OTS [gfx-noted]
Comment 6•9 years ago
|
||
Fixed by bug 1200098.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
|
Group: gfx-core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•