Closed Bug 1194008 Opened 9 years ago Closed 9 years ago

Crash [@ graphite2::vm::Machine::Code::decoder::fetch_opcode]

Product/Component: Core :: Graphics: Text (defect)
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: decoder
Assignee: Unassigned
Blocks: 1 open bug
Keywords: crash, sec-moderate, testcase
Whiteboard: sec-high or worse without OTS [gfx-noted]
Attachments: 1 file (57.83 KB, application/octet-stream)
The attached testcase crashes on graphite2 revision fa8d4398dded (run through the gr2fonttest command line utility).

Backtrace:

==11360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f753 at pc 0x7f66ec39fde7 bp 0x7fff10288ff0 sp 0x7fff10288fe8
READ of size 1 at 0x61a00001f753 thread T0
    #0 0x7f66ec39fde6 in graphite2::vm::Machine::Code::decoder::fetch_opcode(unsigned char const*) /src/Code.cpp:369
    #1 0x7f66ec38f870 in graphite2::vm::Machine::Code::decoder::load(unsigned char const*, unsigned char const*) /src/Code.cpp:254
    #2 0x7f66ec38f870 in graphite2::vm::Machine::Code::Code(bool, unsigned char const*, unsigned char const*, unsigned char, unsigned short, graphite2::Silf const&, graphite2::Face const&, graphite2::passtype, unsigned char*&) /src/Code.cpp:194
    #3 0x7f66ec40cf0c in graphite2::Pass::readRules(unsigned char const*, unsigned long, unsigned char const*, unsigned short const*, unsigned short const*, unsigned char const*, unsigned short const*, unsigned char const*, graphite2::Face&, graphite2::passtype, graphite2::Error&) /src/Pass.cpp:238
    #4 0x7f66ec40a99c in graphite2::Pass::readPass(unsigned char const*, unsigned long, unsigned long, graphite2::Face&, graphite2::passtype, unsigned int, graphite2::Error&) /src/Pass.cpp:183
    #5 0x7f66ec439b62 in graphite2::Silf::readGraphite(unsigned char const*, unsigned long, graphite2::Face&, unsigned int) /src/Silf.cpp:212
    #6 0x7f66ec3cdfb8 in graphite2::Face::readGraphite(graphite2::Face::Table const&) /src/Face.cpp:149
    #7 0x7f66ec369bef in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:59
    #8 0x7f66ec36cf79 in gr_make_face_with_ops /src/gr_face.cpp:89
    #9 0x7f66ec36cf79 in gr_make_file_face /src/gr_face.cpp:242
    #10 0x48ed05 in Parameters::testFileFont() const /gr2fonttest/gr2FontTest.cpp:618
    #11 0x49248b in main /gr2fonttest/gr2FontTest.cpp:770
    #12 0x7f66ebfaaec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #13 0x486c4c in _start (/build/gr2fonttest/gr2fonttest+0x486c4c)

0x61a00001f753 is located 0 bytes to the right of 1235-byte region [0x61a00001f280,0x61a00001f753)
allocated by thread T0 here:
    #0 0x46df61 in __interceptor_malloc (/build/gr2fonttest/gr2fonttest+0x46df61)
    #1 0x7f66ec45ebfe in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) /src/FileFace.cpp:90
    #2 0x7f66ec3d079f in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) /src/Face.cpp:274
    #3 0x7f66ec3698e7 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /src/gr_face.cpp:49
    #4 0x7f66ec36cf79 in gr_make_face_with_ops /src/gr_face.cpp:89
    #5 0x7f66ec36cf79 in gr_make_file_face /src/gr_face.cpp:242

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/Code.cpp:369 graphite2::vm::Machine::Code::decoder::fetch_opcode(unsigned char const*)
==11360==ABORTING


Note that this is on graphite2 trunk and without OTS in front of it. We tested this particular file in Firefox and it is rejected by OTS with:

post: Bad string index 3868
post: failed to parse table

However, according to cdiehl that doesn't necessarily mean that the bug cannot be reached through OTS (e.g. by fixing up the testcase enough to make it through). Marking s-s until we have confirmed that this bug cannot be reached/exploited with OTS enabled.
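The report above is a one-byte read landing exactly at the end of the 1235-byte table allocation while fetching an opcode. The following is an added example, not graphite2's code: a minimal decoder in the shape of Code::decoder::load()/fetch_opcode() that refuses to read at or past the end of the bytecode buffer. The opcode set, operand table and sample programs are constructed for illustration.

```c
/* Added example, not graphite2's code: a minimal bytecode decoder shaped like
 * Code::decoder::load()/fetch_opcode(), with the end-of-buffer checks a
 * font-supplied program needs. Opcode table and samples are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OP_NOP, OP_PUSH, OP_ADD, OP_RET, OP_COUNT };
static const size_t op_params[OP_COUNT] = { 0, 1, 0, 0 }; /* operand bytes per opcode */
enum { OK, ERR_OPCODE_OOB, ERR_BAD_OPCODE, ERR_PARAMS_OOB };

/* Read one opcode. A truncated or crafted program can end exactly where the
 * next opcode would be; without the `end` check the read lands one byte past
 * the table allocation, the "0 bytes to the right" that ASan reports. */
static int fetch_opcode(const uint8_t **bc, const uint8_t *end, uint8_t *op)
{
    if (*bc >= end) return ERR_OPCODE_OOB;
    *op = *(*bc)++;
    return *op < OP_COUNT ? OK : ERR_BAD_OPCODE;
}

/* Walk a program up to OP_RET. Operand lengths come from our own table, not
 * from the font, and are still checked against the bytes that remain. */
static int load(const uint8_t *bc, size_t len, size_t *n_insns)
{
    const uint8_t *end = bc + len;
    size_t n = 0;
    for (;;) {
        uint8_t op;
        int st = fetch_opcode(&bc, end, &op);
        if (st != OK) return st;
        if ((size_t)(end - bc) < op_params[op]) return ERR_PARAMS_OOB;
        bc += op_params[op];
        if (n_insns) *n_insns = ++n;
        if (op == OP_RET) return OK;
    }
}

/* Constructed samples: one well-formed program and three malformed ones. */
static const uint8_t PROG_OK[]    = { OP_PUSH, 7, OP_PUSH, 3, OP_ADD, OP_RET };
static const uint8_t PROG_NORET[] = { OP_PUSH, 7, OP_ADD };  /* runs off the end */
static const uint8_t PROG_SHORT[] = { OP_PUSH };             /* operand missing */
static const uint8_t PROG_BADOP[] = { 9, OP_RET };           /* unknown opcode */

int main(void)
{
    printf("well-formed: %d, truncated: %d\n", load(PROG_OK, sizeof PROG_OK, NULL),
           load(PROG_NORET, sizeof PROG_NORET, NULL));
    return 0;
}
```

PROG_NORET reproduces the reported shape: the last valid opcode is consumed, then the next fetch would read at `end`, which the check turns into an error instead of a heap-buffer-overflow.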
Attached file Testcase
Fixed upstream
By which version or patch?
Flags: needinfo?(martin_hosken)
Keywords: sec-moderate
Whiteboard: sec-high or worse without OTS
Fixed in revision 7b3097892177, but we are now nearly 50 revisions later on ad3b10404047, or just take the head/tip revision.
Group: core-security → gfx-core-security
Depends on: 1207207
fixed in central
Flags: needinfo?(martin_hosken)
No longer depends on: 1207207
Whiteboard: sec-high or worse without OTS → sec-high or worse without OTS [gfx-noted]
Fixed by bug 1200098.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release