Closed Bug 1207298 Opened 9 years ago Closed 9 years ago

MSan: use-of-uninitialized-value in ReadHuffmanCode


(Core :: Networking: HTTP, defect)

Not set



Tracking Status
firefox43 --- wontfix
firefox44 --- fixed
firefox-esr38 --- unaffected


(Reporter: tsmith, Assigned: mcmanus)



(Keywords: csectype-uninitialized, sec-low, testcase, Whiteboard: [adv-main44+])


(3 files)

Attached file call_stack.txt
Not sure which component this should go under so I copied bug 366559 for now.

I am fuzzing the latest version of the code from:
Attached file test_case.compressed
Flags: needinfo?(jyrki.alakuijala)
Group: core-security → network-core-security
Flags: needinfo?(jyrki.alakuijala)
sorry, missed this -- we will look at this tomorrow
I am able to reproduce this with the latest github head. 

$ valgrind ./bro --decompress --input corrupt.xyzzy --output /dev/null --force

shows the violators. We will get this fixed on Monday or latest on Tuesday.
We found the problem. Fix will be committed on Monday.
(In reply to Eugene Kliuchnikov from comment #4)
> We found the problem. Fix will be committed on Monday.

Awesome, please let me know when it lands (cset would be great) and then I'll take a snapshot to gecko to fix 1207298 1207256 and 1207667

Dan - what do you think about backports and landings as it seems plausible (but unknown) that these could impact deployed woff2
Flags: needinfo?(
Flags: needinfo?(dveditz)
It is already landed to github (PR #183, commit 933bb9bd800c8f5f7f6a02382d33c902a98ef73a)
Flags: needinfo?(
It is possible that the older version of woff2.0/brotli you have snapshotted has a different collection of security problems. We practically rewrote the decoder during the summer.

Backports would not only fix possible security problems, but also give a significant performance boost. (about 2x speedup). 

If you want to backport brotli issues within woff 2.0, it is likely that you should just backport the whole woff 2.0 for simplicity. We reworked the API between woff 2.0 and brotli somewhere around April, so if your snapshot is older than that April 2015, you need to possibly get the whole woff 2.0 (not sure about this, just thinking aloud).
The new github repairs this testcase (and the ones in 1207256). Thanks!

I also tested against our old snapshot (for woff2) and it did not have a problem with this testcase under valgrind.
44 (44 introduced the http encoding) will use the same code for both http encodings and woff2. Not sure whether that would impact the ease of a backport.

I'm hoping that because the only known issue with the older code is 1207256 and that is sec-moderate we can just restrict the landing to nightly. Changing a whole library on a channel later in the pipeline is fraught with risk.
Attachment #8666811 - Flags: review?(jfkthame)
Assignee: nobody → mcmanus
If you need our help with testing the old brotli versions, we would be happy to help.
Attachment #8666811 - Flags: review?(jfkthame) → review+
It appears that WOFF2 wasn't enabled until Firefox 39 and if so we don't need to worry about it or brotli on the ESR-38 branch. Unless further testing of WOFF2 on Beta shows a pressing need to fix security bugs then your plan to let the library upgrade ride the trains is good.
Flags: needinfo?(dveditz)
bug 1207298 Backed out changeset 532703f2629f for build failures r=backout CLOSED TREE
one of the existing warnings in c code got promoted to an inline macro and thus popped up in directories that enforce fail on warning at compile time.
We're working on it now.
We have a fix for it. It will be pushed to github on Monday.
(In reply to Eugene Kliuchnikov from comment #18)
> We have a fix for it. It will be pushed to github on Monday.

Thanks! The only real problematic part was the one warning from bit_reader.h (signed/unsigned comparison) because that gets included outside of the brotli objects (the brotli objects are whitelisted into having that warning). I was able to fix it with a one line cast and landed that knowing that the next time we do an import there will be a fix upstream already.
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Group: network-core-security → core-security-release
Whiteboard: [adv-main44-]
Keywords: sec-low
Whiteboard: [adv-main44-] → [adv-main44+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.