Closed
Bug 1207667
Opened 9 years ago
Closed 9 years ago
heap-buffer-overwrite in BrotliFileInputFunction
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox43 | --- | unaffected |
| firefox44 | + | fixed |
| firefox-esr38 | --- | unaffected |
People
(Reporter: tsmith, Unassigned)
References
Details
(4 keywords)
Attachments
(2 files, 2 obsolete files)
Not sure which component this should go under so I copied bug 366559 for now. I am fuzzing the latest version of the code from: https://github.com/google/brotli
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
|
||
Comment 3•9 years ago
|
||
We are looking at this
|
||
Comment 4•9 years ago
|
||
I could reproduce this on the github version, and confirmed that it is already fixed internally. We will push a new decoder to google/brotli repo soon.
|
|
||
Comment 5•9 years ago
|
||
I updated https://github.com/google/brotli, could you verify that it is fixed?
|
||
Updated•9 years ago
|
Flags: needinfo?(twsmith)
|
|
||
Updated•9 years ago
|
Group: core-security → network-core-security
|
|
Reporter | |
Comment 6•9 years ago
|
||
I am still able to reproduce this issue. I did a git pull and I am not at https://github.com/google/brotli/commit/24dca87f96dcd29a2803ffa697ea1d823d1ea703.
Attachment #8664955 -
Attachment is obsolete: true
Flags: needinfo?(twsmith)
|
|
Reporter | |
Comment 7•9 years ago
|
||
updated test case
Attachment #8664956 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 8•9 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #6) > Created attachment 8665675 [details] > valgrid_output.txt > > I am still able to reproduce this issue. > > I did a git pull and I am not at > https://github.com/google/brotli/commit/ > 24dca87f96dcd29a2803ffa697ea1d823d1ea703. Typo :) I am now at https://github.com/google/brotli/commit/24dca87f96dcd29a2803ffa697ea1d823d1ea703
|
|
||
Comment 9•9 years ago
|
||
We fixed one more bug in decoder, the new test case is fixed in the latest commit: https://github.com/google/brotli/commit/6dd53d618377e0efd3b0d2de9f03c284ccf81695
|
|
Reporter | |
Comment 10•9 years ago
|
||
That seems to have fixed the bug.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Comment 11•9 years ago
|
||
This bug should remain open until the upstream fix has landed on mozilla-central.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Updated•9 years ago
|
status-firefox43:
--- → unaffected
status-firefox44:
--- → affected
status-firefox-esr38:
--- → unaffected
|
|
||
Comment 12•9 years ago
|
||
[Tracking Requested - why for this release]:
tracking-firefox44:
--- → ?
Keywords: sec-critical
|
||
Comment 13•9 years ago
|
||
I can verify that cset from github 933bb9bd800c8f5f7f6a02382d33c902a98ef73a makes valgrind pass the testcase. I can also verify that the cset we are shipping on >=43 for woff2 also passes the testcase.
|
|
||
Comment 14•9 years ago
|
||
bug 1207298 checked in a library update that will also resolve this issue.
Group: network-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Tracked as it's sec-critical.
FF44 status is fixed based on comment 14.
Flags: needinfo?(mcmanus)
|
|
||
Comment 17•9 years ago
|
||
I'm clearing the ni flag because I don't see a question to be answered.
Flags: needinfo?(mcmanus)
|
||
Comment 18•9 years ago
|
||
| noise | ||
(In reply to Patrick McManus [:mcmanus] from comment #17) > I'm clearing the ni flag because I don't see a question to be answered. Sorry about that. :)
|
|
Reporter | |
Updated•8 years ago
|
Status: RESOLVED → VERIFIED
Flags: needinfo?(twsmith)
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•