MSan: use-of-uninitialized-value in pcf_read_TOC (pcfread.c:105)

Status: RESOLVED INVALID
Product: Core
Component: Layout: Text
Severity: critical
Version: Trunk
Keywords: crash, csectype-uninitialized, testcase
Reporter: tsmith
Assignee: Unassigned
Firefox Tracking Flags: firefox44 affected
Attachments: 2

Description (Reporter, 2 years ago)

Created attachment 8668567: call_stack.txt

This was found while fuzzing FreeType 2.5.5.

This appears to be a fairly serious issue: the uninitialized value is used as a size in a memory allocation. This can lead to a crash or worse.

This likely also affects Firefox OS, since I believe it is used in the AOSP kernel.
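The description above says the uninitialized value ends up as an allocation size. The C program below is an added illustration of that bug class and is not FreeType's pcf_read_TOC code: the table-of-contents layout, the magic value, the entry-count bound and the sample inputs are all constructed for this example. `read_toc_unchecked` shows the pattern (read results ignored, so a file that ends early leaves `count` unset before `malloc`), and `read_toc_checked` shows the checks a table reader needs: every read's result tested, the count bounded, and the table size compared against the bytes actually left in the stream.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical table-of-contents layout, constructed for this example (it is
 * not the real PCF on-disk format): a 4-byte magic, a 4-byte little-endian
 * entry count, then `count` entries of four little-endian u32 fields each. */
#define TOC_MAGIC       0x70636601u   /* hypothetical */
#define TOC_ENTRY_BYTES 16
#define TOC_MAX_ENTRIES 256           /* hypothetical sanity bound */

typedef struct { uint32_t type, format, size, offset; } toc_entry;

/* In-memory stream standing in for the font file. */
typedef struct { const uint8_t *buf; size_t len, pos; } stream;

/* Little-endian u32 read: 0 on success, -1 on a short read. On failure *out is
 * left untouched, which is what lets an unchecked caller consume garbage. */
static int read_u32(stream *s, uint32_t *out)
{
    const uint8_t *p = s->buf + s->pos;
    if (s->len - s->pos < 4)
        return -1;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->pos += 4;
    return 0;
}

/* The bug class from the report: read results are ignored, so a file that ends
 * right after the magic never writes `count`, and whatever was on the stack
 * becomes the malloc size and the loop bound. Shown for comparison only; main()
 * never calls it (doing so on truncated input is undefined behaviour). */
toc_entry *read_toc_unchecked(stream *s, uint32_t *count_out)
{
    uint32_t magic, count, i;
    toc_entry *t;
    read_u32(s, &magic);
    read_u32(s, &count);                     /* may fail silently */
    t = malloc((size_t)count * sizeof *t);   /* uninitialized size */
    for (i = 0; t != NULL && i < count; i++) /* uninitialized loop bound */
        read_u32(s, &t[i].type);
    *count_out = count;
    return t;
}

/* Hardened reader: every read is checked, the count is bounded, and the table
 * must fit in the bytes actually remaining. Returns 0 and a calloc'd array on
 * success, -1 (and *out == NULL) on any malformed input. */
int read_toc_checked(stream *s, toc_entry **out, uint32_t *count_out)
{
    uint32_t magic = 0, count = 0, i;
    toc_entry *t;
    *out = NULL; *count_out = 0;
    if (read_u32(s, &magic) != 0 || magic != TOC_MAGIC)
        return -1;
    if (read_u32(s, &count) != 0 || count == 0 || count > TOC_MAX_ENTRIES)
        return -1;
    if ((s->len - s->pos) / TOC_ENTRY_BYTES < count)
        return -1;                           /* table would run off the file */
    if ((t = calloc(count, sizeof *t)) == NULL)
        return -1;
    for (i = 0; i < count; i++) {
        if (read_u32(s, &t[i].type) || read_u32(s, &t[i].format) ||
            read_u32(s, &t[i].size) || read_u32(s, &t[i].offset)) {
            free(t); return -1;
        }
    }
    *out = t; *count_out = count;
    return 0;
}

/* Parses a buffer with the checked reader; returns the entry count or -1. */
int toc_entry_count(const uint8_t *buf, size_t len)
{
    stream s = { buf, len, 0 };
    toc_entry *t;
    uint32_t n;
    if (read_toc_checked(&s, &t, &n) != 0)
        return -1;
    free(t);
    return (int)n;
}

/* Constructed sample inputs (magic 0x70636601 little-endian = 01 66 63 70). */
const uint8_t good_toc[] = {
    0x01, 0x66, 0x63, 0x70, 0x02, 0x00, 0x00, 0x00,          /* count = 2 */
    1,0,0,0, 0,0,0,0, 0x10,0,0,0, 0x28,0,0,0,               /* entry 0 */
    2,0,0,0, 0,0,0,0, 0x20,0,0,0, 0x38,0,0,0 };             /* entry 1 */
const uint8_t truncated_toc[] = { 0x01, 0x66, 0x63, 0x70 }; /* ends before count */
const uint8_t huge_toc[] = { 0x01, 0x66, 0x63, 0x70, 0xff, 0xff, 0xff, 0xff };
const uint8_t short_table_toc[] = {
    0x01, 0x66, 0x63, 0x70, 0x03, 0x00, 0x00, 0x00,          /* claims 3 entries */
    1,0,0,0, 0,0,0,0, 0x10,0,0,0, 0x28,0,0,0 };             /* only one present */

int main(void)
{
    printf("good: %d\n", toc_entry_count(good_toc, sizeof good_toc));
    printf("truncated: %d\n", toc_entry_count(truncated_toc, sizeof truncated_toc));
    printf("huge count: %d\n", toc_entry_count(huge_toc, sizeof huge_toc));
    printf("short table: %d\n", toc_entry_count(short_table_toc, sizeof short_table_toc));
    return 0;
}
```

The checked reader rejects the truncated, oversized and short-table inputs with -1 and accepts only the well-formed one. To reproduce the report's symptom on the toy, build with `clang -fsanitize=memory -g` and call `read_toc_unchecked` on `truncated_toc`: the never-written `count` flows into the allocation size and the loop bound, and MemorySanitizer reports that use.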
Comment 1 (Reporter, 2 years ago)

Created attachment 8668568: test_case.ttf
Comment 2 (Reporter, 2 years ago)

Verified that this is in both 2.5.5 and the latest released version 2.6.
Comment 3 (Reporter, 2 years ago)

This test case should be a .pcf file (Portable Compiled Format), which we do not support in Firefox. So this is likely invalid unless it is used in FxOS for some reason.

I don't know that we support this format anywhere. Even if the code is present on FxOS, you either have the built-in fonts (which wouldn't be an attack) or downloadable web fonts, which are WOFF (OpenType).

I don't know that Android supports this format either, but we could report it upstream to FreeType and AOSP anyway.

I don't believe AOSP will be directly affected by this either, but it should definitely be reported upstream to FreeType.
Group: core-security → layout-core-security
Comment 7 (Reporter, 2 years ago)

Already reported and fixed upstream.

https://savannah.nongnu.org/bugs/?func=detailitem&item_id=46109
Updated (Reporter, 2 years ago)

Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
Group: layout-core-security