Bug 1242322 (CVE-2016-1969)

Crash - Out of Bounds Write in Graphite setAttr Function

VERIFIED FIXED

Type: defect

People

(Reporter: temp66, Unassigned)

Tracking

({csectype-bounds, sec-critical})

46 Branch
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox44- wontfix, firefox45+ verified, firefox46+ verified, firefox47+ verified, firefox-esr3844+ verified)

Details

(Whiteboard: [adv-main45+][adv-ESR38.6+] fixed in 1243843, on ESR in bug 1246093)

Attachments

(3 attachments)

(Reporter)

Description

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160106234723

Steps to reproduce:

Loaded a page that used a malicious/corrupt Graphite font file.
The ASAN build of firefox 46.0a1, downloaded from https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1453669987/, was used.

Actual results:

The tab crashed with ASAN reporting an out of bounds write on the heap.
See the attached stack trace.
Expected results:

No crash.
(Reporter)

Comment 1

Posted file Font file test case
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Product: Firefox → Core
Flags: sec-bounty?
Component: Graphics → Graphics: Text
Tyson was able to reproduce using ASAN. This testcase doesn't crash without ASAN but that doesn't mean there's not a problem.
Group: core-security → gfx-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-critical
Martin, here's a naughty font for you...
Flags: needinfo?(martin_hosken)
Jonathan (or anyone) can you also check to see if this also affects 45?
Flags: needinfo?(jfkthame)
Tyson, can you look into comment 5 for us, please?
Flags: needinfo?(jfkthame) → needinfo?(twsmith)
Martin, can you confirm if this one is fixed upstream? Which rev?

Comment 8

fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Flags: needinfo?(martin_hosken)
I was unable to reproduce this issue on 45.
Flags: needinfo?(twsmith)
(In reply to martin_hosken from comment #8)
> fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829

For anybody who is curious, the full link seems to be:
https://github.com/silnrsi/graphite/commit/a8b3ac2aed0eb132cd80efe7de88f8153e73c829
(In reply to Jonathan Kew (:jfkthame) from comment #12)
> I believe this should be fixed in the latest inbound/aurora/beta builds.
> Could you confirm whether it can still be reproduced with any of these --
> thanks.
> 
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-
> linux64-asan/1455125082/
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-
> linux64-asan/1455106701/
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-beta-linux64-
> asan/1455107601/

Seems to be fixed. No repro on any of these builds.
Marking this as fixed for 45, 46, and 47.  So this may still affect 44?
I'm marking this fixed because 47 is fixed.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #14)
> Marking this as fixed for 45, 46, and 47.  So this may still affect 44?

I expect so, as 44 is still on graphite 1.3.4.
Flags: sec-bounty? → sec-bounty+
Group: gfx-core-security → core-security-release
I'll assume ESR is also affected...
(In reply to Andrew McCreight [:mccr8] from comment #17)
> I'll assume ESR is also affected...

The same fixes landed on ESR38 in bug 1246093.
See Also: → CVE-2016-2799
Updating ESR38 status to Fixed based on comment 18 (and status from bug 1246093).
Depends on: 1243843, 1246093
Whiteboard: fixed in 1243843, on ESR in bug 1246093
I was able to reproduce this issue on Firefox 46.0a1 asan build (specified in Description) using Ubuntu 12.02 64-bit and Ubuntu 13.10 64-bit.

Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre tinderbox-build (20160229210832) under Ubuntu 13.10 64-bit, Mac OS X 10.11 and Windows 10 64-bit.
(In reply to Vasilica Mihasca, QA [:vasilica_mihasca] from comment #20)
> I was able to reproduce this issue on Firefox 46.0a1 asan build (specified
> in Description) using Ubuntu 12.02 64-bit and Ubuntu 13.10 64-bit.
> 
> Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29),
> Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre
> tinderbox-build (20160229210832) under Ubuntu 13.10 64-bit, Mac OS X 10.11
> and Windows 10 64-bit.

This should be fixed in 46 and 45. Are you saying that you reproduced the original bug in 46?
Flags: needinfo?(vasilica.mihasca)
Whiteboard: fixed in 1243843, on ESR in bug 1246093 → [adv-main45+][adv-ESR38.6+] fixed in 1243843, on ESR in bug 1246093
Alias: CVE-2016-1969
(In reply to Al Billings [:abillings] from comment #21)

> This should be fixed in 46 and 45. Are you saying that you reproduced the
> original bug in 46?

I reproduced the initial issue using the firefox asan build specified by the reporter (https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1453669987/). 

In order to verify an issue I initially have to reproduce it using the affected build mentioned in Description and only after that to test it on latest versions.

So, as I specified in Comment 20, this issue is no longer reproducible on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre tinderbox-build (20160229210832).
Flags: needinfo?(vasilica.mihasca)
Group: core-security-release