Closed Bug 1242322 (CVE-2016-1969) Opened 5 years ago Closed 5 years ago
Crash - Out of Bounds Write in Graphite set
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160106234723

Steps to reproduce:
Loaded a page that used a malicious/corrupt Graphite font file. The ASAN build of firefox 46.0a1, downloaded from https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1453669987/ was used.

Actual results:
The tab crashed with ASAN reporting an out of bounds write on the heap. See the attached stack trace.

Expected results:
No crash.
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Product: Firefox → Core
Tyson was able to reproduce using ASAN. This testcase doesn't crash without ASAN but that doesn't mean there's not a problem.
Group: core-security → gfx-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Martin, here's a naughty font for you...
Jonathan (or anyone) can you also check to see if this also affects 45?
Tyson, can you look into comment 5 for us, please?
Flags: needinfo?(jfkthame) → needinfo?(twsmith)
Martin, can you confirm if this one is fixed upstream? Which rev?
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
I was unable to reproduce this issue on 45.
(In reply to martin_hosken from comment #8)
> fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829

For anybody who is curious, the full link seems to be: https://github.com/silnrsi/graphite/commit/a8b3ac2aed0eb132cd80efe7de88f8153e73c829
I was able to reproduce this on the 44.0.1 release asan build (found here: https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-release-linux64-asan/1455041027/firefox-44.0.1.en-US.linux-x86_64-asan.tar.bz2).
I believe this should be fixed in the latest inbound/aurora/beta builds. Could you confirm whether it can still be reproduced with any of these -- thanks.

http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-linux64-asan/1455125082/
http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1455106701/
http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1455107601/
(In reply to Jonathan Kew (:jfkthame) from comment #12)
> I believe this should be fixed in the latest inbound/aurora/beta builds.
> Could you confirm whether it can still be reproduced with any of these --
> thanks.
>
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-linux64-asan/1455125082/
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1455106701/
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1455107601/

Seems to be fixed. No repro on any of these builds.
Marking this as fixed for 45, 46, and 47. So this may still affect 44?
I'm marking this fixed because 47 is fixed.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #14)
> Marking this as fixed for 45, 46, and 47. So this may still affect 44?

I expect so, as 44 is still on graphite 1.3.4.
I'll assume ESR is also affected...
(In reply to Andrew McCreight [:mccr8] from comment #17)
> I'll assume ESR is also affected...

The same fixes landed on ESR38 in bug 1246093.
Updating ESR38 status to Fixed based on comment 18 (and status from bug 1246093).
I was able to reproduce this issue on Firefox 46.0a1 asan build (specified in Description) using Ubuntu 12.02 64-bit and Ubuntu 13.10 64-bit.

Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre tinderbox-build (20160229210832) under Ubuntu 13.10 64-bit, Mac OS X 10.11 and Windows 10 64-bit.
(In reply to Vasilica Mihasca, QA [:vasilica_mihasca] from comment #20)
> I was able to reproduce this issue on Firefox 46.0a1 asan build (specified
> in Description) using Ubuntu 12.02 64-bit and Ubuntu 13.10 64-bit.
>
> Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29),
> Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre
> tinderbox-build (20160229210832) under Ubuntu 13.10 64-bit, Mac OS X 10.11
> and Windows 10 64-bit.

This should be fixed in 46 and 45. Are you saying that you reproduced the original bug in 46?
Whiteboard: fixed in 1243843, on ESR in bug 1246093 → [adv-main45+][adv-ESR38.6+] fixed in 1243843, on ESR in bug 1246093
(In reply to Al Billings [:abillings] from comment #21)
> This should be fixed in 46 and 45. Are you saying that you reproduced the
> original bug in 46?

I reproduced the initial issue using the firefox asan build specified by the reporter (https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1453669987/). In order to verify an issue, I initially have to reproduce it using the affected build mentioned in the Description and only after that test it on the latest versions. So, as I specified in Comment 20, this issue is no longer reproducible on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre tinderbox-build (20160229210832).