Closed Bug 1242322 (CVE-2016-1969) Opened 7 years ago Closed 7 years ago

Crash - Out of Bounds Write in Graphite setAttr Function

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Version:
46 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox44 - wontfix
firefox45 + verified
firefox46 + verified
firefox47 + verified
firefox-esr38 44+ verified

People

(Reporter: temp66, Unassigned)

References

Details

(Keywords: csectype-bounds, sec-critical, Whiteboard: [adv-main45+][adv-ESR38.6+] fixed in 1243843, on ESR in bug 1246093)

Attachments

(3 files)

asan_stack_trace.txt
22.80 KB, text/plain
Details
Font file test case
32.76 KB, application/x-font-ttf
Details
HTML file with content that triggers crash
177 bytes, text/html
Details
Attached file asan_stack_trace.txt — 
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160106234723

Steps to reproduce:

Loaded a page that used a malicious/corrupt Graphite font file.
The ASAN build of firefox 46.0a1, downloaded from https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1453669987/ was used.


Actual results:

The tab crashed with ASAN reporting an out of bounds write on the heap.
See the attached stack trace.


Expected results:

No crash.
Attached file Font file test case — 

    
    

    
  


  
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Product: Firefox → Core
Flags: sec-bounty?
Component: Graphics → Graphics: Text

    
    

    
  
Tyson was able to reproduce using ASAN. This testcase doesn't crash without ASAN but that doesn't mean there's not a problem.
Group: core-security → gfx-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-critical

    
    

    
  
Martin, here's a naughty font for you...
Flags: needinfo?(martin_hosken)

    
    

    
  
Jonathan (or anyone) can you also check to see if this also affects 45?
Flags: needinfo?(jfkthame)

    
    

    
  
Tyson, can you look into comment 5 for us, please?
Flags: needinfo?(jfkthame) → needinfo?(twsmith)

    
    

    
  
Martin, can you confirm if this one is fixed upstream? Which rev?

    
    

    
  
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Flags: needinfo?(martin_hosken)

    
    

    
  
I was unable to reproduce this issue on 45.
Flags: needinfo?(twsmith)

    
    

    
  
(In reply to martin_hosken from comment #8)
> fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829

For anybody who is curious, the full link seems to be:
https://github.com/silnrsi/graphite/commit/a8b3ac2aed0eb132cd80efe7de88f8153e73c829

    
    

    
  
(In reply to Jonathan Kew (:jfkthame) from comment #12)
> I believe this should be fixed in the latest inbound/aurora/beta builds.
> Could you confirm whether it can still be reproduced with any of these --
> thanks.
> 
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-
> linux64-asan/1455125082/
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-
> linux64-asan/1455106701/
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-beta-linux64-
> asan/1455107601/

Seems to be fixed. No repro on any of these builds.

    
    

    
  
Marking this as fixed for 45, 46, and 47.  So this may still affect 44?

          status-firefox44:
          --- → ?

          status-firefox45:
          ?fixed

          status-firefox46:
          affectedfixed

          status-firefox47:
          affectedfixed

          tracking-firefox44:
          --- → ?

          tracking-firefox45:
          --- → +

    
    

    
  
I'm marking this fixed because 47 is fixed.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED

    
    

    
  
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #14)
> Marking this as fixed for 45, 46, and 47.  So this may still affect 44?

I expect so, as 44 is still on graphite 1.3.4.
Flags: sec-bounty? → sec-bounty+
Group: gfx-core-security → core-security-release

    
    

    
  
I'll assume ESR is also affected...

          status-firefox44:
          ?affected

          status-firefox-esr38:
          --- → affected

    
    

    
  
(In reply to Andrew McCreight [:mccr8] from comment #17)
> I'll assume ESR is also affected...

The same fixes landed on ESR38 in bug 1246093.
See Also:  → CVE-2016-2799

          status-firefox44:
          affectedwontfix

          tracking-firefox44:
          ?-

          tracking-firefox-esr38:
          --- → 44+
Depends on: 1243843, CVE-2016-1523
Whiteboard: fixed in 1243843, on ESR in bug 1246093

    
    

    
  
I was able to reproduce this issue on Firefox 46.0a1 asan build (specified in Description) using Ubuntu 12.02 64-bit and Ubuntu 13.10 64-bit.

Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10  	(20160225145837) and Firefox 38.6.1esrpre tinderbox-build (20160229210832) under Ubuntu 13.10 64-bit, Mac OS X 10.11 and Windows 10 64-bit.
Status: RESOLVED → VERIFIED

          status-firefox45:
          fixedverified

          status-firefox46:
          fixedverified

          status-firefox47:
          fixedverified

          status-firefox-esr38:
          fixedverified

    
    

    
  
(In reply to Vasilica Mihasca, QA [:vasilica_mihasca] from comment #20)
> I was able to reproduce this issue on Firefox 46.0a1 asan build (specified
> in Description) using Ubuntu 12.02 64-bit and Ubuntu 13.10 64-bit.
> 
> Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29),
> Firefox 45 beta 10  	(20160225145837) and Firefox 38.6.1esrpre
> tinderbox-build (20160229210832) under Ubuntu 13.10 64-bit, Mac OS X 10.11
> and Windows 10 64-bit.

This should be fixed in 46 and 45. Are you saying that you reproduced the original bug in 46?
Flags: needinfo?(vasilica.mihasca)
Whiteboard: fixed in 1243843, on ESR in bug 1246093 → [adv-main45+][adv-ESR38.6+] fixed in 1243843, on ESR in bug 1246093
Alias: CVE-2016-1969

    
    

    
  
(In reply to Al Billings [:abillings] from comment #21)

> This should be fixed in 46 and 45. Are you saying that you reproduced the
> original bug in 46?

I reproduced the initial issue using the firefox asan build specified by the reporter (https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1453669987/). 

In order to verify an issue I initially have to reproduce it using the affected build mentioned in Description and only after that to test it on latest versions.

So, as I specified in Comment 20, this issue is no longer reproducible on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre tinderbox-build (20160229210832).
Flags: needinfo?(vasilica.mihasca)
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.