Closed Bug 1243464 (CVE-2016-2790) Opened 9 years ago Closed 9 years ago

Use of uninitialised memory in [@graphite2::TtfUtil::GetTableInfo]

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox45 --- fixed
firefox46 --- fixed
firefox47 --- fixed
firefox-esr38 --- fixed
firefox-esr45 45+ ---

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uninitialized, sec-moderate, testcase, Whiteboard: [adv-main45+][adv-esr38.7+])

Attachments

(2 files)

test_case.ttf
12 bytes, application/x-font-ttf
Details
test_string.txt
548 bytes, text/plain
Details
Attached file test_case.ttf
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4) Conditional jump or move depends on uninitialised value(s) at 0x4E69D01: graphite2::TtfUtil::GetTableInfo(graphite2::TtfUtil::Tag, void const*, void const*, unsigned long&, unsigned long&) (TtfUtil.cpp:213) by 0x4E6B578: graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) (FileFace.cpp:83) by 0x4E511FD: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:281) by 0x4E3E741: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:49) by 0x4E3E92B: gr_make_face_with_ops (gr_face.cpp:89) by 0x4E3EF12: gr_make_file_face (gr_face.cpp:242) by 0x404CE4: Gr2Face::Gr2Face(char const*, std::string const&, bool) (Gr2Renderer.h:37) by 0x40359F: main (CompareRenderer.cpp:324)
On testing, this font is rejected by graphite. Is this a 32-bit issue?
Flags: needinfo?(twsmith)
Attached file test_string.txt
This was found using a 64-bit build of graphite running under valgrind. The command I ran was: $ valgrind -q ./comparerenderer -n -f test_case.ttf -t test_string.txt -s 12
Flags: needinfo?(twsmith)
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Verified with graphite revision aed0effc27edfb9da441dce3c77f5a1a3fd9f7db
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox45: --- → fixed
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox-esr38: --- → fixed
Depends on: 1252311
Resolution: --- → FIXED
tracking-firefox-esr45: --- → 45+
Whiteboard: [adv-main45+][adv-esr38.7+]
Group: gfx-core-security → core-security-release
Alias: CVE-2016-2790
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: