Closed Bug 1243464 (CVE-2016-2790) Opened 4 years ago Closed 4 years ago

Use of uninitialised memory in [@graphite2::TtfUtil::GetTableInfo]

Categories

(Core :: Graphics: Text, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
Tracking Status
firefox45 --- fixed
firefox46 --- fixed
firefox47 --- fixed
firefox-esr38 --- fixed
firefox-esr45 45+ ---

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uninitialized, sec-moderate, testcase, Whiteboard: [adv-main45+][adv-esr38.7+])

Attachments

(2 files)

Attached file test_case.ttf
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4)

Conditional jump or move depends on uninitialised value(s)
   at 0x4E69D01: graphite2::TtfUtil::GetTableInfo(graphite2::TtfUtil::Tag, void const*, void const*, unsigned long&, unsigned long&) (TtfUtil.cpp:213)
   by 0x4E6B578: graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) (FileFace.cpp:83)
   by 0x4E511FD: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:281)
   by 0x4E3E741: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:49)
   by 0x4E3E92B: gr_make_face_with_ops (gr_face.cpp:89)
   by 0x4E3EF12: gr_make_file_face (gr_face.cpp:242)
   by 0x404CE4: Gr2Face::Gr2Face(char const*, std::string const&, bool) (Gr2Renderer.h:37)
   by 0x40359F: main (CompareRenderer.cpp:324)
On testing, this font is rejected by graphite. Is this a 32-bit issue?
Flags: needinfo?(twsmith)
Attached file test_string.txt
This was found using a 64-bit build of graphite running under valgrind.

The command I ran was:
$ valgrind -q ./comparerenderer -n -f test_case.ttf -t test_string.txt -s 12
Flags: needinfo?(twsmith)
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Verified with graphite revision aed0effc27edfb9da441dce3c77f5a1a3fd9f7db
Status: NEW → RESOLVED
Closed: 4 years ago
Depends on: 1252311
Resolution: --- → FIXED
Whiteboard: [adv-main45+][adv-esr38.7+]
Group: gfx-core-security → core-security-release
Alias: CVE-2016-2790
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.