Bug 1243473 (CVE-2016-2791)

graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph]

RESOLVED FIXED

Status


defect
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: tsmith, Unassigned)

Tracking

(Blocks 1 bug, {csectype-bounds, sec-high, testcase})

unspecified
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox45+ fixed, firefox46+ fixed, firefox47+ fixed, firefox-esr3845+ fixed)

Details

(Whiteboard: [adv-main45+][adv-esr38.7+])

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
Posted file call_stack.txt
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4)
(Reporter)

Comment 1

3 years ago
Posted file test_case.ttf

Comment 2

3 years ago
What is the test string for this: "Whereas" seems to render correctly.
Flags: needinfo?(twsmith)
(Reporter)

Comment 3

3 years ago
Posted file test_string.txt
Flags: needinfo?(twsmith)
Keywords: sec-high

Comment 4

3 years ago
fixed upstream in e569e28d83491fedb31b9220493f3c07f6ec6d80
(Reporter)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 5

3 years ago
Verified with e569e28d83491fedb31b9220493f3c07f6ec6d80
Status: RESOLVED → VERIFIED
(Reporter)

Updated

3 years ago
See Also: → 1243843
(Reporter)

Updated

3 years ago
See Also: → 1243839
Group: gfx-core-security → core-security-release
Comment 6

Tyson: what mozilla-central commit (or bug) fixed this crash? If you're testing the upstream changeset it's good to validate the patch, but it's not yet fixed in Mozilla. Once we know the relevant commit (which might be a "upgrade graphite2 to cset xxxxx" bug) then we can check to make sure that landed in all the branches we need it to land in.
Flags: needinfo?(twsmith)
(Reporter)

Comment 7

3 years ago
(In reply to Daniel Veditz [:dveditz] from comment #6)
> Tyson: what mozilla-central commit (or bug) fixed this crash? If you're
> testing the upstream changeset it's good to validate the patch, but it's not
> yet fixed in Mozilla. Once we know the relevant commit (which might be a
> "upgrade graphite2 to cset xxxxx" bug) then we can check to make sure that
> landed in all the branches we need it to land in.

Oops, I don't know what I was thinking there. You are right, this still isn't in mozilla-central.
Status: VERIFIED → REOPENED
Flags: needinfo?(twsmith)
Resolution: FIXED → ---
(Reporter)

Updated

3 years ago
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Depends on: 1252311
Resolution: --- → FIXED
Whiteboard: [adv-main45+][adv-esr38.7+]
Alias: CVE-2016-2791
Group: core-security-release