Closed Bug 1243473 (CVE-2016-2791) Opened 9 years ago Closed 9 years ago

graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph]

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox45 + fixed
firefox46 + fixed
firefox47 + fixed
firefox-esr38 45+ fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-bounds, sec-high, testcase, Whiteboard: [adv-main45+][adv-esr38.7+])

Attachments

(3 files)

call_stack.txt
5.39 KB, text/plain
Details
test_case.ttf
57.44 KB, application/x-font-ttf
Details
test_string.txt
548 bytes, text/plain
Details
Attached file call_stack.txt
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4)
Attached file test_case.ttf
What is the test string for this: "Whereas" seems to render correctly.
Flags: needinfo?(twsmith)
Attached file test_string.txt
Flags: needinfo?(twsmith)
Keywords: sec-high
fixed upstream in e569e28d83491fedb31b9220493f3c07f6ec6d80
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Verified with e569e28d83491fedb31b9220493f3c07f6ec6d80
Status: RESOLVED → VERIFIED
See Also: → 1243843
See Also: → 1243839
Group: gfx-core-security → core-security-release
Tyson: what mozilla-central commit (or bug) fixed this crash? If you're testing the upstream changeset it's good to validate the patch, but it's not yet fixed in Mozilla. Once we know the relevant commit (which might be a "upgrade graphite2 to cset xxxxx" bug) then we can check to make sure that landed in all the branches we need it to land in.
status-firefox45: --- → affected
status-firefox46: --- → affected
status-firefox47: --- → ?
status-firefox-esr38: --- → affected
Flags: needinfo?(twsmith)
(In reply to Daniel Veditz [:dveditz] from comment #6) > Tyson: what mozilla-central commit (or bug) fixed this crash? If you're > testing the upstream changeset it's good to validate the patch, but it's not > yet fixed in Mozilla. Once we know the relevant commit (which might be a > "upgrade graphite2 to cset xxxxx" bug) then we can check to make sure that > landed in all the branches we need it to land in. Oops I don't know what I was thinking there. You are right this still isn't in mozilla-central
Status: VERIFIED → REOPENED
Flags: needinfo?(twsmith)
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 9 years ago9 years ago
status-firefox45: affectedfixed
status-firefox46: affectedfixed
status-firefox47: ?fixed
status-firefox-esr38: affectedfixed
Depends on: 1252311
Resolution: --- → FIXED
Whiteboard: [adv-main45+][adv-esr38.7+]
Alias: CVE-2016-2791
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: