Closed Bug 1243473 (CVE-2016-2791) Opened 8 years ago Closed 8 years ago

graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox45 + fixed
firefox46 + fixed
firefox47 + fixed
firefox-esr38 45+ fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-bounds, sec-high, testcase, Whiteboard: [adv-main45+][adv-esr38.7+])

Attachments

(3 files)

Attached file call_stack.txt
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4)
Attached file test_case.ttf
What is the test string for this: "Whereas" seems to render correctly.
Flags: needinfo?(twsmith)
Attached file test_string.txt
Flags: needinfo?(twsmith)
Keywords: sec-high
fixed upstream in e569e28d83491fedb31b9220493f3c07f6ec6d80
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Verified with e569e28d83491fedb31b9220493f3c07f6ec6d80
Status: RESOLVED → VERIFIED
See Also: → 1243843
See Also: → 1243839
Group: gfx-core-security → core-security-release
Tyson: what mozilla-central commit (or bug) fixed this crash? If you're testing the upstream changeset it's good to validate the patch, but it's not yet fixed in Mozilla. Once we know the relevant commit (which might be a "upgrade graphite2 to cset xxxxx" bug) then we can check to make sure that landed in all the branches we need it to land in.
Flags: needinfo?(twsmith)
(In reply to Daniel Veditz [:dveditz] from comment #6)
> Tyson: what mozilla-central commit (or bug) fixed this crash? If you're
> testing the upstream changeset it's good to validate the patch, but it's not
> yet fixed in Mozilla. Once we know the relevant commit (which might be a
> "upgrade graphite2 to cset xxxxx" bug) then we can check to make sure that
> landed in all the branches we need it to land in.

Oops, I don't know what I was thinking there. You are right, this still isn't in mozilla-central.
Status: VERIFIED → REOPENED
Flags: needinfo?(twsmith)
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 8 years ago
Depends on: 1252311
Resolution: --- → FIXED
Whiteboard: [adv-main45+][adv-esr38.7+]
Alias: CVE-2016-2791
Group: core-security-release