Closed
Bug 1243482
(CVE-2016-2792)
Opened 9 years ago
Closed 9 years ago
graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:232
Categories
(Core :: Graphics: Text, defect)
Core
Graphics: Text
Tracking
()
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-bounds, sec-high, testcase, Whiteboard: [adv-main45+][adv-esr38.7+])
Attachments
(3 files, 2 obsolete files)
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4)
Reporter | ||
Comment 1•9 years ago
|
||
Comment 2•9 years ago
|
||
What is the test string for this: "Whereas" seems to render correctly.
Flags: needinfo?(twsmith)
Reporter | ||
Comment 3•9 years ago
|
||
Flags: needinfo?(twsmith)
Comment 4•9 years ago
|
||
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Reporter | ||
Comment 5•9 years ago
|
||
This issue is reproducible in latest revision (e569e28d83491fedb31b9220493f3c07f6ec6d80)
Flags: needinfo?(martin_hosken)
Reporter | ||
Comment 6•9 years ago
|
||
Attachment #8712796 -
Attachment is obsolete: true
Reporter | ||
Comment 7•9 years ago
|
||
Attachment #8712795 -
Attachment is obsolete: true
Comment 8•9 years ago
|
||
fixed upstream in a8f9210571f5339d55c7fd4524acb64ce5ca8fd8
Updated•9 years ago
|
Flags: needinfo?(martin_hosken)
Reporter | ||
Comment 9•9 years ago
|
||
This issue is reproducible in the latest revision (df41ce06dda5962b9ff1c8c3175af00005d5fc0f)
Flags: needinfo?(martin_hosken)
Comment 10•9 years ago
|
||
Sorry. Didn't notice the new test_case.ttf that was introduced before my last claim to have fixed it. Is this new test_case effectively a new bug? Anyway fixed? in latest upstream and I think in 234c9634b76d31a597e048aa8596996dbdc85165
Updated•9 years ago
|
Flags: needinfo?(martin_hosken)
Reporter | ||
Updated•9 years ago
|
Summary: graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] → graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:232
Reporter | ||
Updated•9 years ago
|
See Also: → CVE-2016-2800
Reporter | ||
Comment 11•9 years ago
|
||
Verified existing test cases with aed0effc27edfb9da441dce3c77f5a1a3fd9f7db.
I found a crash with a matching stack trace and logged it a bug 1249338.
Reporter | ||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox45:
--- → fixed
status-firefox46:
--- → fixed
status-firefox47:
--- → fixed
status-firefox-esr38:
--- → fixed
Depends on: 1252311
Resolution: --- → FIXED
Updated•9 years ago
|
tracking-firefox-esr45:
--- → 45+
Whiteboard: [adv-main45+][adv-esr38.7+]
Updated•9 years ago
|
Group: gfx-core-security → core-security-release
Updated•9 years ago
|
Alias: CVE-2016-2792
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•