Closed
Bug 1243513
(CVE-2016-2793)
Opened 9 years ago
Closed 9 years ago
graphite2: heap-buffer-overflow read in CachedCmap.cpp
Categories
(Core :: Graphics: Text, defect)
Core
Graphics: Text
Tracking
()
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-bounds, sec-high, testcase, Whiteboard: [adv-main45+][adv-esr38.7+])
Attachments
(3 files, 1 obsolete file)
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4) ==62151==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00001b400 at pc 0x7f19df55deb5 bp 0x7ffde144d6f0 sp 0x7ffde144d6e8 READ of size 8 at 0x62d00001b400 thread T0 #0 0x7f19df55deb4 in bool cache_subtable<&graphite2::TtfUtil::CmapSubtable12NextCodepoint, &graphite2::TtfUtil::CmapSubtable12Lookup>(unsigned short**, void const*, unsigned int) /home/user/code/graphite/src/CmapCache.cpp:70:14 #1 0x7f19df55deb4 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) /home/user/code/graphite/src/CmapCache.cpp:101 #2 0x7f19df587f65 in graphite2::Face::readGlyphs(unsigned int) /home/user/code/graphite/src/Face.cpp:108:22 #3 0x7f19df553667 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /home/user/code/graphite/src/gr_face.cpp:54:14 #4 0x7f19df554cf9 in gr_make_face_with_ops /home/user/code/graphite/src/gr_face.cpp:89:16 #5 0x7f19df554cf9 in gr_make_file_face /home/user/code/graphite/src/gr_face.cpp:242 #6 0x4e6c09 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:629:20 #7 0x4e87bc in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:781:12 #8 0x7f19df19dec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287 #9 0x41a545 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41a545)
Reporter | ||
Comment 1•9 years ago
|
||
Reporter | ||
Comment 2•9 years ago
|
||
Reporter | ||
Comment 4•9 years ago
|
||
This issue is reproducible in latest revision (e569e28d83491fedb31b9220493f3c07f6ec6d80)
Flags: needinfo?(martin_hosken)
Updated•9 years ago
|
Flags: needinfo?(martin_hosken)
Reporter | ||
Comment 6•9 years ago
|
||
This issue is reproducible in latest revision (df41ce06dda5962b9ff1c8c3175af00005d5fc0f)
Attachment #8712829 -
Attachment is obsolete: true
Flags: needinfo?(martin_hosken)
Reporter | ||
Comment 7•9 years ago
|
||
Verified with graphite revision c8450dbaa160be5c939d9abb5cfe01284e22b45f
Updated•9 years ago
|
Flags: needinfo?(martin_hosken)
Reporter | ||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox45:
--- → fixed
status-firefox46:
--- → fixed
status-firefox47:
--- → fixed
status-firefox-esr38:
--- → fixed
Depends on: 1252311
Resolution: --- → FIXED
Updated•9 years ago
|
tracking-firefox-esr38:
--- → 45+
Whiteboard: [adv-main45+][adv-esr38.7+]
Updated•9 years ago
|
Group: gfx-core-security → core-security-release
Updated•9 years ago
|
Alias: CVE-2016-2793
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•