Closed Bug 1243816 (CVE-2016-2796) Opened 6 years ago Closed 6 years ago

graphite2: heap-buffer-overflow write in [@graphite2::vm::Machine::Code::Code]


(Core :: Graphics: Text, defect)

Not set



Tracking Status
firefox45 + fixed
firefox46 + fixed
firefox47 + fixed
firefox-esr38 45+ fixed


(Reporter: tsmith, Unassigned)


(Blocks 1 open bug)


(4 keywords, Whiteboard: [adv-main45+][adv-esr38.7+])


(3 files, 1 obsolete file)

This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4)

This is likely sec-critical.
Keywords: sec-critical
Attached file call_stack.txt
Attached file test_case.ttf (obsolete) —
Attached file test_case.ttf
Attachment #8713254 - Attachment is obsolete: true
Attached file gr2_test_string.txt
Tracking since this likely affects all channels including esr38 and it's sec-critical.
There's a patch in bug 1243843 (awaiting testing) that may well fix this.
Flags: needinfo?(jfkthame)
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Does that mean we can close this bug? Tyson can you or someone else verify this is fixed?
Flags: needinfo?(twsmith)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #8)
> Does that mean we can close this bug? Tyson can you or someone else verify
> this is fixed?

I believe so based on Martin's comment, but would appreciate having it verified on our latest builds.
This crash is still reproducible with the latest fixes (e569e28d83491fedb31b9220493f3c07f6ec6d80)
Flags: needinfo?(twsmith)
Martin, can you look into this again, please?
Flags: needinfo?(martin_hosken)
I have a potential fix, needs review internally. Should be fixed in 24hrs. This bug would be hard to make anything of.
This and all friends fixed upstream. Sorry, I forgot to do asan testing last time around :( This time they all run asan clean on 64bit.
Fixed upstream in 703cbd0c5bd23f39ff24d5d2a525b18658cdb59a
Flags: needinfo?(martin_hosken)
No longer blocks: CVE-2016-2799
Verified with graphite revision c8450dbaa160be5c939d9abb5cfe01284e22b45f
Closed: 6 years ago
Depends on: 1252311
Resolution: --- → FIXED
Whiteboard: [adv-main45+][adv-esr38.7+]
Group: gfx-core-security → core-security-release
Alias: CVE-2016-2796
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.