Closed
Bug 1243816
(CVE-2016-2796)
Opened 9 years ago
Closed 9 years ago
graphite2: heap-buffer-overflow write in [@graphite2::vm::Machine::Code::Code]
Categories
(Core :: Graphics: Text, defect)
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [adv-main45+][adv-esr38.7+])
Attachments
(3 files, 1 obsolete file)
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4)
This is likely sec-critical.
Updated•9 years ago
Keywords: sec-critical
Comment 1•9 years ago
Comment 2•9 years ago
Comment 3•9 years ago
Attachment #8713254 - Attachment is obsolete: true
Comment 4•9 years ago
Comment 5•9 years ago
Tracking since this likely affects all channels including esr38 and it's sec-critical.
status-firefox45: --- → affected
status-firefox46: --- → affected
status-firefox47: --- → affected
status-firefox-esr38: --- → affected
tracking-firefox45: --- → +
tracking-firefox46: --- → +
tracking-firefox47: --- → +
tracking-firefox-esr38: --- → ?
Flags: needinfo?(jfkthame)
Comment 6•9 years ago
There's a patch in bug 1243843 (awaiting testing) that may well fix this.
Flags: needinfo?(jfkthame)
Comment 7•9 years ago
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Comment 8•9 years ago
Does that mean we can close this bug? Tyson can you or someone else verify this is fixed?
Flags: needinfo?(twsmith)
Comment 9•9 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #8)
> Does that mean we can close this bug? Tyson can you or someone else verify
> this is fixed?
I believe so based on Martin's comment, but would appreciate having it verified on our latest builds.
Comment 10•9 years ago
This crash is still reproducible with the latest fixes (e569e28d83491fedb31b9220493f3c07f6ec6d80)
Flags: needinfo?(twsmith)
Comment 11•9 years ago
Martin, can you look into this again, please?
Flags: needinfo?(martin_hosken)
Comment 12•9 years ago
I have a potential fix, needs review internally. Should be fixed in 24hrs. This bug would be hard to make anything of.
Comment 13•9 years ago
This and all friends fixed upstream. Sorry, I forgot to do asan testing last time around :( This time they all run asan clean on 64bit.
Comment 14•9 years ago
Fixed upstream in 703cbd0c5bd23f39ff24d5d2a525b18658cdb59a
Updated•9 years ago
Flags: needinfo?(martin_hosken)
Updated•9 years ago
Blocks: CVE-2016-2799
Updated•9 years ago
No longer blocks: CVE-2016-2799
Comment 15•9 years ago
Verified with graphite revision c8450dbaa160be5c939d9abb5cfe01284e22b45f
Updated•9 years ago
Whiteboard: [adv-main45+][adv-esr38.7+]
Updated•9 years ago
Group: gfx-core-security → core-security-release
Updated•9 years ago
Alias: CVE-2016-2796
Updated•8 years ago
Group: core-security-release