Bug 1243816 (CVE-2016-2796)

graphite2: heap-buffer-overflow write in [@graphite2::vm::Machine::Code::Code]

RESOLVED FIXED

Status


--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: tsmith, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

unspecified
crash, csectype-bounds, sec-critical, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox45+ fixed, firefox46+ fixed, firefox47+ fixed, firefox-esr3845+ fixed)

Details

(Whiteboard: [adv-main45+][adv-esr38.7+])

Attachments

(3 attachments, 1 obsolete attachment)

5.48 KB, text/plain
45.37 KB, application/x-font-ttf
563 bytes, text/plain
(Reporter)

Description

3 years ago
This was found while fuzzing graphite2 1.3.5 (and is in 1.3.4)

This is likely sec-critical.
(Reporter)

Updated

3 years ago
Keywords: sec-critical
(Reporter)

Comment 1

3 years ago
Posted file call_stack.txt
(Reporter)

Comment 2

3 years ago
Posted file test_case.ttf (obsolete)
(Reporter)

Comment 3

3 years ago
Posted file test_case.ttf
Attachment #8713254 - Attachment is obsolete: true
(Reporter)

Comment 4

3 years ago
Posted file gr2_test_string.txt
Tracking since this likely affects all channels including esr38 and it's sec-critical.
status-firefox45: --- → affected
status-firefox46: --- → affected
status-firefox47: --- → affected
status-firefox-esr38: --- → affected
tracking-firefox45: --- → +
tracking-firefox46: --- → +
tracking-firefox47: --- → +
tracking-firefox-esr38: --- → ?
Flags: needinfo?(jfkthame)
There's a patch in bug 1243843 (awaiting testing) that may well fix this.
Flags: needinfo?(jfkthame)

Comment 7

3 years ago
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Does that mean we can close this bug? Tyson can you or someone else verify this is fixed?
Flags: needinfo?(twsmith)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #8)
> Does that mean we can close this bug? Tyson can you or someone else verify
> this is fixed?

I believe so based on Martin's comment, but would appreciate having it verified on our latest builds.
(Reporter)

Comment 10

3 years ago
This crash is still reproducible with the latest fixes (e569e28d83491fedb31b9220493f3c07f6ec6d80)
Flags: needinfo?(twsmith)
Martin, can you look into this again, please?
Flags: needinfo?(martin_hosken)

Comment 12

3 years ago
I have a potential fix, needs review internally. Should be fixed in 24hrs. This bug would be hard to make anything of.

Comment 13

3 years ago
This and all friends fixed upstream. Sorry, I forgot to do asan testing last time around :( This time they all run asan clean on 64-bit.

Comment 14

3 years ago
Fixed upstream in 703cbd0c5bd23f39ff24d5d2a525b18658cdb59a

Updated

3 years ago
Flags: needinfo?(martin_hosken)
(Reporter)

Updated

3 years ago
Blocks: 1249081
(Reporter)

Updated

3 years ago
No longer blocks: 1249081
(Reporter)

Comment 15

3 years ago
Verified with graphite revision c8450dbaa160be5c939d9abb5cfe01284e22b45f
(Reporter)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox45: affected → fixed
status-firefox46: affected → fixed
status-firefox47: affected → fixed
status-firefox-esr38: affected → fixed
Depends on: 1252311
Resolution: --- → FIXED
tracking-firefox-esr38: ? → 45+
Whiteboard: [adv-main45+][adv-esr38.7+]
Group: gfx-core-security → core-security-release
Alias: CVE-2016-2796
Group: core-security-release