Closed
Bug 1243832
Opened 8 years ago
Closed 8 years ago
graphite2: crash around null in [@graphite2::Slot::setGlyph]
Categories
(Core :: Graphics: Text, defect)
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, testcase, Whiteboard: [sg:dos])
Attachments
(2 files)
This was found while fuzzing graphite2 1.3.4. Not sure if this is a security issue; please indicate if it should be opened.

==41091==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f3a575dc5c5 bp 0x7ffd5f7de600 sp 0x7ffd5f7de5b0 T0)
    #0 0x7f3a575dc5c4 in graphite2::Slot::setGlyph(graphite2::Segment*, unsigned short, graphite2::GlyphFace const*) /home/user/code/graphite/src/Slot.cpp:449:15
    #1 0x7f3a57556f1d in (anonymous namespace)::direct_run(bool, void* const*, unsigned char const*, int*, graphite2::Slot**&, unsigned char, graphite2::SlotMap*) /home/user/code/graphite/src/inc/opcodes.h:599:9
    #2 0x7f3a575585a3 in graphite2::vm::Machine::run(void* const*, unsigned char const*, graphite2::Slot**&) /home/user/code/graphite/src/direct_machine.cpp:114:17
    #3 0x7f3a57571b17 in graphite2::vm::Machine::Code::run(graphite2::vm::Machine&, graphite2::Slot**&) const /home/user/code/graphite/src/Code.cpp:731:13
    #4 0x7f3a575b7c9f in graphite2::Pass::doAction(graphite2::vm::Machine::Code const*, graphite2::Slot*&, graphite2::vm::Machine&) const /home/user/code/graphite/src/Pass.cpp:665:17
    #5 0x7f3a575b7c9f in graphite2::Pass::findNDoRule(graphite2::Slot*&, graphite2::vm::Machine&, graphite2::FiniteStateMachine&) const /home/user/code/graphite/src/Pass.cpp:535
    #6 0x7f3a575b6296 in graphite2::Pass::runGraphite(graphite2::vm::Machine&, graphite2::FiniteStateMachine&, bool) const /home/user/code/graphite/src/Pass.cpp:410:13
    #7 0x7f3a575d1c4a in graphite2::Silf::runGraphite(graphite2::Segment*, unsigned char, unsigned char, int) const /home/user/code/graphite/src/Silf.cpp:423:21
    #8 0x7f3a5759035b in graphite2::Face::runGraphite(graphite2::Segment*, graphite2::Silf const*) const /home/user/code/graphite/src/Face.cpp:180:16
    #9 0x7f3a5755fccd in graphite2::Segment::runGraphite() /home/user/code/graphite/src/inc/Segment.h:97:45
    #10 0x7f3a5755fccd in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int) /home/user/code/graphite/src/gr_segment.cpp:46
    #11 0x7f3a5755fccd in gr_make_seg /home/user/code/graphite/src/gr_segment.cpp:105
    #12 0x4e76e3 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:680:20
    #13 0x4e8845 in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:782:9
    #14 0x7f3a571a4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #15 0x41a545 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41a545)
Comment 1 (Reporter)•8 years ago
Updated•8 years ago
Group: gfx-core-security
Whiteboard: [sg:dos]
Comment 2•8 years ago
Fixed upstream.
Comment 3 (Reporter)•8 years ago
This issue is reproducible in the latest revision (df41ce06dda5962b9ff1c8c3175af00005d5fc0f).
Flags: needinfo?(martin_hosken)
Comment 4•8 years ago
OK, identified the test string that makes this fail. Fixed? upstream in aed0effc27edfb9da441dce3c77f5a1a3fd9f7db. Previously I had assumed it was picked up by another fix because the particular test string wasn't failing. Sorry about that.
Updated•8 years ago
Flags: needinfo?(martin_hosken)
Comment 5 (Reporter)•8 years ago
No problem, thanks for the fix, Martin. Verified with revision aed0effc27edfb9da441dce3c77f5a1a3fd9f7db.
Comment 6•8 years ago
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html glad it's fixed :)
Comment 7•8 years ago
Well, security researchers have to blow their own trumpets even if it means finding bugs in old code! Graphite is such a joy to fuzz!
Updated (Reporter)•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox45:
--- → fixed
status-firefox46:
--- → fixed
status-firefox47:
--- → fixed
status-firefox-esr38:
--- → fixed
Depends on: 1252311
Resolution: --- → FIXED