Closed Bug 1243832 Opened 8 years ago Closed 8 years ago

graphite2: crash around null in [@graphite2::Slot::setGlyph]

Categories

(Core :: Graphics: Text, defect)

Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox45 --- fixed
firefox46 --- fixed
firefox47 --- fixed
firefox-esr38 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase, Whiteboard: [sg:dos])

Attachments

(2 files)

Attached file test_case.ttf
This was found while fuzzing graphite2 1.3.4.

Not sure if this is a security issue; please indicate if it should be opened.

==41091==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f3a575dc5c5 bp 0x7ffd5f7de600 sp 0x7ffd5f7de5b0 T0)
    #0 0x7f3a575dc5c4 in graphite2::Slot::setGlyph(graphite2::Segment*, unsigned short, graphite2::GlyphFace const*) /home/user/code/graphite/src/Slot.cpp:449:15
    #1 0x7f3a57556f1d in (anonymous namespace)::direct_run(bool, void* const*, unsigned char const*, int*, graphite2::Slot**&, unsigned char, graphite2::SlotMap*) /home/user/code/graphite/src/inc/opcodes.h:599:9
    #2 0x7f3a575585a3 in graphite2::vm::Machine::run(void* const*, unsigned char const*, graphite2::Slot**&) /home/user/code/graphite/src/direct_machine.cpp:114:17
    #3 0x7f3a57571b17 in graphite2::vm::Machine::Code::run(graphite2::vm::Machine&, graphite2::Slot**&) const /home/user/code/graphite/src/Code.cpp:731:13
    #4 0x7f3a575b7c9f in graphite2::Pass::doAction(graphite2::vm::Machine::Code const*, graphite2::Slot*&, graphite2::vm::Machine&) const /home/user/code/graphite/src/Pass.cpp:665:17
    #5 0x7f3a575b7c9f in graphite2::Pass::findNDoRule(graphite2::Slot*&, graphite2::vm::Machine&, graphite2::FiniteStateMachine&) const /home/user/code/graphite/src/Pass.cpp:535
    #6 0x7f3a575b6296 in graphite2::Pass::runGraphite(graphite2::vm::Machine&, graphite2::FiniteStateMachine&, bool) const /home/user/code/graphite/src/Pass.cpp:410:13
    #7 0x7f3a575d1c4a in graphite2::Silf::runGraphite(graphite2::Segment*, unsigned char, unsigned char, int) const /home/user/code/graphite/src/Silf.cpp:423:21
    #8 0x7f3a5759035b in graphite2::Face::runGraphite(graphite2::Segment*, graphite2::Silf const*) const /home/user/code/graphite/src/Face.cpp:180:16
    #9 0x7f3a5755fccd in graphite2::Segment::runGraphite() /home/user/code/graphite/src/inc/Segment.h:97:45
    #10 0x7f3a5755fccd in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int) /home/user/code/graphite/src/gr_segment.cpp:46
    #11 0x7f3a5755fccd in gr_make_seg /home/user/code/graphite/src/gr_segment.cpp:105
    #12 0x4e76e3 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:680:20
    #13 0x4e8845 in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:782:9
    #14 0x7f3a571a4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #15 0x41a545 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41a545)
Attached file gr2_test_string.txt
Group: gfx-core-security
Whiteboard: [sg:dos]
fixed upstream
This issue is reproducible in the latest revision (df41ce06dda5962b9ff1c8c3175af00005d5fc0f).
Flags: needinfo?(martin_hosken)
OK, identified the test string that makes this fail. Fixed? upstream in aed0effc27edfb9da441dce3c77f5a1a3fd9f7db. Previously I had assumed it was picked up by another fix because the particular test string wasn't failing. Sorry about that.
Flags: needinfo?(martin_hosken)
No problem, thanks for the fix Martin.

Verified with revision aed0effc27edfb9da441dce3c77f5a1a3fd9f7db.
Well, security researchers have to blow their own trumpets even if it means finding bugs in old code! Graphite is such a joy to fuzz!
Status: NEW → RESOLVED
Closed: 8 years ago
Depends on: 1252311
Resolution: --- → FIXED