Closed Bug 1243839 Opened 8 years ago Closed 8 years ago

graphite2: stack-overflow in [@graphite2::Slot::floodShift] Slot.cpp:480

Categories: Core :: Graphics: Text, defect

Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Tracking Status:
firefox45 --- fixed
firefox46 --- fixed
firefox47 --- fixed
firefox-esr38 45+ fixed

People

Reporter: tsmith
Assignee: Unassigned

References

Blocks 1 open bug

Details

4 keywords; Whiteboard: [adv-main45-][adv-esr38.7-]

Attachments

3 files

Attached file test_case.ttf
Found in graphite2 1.3.4

==12290==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc94ad9fe0 (pc 0x7fec8878cedd bp 0x7ffc94ada020 sp 0x7ffc94ad9fe0 T0)
    #0 0x7fec8878cedc in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:480
    #1 0x7fec8878cfbf in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:482:18
    ...
    #251 0x7f31b02a6fbf in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:482:18
Attached file test_string.txt
Fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
See Also: → CVE-2016-2791
Tested with e569e28d83491fedb31b9220493f3c07f6ec6d80
Status: RESOLVED → VERIFIED
Group: gfx-core-security → core-security-release
This is fixed upstream but not in mozilla-central. I got a bit too excited and marked it as fixed.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Summary: graphite2: stack-overflow in [@graphite2::Slot::floodShift] → graphite2: stack-overflow in [@graphite2::Slot::floodShift] Slot.cpp:480
Status: REOPENED → RESOLVED
Closed: 8 years ago
Depends on: 1252311
Resolution: --- → FIXED
Whiteboard: [adv-main45+][adv-esr38.7+]
This is an automated crash issue comment:

Summary: Crash [@ __sanitizer::DTLS_on_tls_get_addr]
Build version: graphite2 revision bc5409c573aa9ecccacd18cf713021272998cd35
Testcase: See attachment.

Backtrace:

==5300==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd4441dff8 (pc 0x0000004ce480 bp 0x7fc167c26fc0 sp 0x7ffd4441e000 T0)
    #0 0x4ce47f in __sanitizer::DTLS_on_tls_get_addr(void*, void*, unsigned long, unsigned long) /home/user/Desktop/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.cc:82
    #1 0x42c08a in __tls_get_addr /home/user/Desktop/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4096
    #2 0x7fc167a04c38 in graphite2::Position::operator+=(graphite2::Position const&) src/inc/Position.h:39:56
    #3 0x7fc167a04c38 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:495
    #4 0x7fc167a04d27 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:496:18
    #5 0x7fc167a04d27 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:496:18
    #6 0x7fc167a04d27 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:496:18
  [...]
    #252 0x7fc167a04d27 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:496:18
This doesn't seem to be fixed per previous comments, reopening.

Also we can probably unhide this bug. Stack overflows and (near) null derefs typically don't need s-s.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Never mind, bug 1252724 is filed with the same signature now, just not linked appropriately.
Status: REOPENED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [adv-main45+][adv-esr38.7+] → [adv-main45-][adv-esr38.7-]
Group: core-security-release