Bug 1243839 (Closed)
Opened 8 years ago; closed 8 years ago
graphite2: stack-overflow in [@graphite2::Slot::floodShift] Slot.cpp:480
Categories: Core :: Graphics: Text, defect
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [adv-main45-][adv-esr38.7-]
Attachments: 3 files
Description

Found in graphite2 1.3.4

==12290==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc94ad9fe0 (pc 0x7fec8878cedd bp 0x7ffc94ada020 sp 0x7ffc94ad9fe0 T0)
    #0 0x7fec8878cedc in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:480
    #1 0x7fec8878cfbf in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:482:18
    ...
    #251 0x7f31b02a6fbf in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:482:18
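The backtrace above (and the one in comment 5) shows floodShift re-entering itself from line 482 until the stack is exhausted: the function walks a slot's child/sibling links recursively, so a slot graph that is very deep, or whose links form a cycle, costs one stack frame per level with no bound. The example below is an added illustration, not graphite2's code and not the contents of the upstream fix commit referenced later on this page (which is not shown here). Slot, Position, kMaxDepth, buildChain and the helper names are stand-ins assumed for this example. It shows the unbounded recursion pattern, a depth-capped variant, and an iterative walk with a visited set that terminates on any input.

```cpp
// Added example, not graphite2 source: a minimal stand-in for the
// child/sibling recursion seen in the Slot::floodShift backtrace.
#include <cstddef>
#include <unordered_set>
#include <vector>

struct Position {
    float x = 0.0f, y = 0.0f;
    Position& operator+=(const Position& o) { x += o.x; y += o.y; return *this; }
};

struct Slot {
    Position position;
    Slot* child = nullptr;
    Slot* sibling = nullptr;

    // Pattern A: unbounded recursion. Each level consumes a stack frame, so a
    // cyclic or extremely deep slot graph runs until the guard page is hit
    // (the ASan "stack-overflow" in this report). Deliberately left as-is and
    // never called by the checks below.
    void floodShiftUnbounded(Position adj) {
        position += adj;
        if (child)   child->floodShiftUnbounded(adj);
        if (sibling) sibling->floodShiftUnbounded(adj);
    }

    // Pattern B: the same walk with a recursion-depth cap (kMaxDepth is an
    // assumed value for this example). Returns the number of slots shifted so
    // a caller can tell whether the cap cut the walk short.
    static constexpr int kMaxDepth = 100;
    int floodShiftBounded(Position adj, int depth = 0) {
        if (depth > kMaxDepth) return 0;
        position += adj;
        int n = 1;
        if (child)   n += child->floodShiftBounded(adj, depth + 1);
        if (sibling) n += sibling->floodShiftBounded(adj, depth + 1);
        return n;
    }
};

// Pattern C: iterative walk with an explicit work stack and a visited set.
// Uses heap memory proportional to the graph, never the call stack, and
// shifts every reachable slot exactly once even when links form a cycle.
int floodShiftIterative(Slot* head, Position adj) {
    std::vector<Slot*> work{head};
    std::unordered_set<Slot*> seen;
    int n = 0;
    while (!work.empty()) {
        Slot* s = work.back();
        work.pop_back();
        if (s == nullptr || !seen.insert(s).second) continue;  // null or already shifted
        s->position += adj;
        ++n;
        work.push_back(s->sibling);
        work.push_back(s->child);
    }
    return n;
}

// Constructed test input (not a real font's slot graph): a child chain of
// `len` slots; if `cyclic`, the last child links back to the head. The
// vector is sized once before any pointers are taken so they stay valid.
Slot* buildChain(std::vector<Slot>& pool, std::size_t len, bool cyclic) {
    pool.assign(len, Slot{});
    for (std::size_t i = 0; i + 1 < len; ++i) pool[i].child = &pool[i + 1];
    if (cyclic && len > 0) pool[len - 1].child = &pool[0];
    return &pool[0];
}

// Slots shifted by the depth-capped walk over a constructed chain.
int shiftedBounded(std::size_t len, bool cyclic) {
    std::vector<Slot> pool;
    Slot* head = buildChain(pool, len, cyclic);
    return head->floodShiftBounded(Position{1.0f, 0.0f});
}

// Slots shifted by the iterative walk over a constructed chain.
int shiftedIterative(std::size_t len, bool cyclic) {
    std::vector<Slot> pool;
    Slot* head = buildChain(pool, len, cyclic);
    return floodShiftIterative(head, Position{1.0f, 0.0f});
}
```

On a five-slot cycle the depth cap stops after 101 shifts instead of crashing, and on a 500-slot legitimate chain it also stops at 101, i.e. a cap trades stack exhaustion for silently truncated positioning on deep trees; the iterative walk shifts all 500 and handles the cycle by visiting each slot once.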
Reporter
Comment 1 • 8 years ago
Comment 2 • 8 years ago
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Reporter
Updated • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Reporter
Updated • 8 years ago
See Also: → CVE-2016-2791
Reporter
Comment 3 • 8 years ago
Tested with e569e28d83491fedb31b9220493f3c07f6ec6d80
Status: RESOLVED → VERIFIED
Updated • 8 years ago
Group: gfx-core-security → core-security-release
Reporter
Comment 4 • 8 years ago
This is fixed upstream but not in mozilla-central. I got a bit too excited and marked it as fixed.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Summary: graphite2: stack-overflow in [@graphite2::Slot::floodShift] → graphite2: stack-overflow in [@graphite2::Slot::floodShift] Slot.cpp:480
Reporter
Updated • 8 years ago
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
status-firefox45:
--- → fixed
status-firefox46:
--- → fixed
status-firefox47:
--- → fixed
status-firefox-esr38:
--- → fixed
Depends on: 1252311
Resolution: --- → FIXED
Updated • 8 years ago
tracking-firefox-esr38:
--- → 45+
Whiteboard: [adv-main45+][adv-esr38.7+]
Comment 5 • 8 years ago
This is an automated crash issue comment:

Summary: Crash [@ __sanitizer::DTLS_on_tls_get_addr]
Build version: graphite2 revision bc5409c573aa9ecccacd18cf713021272998cd35
Testcase: See attachment.

Backtrace:
==5300==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd4441dff8 (pc 0x0000004ce480 bp 0x7fc167c26fc0 sp 0x7ffd4441e000 T0)
    #0 0x4ce47f in __sanitizer::DTLS_on_tls_get_addr(void*, void*, unsigned long, unsigned long) /home/user/Desktop/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.cc:82
    #1 0x42c08a in __tls_get_addr /home/user/Desktop/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4096
    #2 0x7fc167a04c38 in graphite2::Position::operator+=(graphite2::Position const&) src/inc/Position.h:39:56
    #3 0x7fc167a04c38 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:495
    #4 0x7fc167a04d27 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:496:18
    #5 0x7fc167a04d27 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:496:18
    #6 0x7fc167a04d27 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:496:18
    [...]
    #252 0x7fc167a04d27 in graphite2::Slot::floodShift(graphite2::Position) src/Slot.cpp:496:18
Comment 6 • 8 years ago

Comment 7 • 8 years ago
This doesn't seem to be fixed per previous comments, reopening. Also we can probably unhide this bug. Stack overflows and (near) null derefs typically don't need s-s.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 8 • 8 years ago
Nevermind, bug 1252724 is filed with the same signature now, just not linked appropriately.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED
Updated • 8 years ago
Whiteboard: [adv-main45+][adv-esr38.7+] → [adv-main45-][adv-esr38.7-]
Updated • 8 years ago
Group: core-security-release