graphite2: stack-overflow in [@graphite2::Slot::floodShift] Slot.cpp:486

RESOLVED FIXED

Component: Core :: Graphics: Text
Severity: critical
People

(Reporter: tsmith, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Keywords: crash, csectype-dos, sec-low, testcase

Firefox Tracking Flags

(firefox45 fixed, firefox46 fixed, firefox47 fixed, firefox-esr38 fixed, firefox-esr45 45+)

Details

(Whiteboard: [adv-main45-][adv-esr38.7-])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Created attachment 8721689 [details]
test_case.ttf

Found in graphite2 revision 2c04f1eda80803d75ff94e53e67c64f108af6d06

==33110==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcab510ff8 (pc 0x7f8463aec57c bp 0x00000071ace0 sp 0x7ffcab511000 T0)
    #0 0x7f8463aec57b in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:486:18
    #1 0x7f8463aec580 in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:486:18
    ...
    #251 0x7f8463aec580 in graphite2::Slot::floodShift(graphite2::Position) /home/user/code/graphite/src/Slot.cpp:486:18
(Reporter)

Comment 1

2 years ago
Created attachment 8721690 [details]
test_string.txt

Comment 2

2 years ago
Fixed? upstream in c00e3f7d3741ac5f9a4706e8097320f8a60f4ea8
(Reporter)

Comment 3

2 years ago
Verified with graphite revision 2b7f42152ec779c6f96ea744d83a7b7a6912473b. Thanks Martin.
(Reporter)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox45: --- → fixed
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox-esr38: --- → fixed
Depends on: 1252311
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release

Updated

2 years ago
tracking-firefox-esr45: --- → 45+
Whiteboard: [adv-main45+][adv-esr38.7+]

Updated

2 years ago
Whiteboard: [adv-main45+][adv-esr38.7+] → [adv-main45-][adv-esr38.7-]
Group: core-security-release