Closed Bug 1251066 Opened 8 years ago Closed 7 years ago

[harfbuzz] Use of uninitialized memory in [@hb_ot_layout_feature_get_lookups]

Categories: Core :: Graphics: Text, defect, P3
Status: RESOLVED FIXED
Target Milestone: mozilla48
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Keywords: csectype-uninitialized, sec-low, testcase
Whiteboard: [gfx-noted]
Attachments (1 file): test_case.ttf, 1.75 KB, application/x-font-ttf
Attached file test_case.ttf
Found while fuzzing harfbuzz revision 23335deaad9d4d9824ff41343264514d3f9f7e37

Run with valgrind to reproduce.

Conditional jump or move depends on uninitialised value(s)
   at 0x44EB04: OT::ArrayOf<OT::Record<OT::Feature>, OT::IntType<unsigned short, 2u> >::operator[](unsigned int) const (hb-open-type-private.hh:837)
   by 0x44A393: OT::RecordListOf<OT::Feature>::operator[](unsigned int) const (hb-ot-layout-common-private.hh:135)
   by 0x43FF92: OT::GSUBGPOS::get_feature(unsigned int) const (hb-ot-layout-gsubgpos-private.hh:2260)
   by 0x435F63: hb_ot_layout_feature_get_lookups (hb-ot-layout.cc:474)
   by 0x45DAA3: hb_ot_map_t::add_lookups(hb_face_t*, unsigned int, unsigned int, unsigned int, bool) (hb-ot-map.cc:54)
   by 0x45E903: hb_ot_map_builder_t::compile(hb_ot_map_t&) (hb-ot-map.cc:283)
   by 0x41BDDB: hb_ot_shape_planner_t::compile(hb_ot_shape_plan_t&) (hb-ot-shape-private.hh:84)
   by 0x419254: _hb_ot_shaper_shape_plan_data_create (hb-ot-shape.cc:178)
   by 0x410CD0: hb_shape_plan_plan(hb_shape_plan_t*, hb_feature_t const*, unsigned int, char const* const*) (hb-shaper-list.hh:43)
   by 0x411064: hb_shape_plan_create (hb-shape-plan.cc:149)
   by 0x411806: hb_shape_plan_create_cached (hb-shape-plan.cc:458)
   by 0x41080E: hb_shape_full (hb-shape.cc:376)
Behdad, could you look into valgrind's complaint with the attached font? Thx.
Flags: needinfo?(mozilla)
Fixed via:
https://github.com/behdad/harfbuzz/commit/731a430cd36caabcef04e099b21ebc6daedd536f

I believe this is not exploitable in any way.
Flags: needinfo?(mozilla)
Keywords: sec-low
Whiteboard: [gfx-noted]
The fix in comment 2 was included in harfbuzz 1.2.4. We updated from version 1.2.2 to 1.2.6 in bug 1251203 for Firefox 48.
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 1251203
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Group: gfx-core-security → core-security-release
Group: core-security-release