graphite2: heap-buffer-overflow read in [@cache_subtable<graphite2::TtfUtil::CmapSubtable4NextCodepoint, graphite2::TtfUtil::CmapSubtable4Lookup>]

RESOLVED FIXED

Status

()

--
critical
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: tsmith, Unassigned)

Tracking

(Blocks: 1 bug, {csectype-bounds, sec-moderate, testcase})

unspecified
csectype-bounds, sec-moderate, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox45 disabled, firefox46 fixed, firefox47 fixed, firefox48 fixed, firefox-esr3846+ disabled, firefox-esr4546+ disabled)

Details

(Whiteboard: [gfx-noted])

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
Created attachment 8724809 [details]
call_stack.txt

This was found while fuzzing graphite2 revision fb32e2e39ccd0980672f55052f75fc10f8736fb2
(Reporter)

Comment 1

3 years ago
Created attachment 8724810 [details]
test_case.ttf
(Reporter)

Comment 2

3 years ago
Created attachment 8724811 [details]
test_string.txt
(Reporter)

Comment 3

3 years ago
Fixed with patch from bug 1248876
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox45: --- → fixed
status-firefox46: --- → fixed
status-firefox47: --- → fixed
Depends on: 1252311
Resolution: --- → FIXED
(Reporter)

Comment 4

3 years ago
Sigh... wrong bug. Sorry.
Status: RESOLVED → REOPENED
status-firefox45: fixed → ---
status-firefox46: fixed → ---
status-firefox47: fixed → ---
No longer depends on: 1252311
Resolution: FIXED → ---

Comment 5

3 years ago
Fixed? in 92e0add6083b2e360e30854cbfceedecaac0d3ad
(Reporter)

Comment 6

3 years ago
Verified with graphite revision 92e0add6083b2e360e30854cbfceedecaac0d3ad
Keywords: sec-moderate
Whiteboard: [gfx-noted]
(Reporter)

Updated

3 years ago
Depends on: 1255158
(Reporter)

Updated

3 years ago
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago3 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated on all affected branches including ESRs.
status-firefox45: --- → wontfix
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → fixed
status-firefox-esr45: --- → fixed
tracking-firefox-esr38: --- → 46+
tracking-firefox-esr45: --- → 46+
status-firefox45: wontfix → disabled
status-firefox-esr38: fixed → disabled
status-firefox-esr45: fixed → disabled
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.