Closed Bug 1252407 Opened 8 years ago Closed 8 years ago

Heap-buffer-overflow in ConvertWOFF2ToTTF

Categories

(Core :: Graphics: Text, defect)

47 Branch
defect
Not set
normal

Tracking

VERIFIED FIXED
mozilla47
Tracking Status
firefox46 --- unaffected
firefox47 --- verified
firefox-esr38 --- unaffected
firefox-esr45 --- unaffected

People

(Reporter: chamal.desilva, Assigned: jfkthame)

Attachments (4 files)

Attached file testfont.html
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

1. Download and save corruptFont.woff2 and testfont.html in the same folder.
2. Open Firefox built with AddressSanitizer and open testfont.html.
3. Sometimes the tab does not crash. Please reload the page several times if the tab does not crash.


Actual results:

The tab crashed with a heap-buffer-overflow.


Expected results:

The tab should not crash.
Attached file corruptFont.woff2
This bug is fixed in the woff2 library by this revision:
https://github.com/google/woff2/commit/d1efde9124f7bef4b0fd82e98f4702651d3095bc
Please merge it or update the woff2 library used by Firefox.

* I could not attach a symbolized backtrace to this bug because so far I could not find out how to symbolize the ASAN trace generated by Firefox.
Group: firefox-core-security → core-security
Component: Untriaged → Graphics: Text
Product: Firefox → Core
Jonathan: do we already have a bug to upgrade WOFF2? What is our usual schedule for that? Do we get alerts about security fixes from them or do we just have to watch on our own?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jfkthame)
We don't currently get alerts, AFAIK; it's up to us to watch. And so I've just added myself as a watcher on the woff2 repository, to try and keep a better eye on it.

I'll post a patch to update our copy shortly.
Flags: needinfo?(jfkthame)
Group: core-security → gfx-core-security
Attached file call_stack.txt
This is a heap overflow bug, even though ASAN sometimes reports it as a UAF.
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Attachment #8725387 - Flags: review?(fred.wang)
Attachment #8725387 - Flags: review?(fred.wang) → review+
Comment on attachment 8725387 [details] [diff] [review]
Update woff2 library to upstream commit 643c7b45891cbeb5dc1f7599a4c9b53fbe82a08f

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
The patch adds a range check, which makes it clear that previously this value was unchecked; hence it's easy to deduce that a rogue font with an out-of-range value here would be a possible attack vector.

It's not immediately clear to me how readily this could be leveraged to something more than an out-of-bounds access that may well result in a crash, but further analysis of the code might indicate that it can be used in more devious ways.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No

Which older supported branches are affected by this flaw?
None -- the WOFF2 library containing this code landed for mozilla-47 in bug 1227058. The older OTS code was significantly different; it may well have its own flaws, of course, but this particular flaw is specific to the new WOFF2 lib.

If not all supported branches, which bug introduced the flaw?
Bug 1227058 (where we took an OTS update, including switching to the separate WOFF2 module in place of older WOFF2 code within OTS).

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
n/a

How likely is this patch to cause regressions; how much testing does it need?
Minimal risk; this just adds a missing range check.
Attachment #8725387 - Flags: sec-approval?
Flags: sec-bounty?
Attachment #8725387 - Flags: sec-approval? → sec-approval+
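The approval comment above describes the fix as a missing range check on a value read from the font. The following C snippet is an added illustration of that pattern, not the woff2 code or Mozilla's patch: a hypothetical 12-byte table record (tag, offset, length) is read from untrusted bytes and its offset/length range is validated against the buffer size before anything dereferences it. It also shows, beside the hardened form, the naive check whose 32-bit addition can wrap and let an out-of-range record through. The record layout, the function names and the sample bytes are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 12-byte table record: big-endian tag, offset, length.
   Constructed for this illustration; not the WOFF2 format or its parser. */
typedef struct {
    uint32_t tag;
    uint32_t offset;
    uint32_t length;
} TableRecord;

static uint32_t read_u32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void write_u32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The check that is easy to get wrong: offset + length is computed in 32 bits,
   so a huge length wraps to a small sum and an out-of-range record passes. */
int naive_in_range(uint32_t offset, uint32_t length, size_t size) {
    return (uint32_t)(offset + length) <= size;
}

/* Hardened check: never form offset + length; compare the length against the
   space remaining after the offset instead, which cannot overflow. */
int record_in_range(uint32_t offset, uint32_t length, size_t size) {
    return offset <= size && length <= size - offset;
}

/* Parse the record at `pos` and validate the range it references. Returns 1 on
   success, 0 if the record bytes or the referenced range lie outside the `size`
   bytes at `data`. Callers must not read data[offset..] unless this returns 1. */
int parse_table_record(const uint8_t *data, size_t size, size_t pos, TableRecord *out) {
    if (pos > size || size - pos < 12) return 0;            /* record itself present? */
    out->tag    = read_u32be(data + pos);
    out->offset = read_u32be(data + pos + 4);
    out->length = read_u32be(data + pos + 8);
    return record_in_range(out->offset, out->length, size); /* referenced range present? */
}

/* Build a constructed 32-byte sample with one record at position 0 and return
   the parser's verdict for that (offset, length) pair. */
int check_record(uint32_t offset, uint32_t length) {
    uint8_t buf[32];
    TableRecord rec;
    memset(buf, 0xAB, sizeof buf);   /* filler standing in for table data */
    memcpy(buf, "glyf", 4);          /* constructed tag */
    write_u32be(buf + 4, offset);
    write_u32be(buf + 8, length);
    return parse_table_record(buf, sizeof buf, 0, &rec);
}

int main(void) {
    printf("offset 12, length 20 in 32 bytes : %d\n", check_record(12, 20));
    printf("offset 12, length 21 in 32 bytes : %d\n", check_record(12, 21));
    printf("offset 8, length 0xFFFFFFF8      : naive=%d hardened=%d\n",
           naive_in_range(8, 0xFFFFFFF8u, 32), check_record(8, 0xFFFFFFF8u));
    return 0;
}
```

The point of `record_in_range` is that the parser's verdict, not the caller, decides whether the bytes are touched; with the naive form, the wrapped sum passes and the subsequent read of `length` bytes runs off the end of the buffer, which is exactly the class of out-of-bounds access an ASAN build reports as a heap-buffer-overflow.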
https://hg.mozilla.org/integration/mozilla-inbound/rev/33087bab1346dbbfaff79478b7c90e5a978e6ff2
Bug 1252407 - Update woff2 library to upstream commit 643c7b45891cbeb5dc1f7599a4c9b53fbe82a08f. r=fredw
https://hg.mozilla.org/mozilla-central/rev/33087bab1346
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Group: gfx-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Thanks a lot for giving me a reward. Before receiving the bounty I have to disclose to you that I reported this bug to Google Chrome first. I also disclosed to the Google Chrome engineers that this bug reproduces in Firefox, for the purpose of disclosing this bug to Mozilla.
Reproduced on 47.0a1 (2016-03-01) mozilla-central-linux64-asan build.
Verified fixed 47b10 mozilla-central-linux64-asan build.
Status: RESOLVED → VERIFIED
Group: core-security-release