Bug 1252943 (Closed)
graphite2: UBSan null pointer passed as argument 1, which is declared to never be null [@graphite2::Pass::readStates]
Opened 8 years ago; closed 8 years ago
Categories: Core :: Graphics: Text, defect
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Keywords: csectype-nullptr, sec-audit, testcase; Whiteboard: [gfx-noted]
Attachments (1 file): 55.95 KB, application/x-font-ttf
This was found while fuzzing graphite2 latest revision (bc5409c573aa9ecccacd18cf713021272998cd35). This issue was uncovered using Undefined Behavior Sanitizer (UBSan). More information can be found here: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html. This is not a sec issue; however, I am hiding this bug because of the large number of bugs that have been found and I would like to avoid any unwanted attention until things calm down.

To reproduce:
Build with UBSan enabled.
Run: ./gr2fonttest test_case.ttf -auto

/home/user/code/graphite/src/Pass.cpp:359:15: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/stdlib.h:766:30: note: nonnull attribute specified here
    #0 0x7f76d0a596aa in graphite2::Pass::readStates(unsigned char const*, unsigned char const*, unsigned char const*, graphite2::Face&, graphite2::Error&) /home/user/code/graphite/src/Pass.cpp:359:9
    #1 0x7f76d0a4a2db in graphite2::Pass::readPass(unsigned char const*, unsigned long, unsigned long, graphite2::Face&, graphite2::passtype, unsigned int, graphite2::Error&) /home/user/code/graphite/src/Pass.cpp:208:25
    #2 0x7f76d0abfb33 in graphite2::Silf::readGraphite(unsigned char const*, unsigned long, graphite2::Face&, unsigned int) /home/user/code/graphite/src/Silf.cpp:216:14
    #3 0x7f76d09c1831 in graphite2::Face::readGraphite(graphite2::Face::Table const&) /home/user/code/graphite/src/Face.cpp:149:14
    #4 0x7f76d08d7bdb in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /home/user/code/graphite/src/gr_face.cpp:59:42
    #5 0x7f76d08d7339 in gr_make_face_with_ops /home/user/code/graphite/src/gr_face.cpp:89:16
    #6 0x7f76d08dafc3 in gr_make_file_face /home/user/code/graphite/src/gr_face.cpp:242:23
    #7 0x4f5f9d in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:633:20
    #8 0x4fd33b in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:787:9
    #9 0x7f76d0430ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #10 0x41b985 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41b985)
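The UBSan finding above is of the "nonnull attribute" class: a libc function whose pointer parameters are declared nonnull was reached with a null argument while readStates was parsing a font table. The following is an added illustration, not graphite2 code and not tied to the specific stdlib.h function the report points at; it uses memcpy from string.h (whose pointer parameters glibc likewise declares nonnull) as a stand-in. It parses a constructed state table (a big-endian 16-bit count followed by that many 16-bit entries) and shows the defensive shape a table reader needs: bounds-check the declared count against the table length, and never call a nonnull function when the count is zero, because malloc(0) may legally return NULL. The table layout, the names read_states, count_states and state_of, and the sample byte arrays are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not graphite2 code: a minimal state-table reader of the
 * same general shape as a Pass::readStates-style parser. The table format is
 * assumed: a big-endian 16-bit entry count followed by that many 16-bit entries. */

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Copies the raw entry bytes into a freshly allocated buffer (*out, caller
 * frees) and returns the entry count, or -1 if the table is malformed.
 * The n == 0 early return is the guard this bug class needs: malloc(0) may
 * legally return NULL, and memcpy's pointer parameters are declared nonnull,
 * so memcpy(NULL, src, 0) is exactly what UBSan reports as "null pointer
 * passed as argument 1, which is declared to never be null". */
static int read_states(const uint8_t *tbl, size_t len, uint8_t **out)
{
    *out = NULL;
    if (tbl == NULL || len < 2) return -1;
    uint16_t n = be16(tbl);
    size_t bytes = (size_t)n * sizeof(uint16_t);
    if (bytes > len - 2) return -1;      /* declared count overruns the table */
    if (n == 0) return 0;                /* valid empty table: never reach memcpy */
    uint8_t *raw = malloc(bytes);
    if (raw == NULL) return -1;
    memcpy(raw, tbl + 2, bytes);         /* both pointers are non-null here */
    *out = raw;
    return n;
}

/* Constructed sample tables (hypothetical input, not the bug's attachment). */
static const uint8_t kTwoStates[] = {0x00, 0x02, 0x00, 0x05, 0x01, 0x00};
static const uint8_t kEmpty[]     = {0x00, 0x00};
static const uint8_t kTruncated[] = {0x00, 0x03, 0x00, 0x01};   /* claims 3, holds 1 */

/* Parse a table and return its entry count (or -1), freeing the buffer. */
static int count_states(const uint8_t *tbl, size_t len)
{
    uint8_t *raw;
    int n = read_states(tbl, len, &raw);
    free(raw);                           /* free(NULL) is a no-op */
    return n;
}

/* Parse a table and return entry i as a host integer, or -1 if unavailable. */
static int state_of(const uint8_t *tbl, size_t len, uint16_t i)
{
    uint8_t *raw;
    int n = read_states(tbl, len, &raw);
    int v = (n > 0 && i < (uint16_t)n) ? (int)be16(raw + 2u * i) : -1;
    free(raw);
    return v;
}

int main(void)
{
    printf("two-state table: %d entries, entry 1 = %d\n",
           count_states(kTwoStates, sizeof kTwoStates),
           state_of(kTwoStates, sizeof kTwoStates, 1));
    printf("empty table: %d entries (no allocation, no memcpy)\n",
           count_states(kEmpty, sizeof kEmpty));
    printf("truncated table: %d (rejected before any copy)\n",
           count_states(kTruncated, sizeof kTruncated));
    return 0;
}
```

Built with -fsanitize=undefined, the guarded reader stays silent on all three inputs; removing the n == 0 return would let a zero-count table reach memcpy with whatever malloc(0) handed back, which is the condition the sanitizer flags even though no bytes are copied.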
Comment 1 • 8 years ago
fixed? in or before 3d80c6b69fd647fdb134987e2e87ea830e93e3a4. Probably the same as some other bug.
Comment 2 • 8 years ago
Oops fixed the UBSan aspect. Fixed? in e7deaf90c9c8ca30116340419313af527fe90d78
Updated • 8 years ago
Whiteboard: [gfx-noted]
Updated • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated • 8 years ago
Group: gfx-core-security → core-security-release
Comment 3 • 8 years ago
Graphite2 has been updated on all affected branches including ESRs.
status-firefox45: --- → wontfix
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → fixed
status-firefox-esr45: --- → fixed
tracking-firefox-esr38: --- → 46+
tracking-firefox-esr45: --- → 46+
Updated • 8 years ago
Group: core-security-release