Closed Bug 1254883 Opened 8 years ago Closed 8 years ago

graphite2: SEGV near NULL in [@graphite2::CachedFace::runGraphite]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

Attached file test_case.ttf
This was found while fuzzing the latest graphite2 revision (f67e446f6637d5845a4df55e83a4f8a0eb7ad42b).

This uses the segcache code that is not used by Firefox (correct me if I am wrong here, Martin or Jonathan).

This is likely not a sec issue; however, I am hiding this bug because of the large number of bugs that have been found, and I would like to avoid any unwanted attention until things calm down.

To reproduce, run:
./gr2fonttest test_case.ttf -auto -cache

==14915==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fd4a4f63cdd bp 0x7fff4173def0 sp 0x7fff4173ddc0 T0)
    #0 0x7fd4a4f63cdc in graphite2::CachedFace::runGraphite(graphite2::Segment*, graphite2::Silf const*) const /home/user/code/graphite/src/CachedFace.cpp:88:50
    #1 0x7fd4a4f610a4 in graphite2::Segment::runGraphite() /home/user/code/graphite/src/inc/Segment.h:97:45
    #2 0x7fd4a4f610a4 in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int) /home/user/code/graphite/src/gr_segment.cpp:46
    #3 0x7fd4a4f610a4 in gr_make_seg /home/user/code/graphite/src/gr_segment.cpp:105
    #4 0x4e7d45 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:690:20
    #5 0x4e8eff in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:795:9
    #6 0x7fd4a4ba3ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #7 0x41a5c5 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41a5c5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/code/graphite/src/CachedFace.cpp:88:50 in graphite2::CachedFace::runGraphite(graphite2::Segment*, graphite2::Silf const*) const
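The report above is typical of what a fuzzing campaign produces in bulk, and the reporter's "likely not a sec issue" call rests on one detail: the fault address is 0x10, i.e. inside the unmapped zero page, which points to a NULL object pointer dereferenced at a small field offset rather than a wild write. The script below is an added example (not part of this bug, gr2fonttest or the graphite2 project) of how a triage pipeline would extract that verdict, the crashing source location and a stack-based bucketing signature from an ASan SEGV report. The sample input is the report quoted above, embedded so the script runs offline; the 4 KiB page size is an assumption (x86-64 Linux), and all function names are the example's own.

```python
import re
from typing import Dict, List

# Sample input: the AddressSanitizer report quoted in the bug above (frames #0-#7),
# embedded here so the script runs offline.
SAMPLE_REPORT = """\
==14915==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fd4a4f63cdd bp 0x7fff4173def0 sp 0x7fff4173ddc0 T0)
    #0 0x7fd4a4f63cdc in graphite2::CachedFace::runGraphite(graphite2::Segment*, graphite2::Silf const*) const /home/user/code/graphite/src/CachedFace.cpp:88:50
    #1 0x7fd4a4f610a4 in graphite2::Segment::runGraphite() /home/user/code/graphite/src/inc/Segment.h:97:45
    #2 0x7fd4a4f610a4 in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int) /home/user/code/graphite/src/gr_segment.cpp:46
    #3 0x7fd4a4f610a4 in gr_make_seg /home/user/code/graphite/src/gr_segment.cpp:105
    #4 0x4e7d45 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:690:20
    #5 0x4e8eff in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:795:9
    #6 0x7fd4a4ba3ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #7 0x41a5c5 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41a5c5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/code/graphite/src/CachedFace.cpp:88:50 in graphite2::CachedFace::runGraphite(graphite2::Segment*, graphite2::Silf const*) const
"""

# Header line of an ASan SEGV report: fault address and program counter.
HEADER_RE = re.compile(r"AddressSanitizer: SEGV on unknown address 0x([0-9a-f]+) \(pc 0x([0-9a-f]+)")
# Symbolised frame with source info: "#N 0xADDR in FUNCTION FILE:LINE[:COLUMN]".
# The function text may contain spaces (C++ parameter lists), the path may not contain ':'.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-f]+) in (.+?) ([^\s:]+):(\d+)(?::(\d+))?$")

PAGE_SIZE = 4096  # assumption: 4 KiB pages (x86-64 Linux); page 0 is never mapped


def parse_asan_segv(report: str) -> Dict:
    """Extract fault address, pc and the symbolised frames from an ASan SEGV report."""
    m = HEADER_RE.search(report)
    if not m:
        raise ValueError("not an AddressSanitizer SEGV report")
    frames: List[Dict] = []
    for line in report.splitlines():
        fm = FRAME_RE.match(line)
        if fm:  # frames without file:line (e.g. _start) are skipped
            frames.append({
                "index": int(fm.group(1)),
                "pc": int(fm.group(2), 16),
                "function": fm.group(3),
                "file": fm.group(4),
                "line": int(fm.group(5)),
                "column": int(fm.group(6)) if fm.group(6) else None,
            })
    return {"address": int(m.group(1), 16), "pc": int(m.group(2), 16), "frames": frames}


def classify_fault(addr: int) -> str:
    """Heuristic: a fault address inside the zero page is a NULL pointer dereference,
    possibly offset by a struct field (0x10 here = a field 16 bytes into a NULL object).
    These are almost always denial of service only. Any other unmapped address is a
    wild pointer and needs a closer look before it can be called harmless."""
    return "near-null" if addr < PAGE_SIZE else "wild"


def short_name(function: str) -> str:
    """Drop the parameter list so frames bucket together regardless of signature.
    A leading '(anonymous namespace)' in C++ names must survive the strip."""
    return re.sub(r"\((?!anonymous namespace\)).*$", "", function).strip()


def crash_signature(frames: List[Dict], depth: int = 3) -> str:
    """Stack-based bucketing key: the top `depth` symbolised frames, names only."""
    return " | ".join(short_name(f["function"]) for f in frames[:depth])


def triage(report: str) -> Dict:
    """One-line verdict for a fuzzer crash: class, address, crash site, bucket key."""
    parsed = parse_asan_segv(report)
    top = parsed["frames"][0] if parsed["frames"] else None
    return {
        "verdict": classify_fault(parsed["address"]),
        "address": parsed["address"],
        "location": f'{top["file"]}:{top["line"]}' if top else None,
        "signature": crash_signature(parsed["frames"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

For this report the verdict is `near-null` at `/home/user/code/graphite/src/CachedFace.cpp:88`, and the signature `graphite2::CachedFace::runGraphite | graphite2::Segment::runGraphite | (anonymous namespace)::makeAndInitialize` is what lets a campaign that produces many findings in the same code collapse duplicates before anyone reads them. The zero-page threshold is a screening heuristic, not proof: a fault at a large fixed offset from NULL, or one where the pointer is attacker-influenced, still deserves a human look.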
I'm going to lower the priority on the segment cache stuff. I know there are plenty of bugs in there.
Depends on: 1255158
No longer depends on: 1255158
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release