Closed Bug 1256493 Opened 4 years ago Closed 3 years ago

hunspell: heap-buffer-overflow write in [@u16_u8]

Categories

(Core :: Spelling checker, defect, critical)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla49
Tracking Status
firefox46 --- wontfix
firefox47 --- fixed
firefox48 --- fixed
firefox49 --- fixed
firefox-esr38 --- wontfix
firefox-esr45 47+ fixed

People

(Reporter: tsmith, Unassigned)

References

Details

(4 keywords, Whiteboard: [adv-main47+][adv-esr45.2+][post-critsmash-triage])

Attachments

(2 files)

Attached file call_stack.txt
Found in hunspell revision ded5b4c62c37084d216154e02e4d5e6efbd3ccfa

To reproduce:
run ./src/tools/example tests/base_utf.aff tests/base_utf.dic test_case.txt
Attached file test_case.txt
Group: core-security → dom-core-security
Does the crash happen also in browser?
In our sec triage meeting today, Tyson said he wasn't sure how exposed this was to content. We were hoping somebody might know. Of course, if it requires a malformed dictionary or something it probably isn't a critical security issue for Firefox.
master github hunspell now passes this example under asan
Depends on: 1257902
Should be fixed on trunk by bug 1257902.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Group: dom-core-security → core-security-release
Whiteboard: [adv-main47+][adv-esr45.2+]
Whiteboard: [adv-main47+][adv-esr45.2+] → [adv-main47+][adv-esr45.2+][post-critsmash-triage]
Group: core-security-release