hunspell: heap-buffer-overflow write in [@u16_u8]

RESOLVED FIXED in Firefox 47

Status

Core
Spelling checker
critical
RESOLVED FIXED
a year ago
11 months ago

People

(Reporter: tsmith, Unassigned)

Tracking

(4 keywords)

unspecified
mozilla49
crash, csectype-bounds, sec-high, testcase

Firefox Tracking Flags

(firefox46 wontfix, firefox47 fixed, firefox48 fixed, firefox49 fixed, firefox-esr38 wontfix, firefox-esr4547+ fixed)

Details

(Whiteboard: [adv-main47+][adv-esr45.2+][post-critsmash-triage])

Attachments

(2 attachments)

Created attachment 8730455 [details]
call_stack.txt

Found in hunspell revision ded5b4c62c37084d216154e02e4d5e6efbd3ccfa

To reproduce:
run ./src/tools/example tests/base_utf.aff tests/base_utf.dic test_case.txt
Created attachment 8730456 [details]
test_case.txt
Group: core-security → dom-core-security
Does the crash also happen in the browser?
In our sec triage meeting today, Tyson said he wasn't sure how exposed this was to content. We were hoping somebody might know. Of course, if it requires a malformed dictionary or something, it probably isn't a critical security issue for Firefox.
Keywords: sec-high

Comment 4

a year ago
Master GitHub hunspell now passes this example under ASan.
Depends on: 1257902
Should be fixed on trunk by bug 1257902.
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox49: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Group: dom-core-security → core-security-release
status-firefox46: --- → wontfix
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → wontfix
status-firefox-esr45: --- → fixed
tracking-firefox-esr45: --- → 47+
Depends on: 1269941
Whiteboard: [adv-main47+][adv-esr45.2+]
Whiteboard: [adv-main47+][adv-esr45.2+] → [adv-main47+][adv-esr45.2+][post-critsmash-triage]

Updated

11 months ago
Group: core-security-release