hunspell: stack-buffer-overflow write in [@SfxEntry::checkword]

RESOLVED FIXED in Firefox 47

Status

Core
Spelling checker
--
critical
RESOLVED FIXED
a year ago
8 months ago

People

(Reporter: tsmith, Unassigned)

Tracking

(4 keywords)

unspecified
mozilla49
crash, csectype-bounds, sec-high, testcase
Points:
---

Firefox Tracking Flags

(firefox47 fixed, firefox48 fixed, firefox49 fixed, firefox-esr38 wontfix, firefox-esr45 47+ fixed)

Details

(Whiteboard: [adv-main47+][adv-esr45.2+][post-critsmash-triage])

Attachments

(2 attachments)

(Reporter)

Description

a year ago
Created attachment 8730824 [details]
call_stack.txt

Found in hunspell revision ded5b4c62c37084d216154e02e4d5e6efbd3ccfa

To reproduce:
run ./src/tools/example tests/base_utf.aff tests/base_utf.dic test_case.txt

==3565==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f2f62c0052c at pc 0x0000005a6f8e bp 0x7ffe237dd790 sp 0x7ffe237dd788
WRITE of size 1 at 0x7f2f62c0052c thread T0
...
(Reporter)

Comment 1

a year ago
Created attachment 8730825 [details]
test_case.txt
Keywords: sec-high

Comment 2

a year ago
GitHub master now passes this example under ASan without complaint.
Depends on: 1257902
Should be fixed on trunk by bug 1257902.
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox49: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Group: dom-core-security → core-security-release
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → wontfix
status-firefox-esr45: --- → fixed
tracking-firefox-esr45: --- → 47+
Depends on: 1269941
Whiteboard: [adv-main47+][adv-esr45.2+]
Whiteboard: [adv-main47+][adv-esr45.2+] → [adv-main47+][adv-esr45.2+][post-critsmash-triage]
Group: core-security-release