Closed Bug 1256968 Opened 8 years ago Closed 8 years ago

hunspell: heap-buffer-overflow write in [@u16_u8]

Categories

(Core :: Spelling checker, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla49
Tracking Status
firefox46 --- wontfix
firefox47 --- fixed
firefox48 --- fixed
firefox49 --- fixed
firefox-esr38 --- wontfix
firefox-esr45 47+ fixed

People

(Reporter: tsmith, Unassigned)

Details

(4 keywords, Whiteboard: [adv-main47+][adv-esr45.2+][post-critsmash-triage])

Attachments

(2 files)

Attached file call_stack.txt
Found in hunspell revision ded5b4c62c37084d216154e02e4d5e6efbd3ccfa

To reproduce:
run ./src/tools/example tests/base_utf.aff tests/base_utf.dic test_case.txt


==3129==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f90fe400380 at pc 0x00000057f5c2 bp 0x7ffd8da31a20 sp 0x7ffd8da31a18
WRITE of size 1 at 0x7f90fe400380 thread T0
...
Attached file test_case.txt
Keywords: sec-high
git master now passes this test under asan
Depends on: 1257902
Tyson, can we figure out how to update this so we get this fix? Thanks.
Flags: needinfo?(twsmith)
Oh, never mind, I see the dependent bug now.
Flags: needinfo?(twsmith)
Should be fixed on trunk by bug 1257902.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Group: dom-core-security → core-security-release
[Tracking Requested - why for this release]:
Whiteboard: [adv-main47+][adv-esr45.2+]
Whiteboard: [adv-main47+][adv-esr45.2+] → [adv-main47+][adv-esr45.2+][post-critsmash-triage]
Group: core-security-release