hunspell: heap-buffer-overflow write in [@u16_u8]

RESOLVED FIXED in Firefox 47

Status

Product: Core
Component: Spelling checker
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: a year ago
Modified: 7 months ago

People

(Reporter: tsmith, Unassigned)

Tracking

Version: unspecified
Target Milestone: mozilla49
Keywords: crash, csectype-bounds, sec-high, testcase
Points: ---

Firefox Tracking Flags

(firefox46 wontfix, firefox47 fixed, firefox48 fixed, firefox49 fixed, firefox-esr38 wontfix, firefox-esr45 47+ fixed)

Details

(Whiteboard: [adv-main47+][adv-esr45.2+][post-critsmash-triage])

Attachments (2)

Description (Reporter, a year ago)

Created attachment 8730897
call_stack.txt

Found in hunspell revision ded5b4c62c37084d216154e02e4d5e6efbd3ccfa

To reproduce:
run ./src/tools/example tests/base_utf.aff tests/base_utf.dic test_case.txt


==3129==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f90fe400380 at pc 0x00000057f5c2 bp 0x7ffd8da31a20 sp 0x7ffd8da31a18
WRITE of size 1 at 0x7f90fe400380 thread T0
...
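The sanitizer report above is a one-byte write landing past the end of the destination buffer while u16_u8 converts UTF-16 code units to UTF-8. As an added example (my own code, not hunspell's, with hypothetical names such as utf16_to_utf8_bounded), here is a converter of that kind that enforces the destination size on every code point, handles surrogate pairs and lone surrogates, and refuses to write when the next sequence would not fit; a sentinel helper shows the guard holding on a buffer that is too small for the constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Returned when the UTF-8 output (plus NUL) does not fit the buffer. */
#define UTF8_TRUNCATED ((size_t)-1)

/* Bytes needed to encode code point cp in UTF-8 (cp is already valid). */
static size_t utf8_len(uint32_t cp) {
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Write cp into dst; the caller guarantees utf8_len(cp) bytes of room. */
static void utf8_put(uint32_t cp, unsigned char *dst) {
    if (cp < 0x80) {
        dst[0] = (unsigned char)cp;
    } else if (cp < 0x800) {
        dst[0] = (unsigned char)(0xC0 | (cp >> 6));
        dst[1] = (unsigned char)(0x80 | (cp & 0x3F));
    } else if (cp < 0x10000) {
        dst[0] = (unsigned char)(0xE0 | (cp >> 12));
        dst[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        dst[2] = (unsigned char)(0x80 | (cp & 0x3F));
    } else {
        dst[0] = (unsigned char)(0xF0 | (cp >> 18));
        dst[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
        dst[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        dst[3] = (unsigned char)(0x80 | (cp & 0x3F));
    }
}

/* Convert n UTF-16 code units into NUL-terminated UTF-8 in dst[dstsz].
 * Returns bytes written (excluding the NUL) or UTF8_TRUNCATED; never
 * writes at or past dst + dstsz. A lone or mismatched surrogate becomes
 * U+FFFD rather than being emitted as an invalid sequence.
 * Hypothetical name; not the hunspell API. */
size_t utf16_to_utf8_bounded(const uint16_t *src, size_t n,
                             char *dst, size_t dstsz) {
    size_t out = 0;
    if (dstsz == 0) return UTF8_TRUNCATED;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = src[i];
        if (cp >= 0xD800 && cp <= 0xDBFF) {           /* high surrogate */
            if (i + 1 < n && src[i + 1] >= 0xDC00 && src[i + 1] <= 0xDFFF) {
                cp = 0x10000 + ((cp - 0xD800) << 10) + (src[i + 1] - 0xDC00);
                i++;
            } else {
                cp = 0xFFFD;
            }
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {    /* stray low surrogate */
            cp = 0xFFFD;
        }
        size_t need = utf8_len(cp);
        /* Room left after reserving the terminator: out <= dstsz - 1 is an
         * invariant, so the subtraction cannot wrap. This is the check an
         * unbounded "keep appending" loop is missing. */
        if (need > dstsz - 1 - out) {
            dst[out] = '\0';
            return UTF8_TRUNCATED;
        }
        utf8_put(cp, (unsigned char *)dst + out);
        out += need;
    }
    dst[out] = '\0';
    return out;
}

/* Convert into the first dstsz bytes of a larger stack buffer whose byte
 * at index dstsz is a sentinel; returns 1 if the sentinel survived. */
int sentinel_intact_after_convert(const uint16_t *src, size_t n, size_t dstsz) {
    char buf[64];
    if (dstsz >= sizeof buf) return -1;
    memset(buf, 0xAA, sizeof buf);
    utf16_to_utf8_bounded(src, n, buf, dstsz);
    return (unsigned char)buf[dstsz] == 0xAA;
}

int main(void) {
    /* Constructed input: "a", U+00E9, U+20AC, then the pair for U+1F600. */
    const uint16_t in[] = { 0x0061, 0x00E9, 0x20AC, 0xD83D, 0xDE00 };
    char out[16];
    size_t len = utf16_to_utf8_bounded(in, 5, out, sizeof out);
    printf("bytes=%zu small-buffer-sentinel-intact=%d\n", len,
           sentinel_intact_after_convert(in, 5, 4));
    return 0;
}
```

The point of the design is that the size check runs per code point against the remaining room, not once on the input length: a UTF-16 unit can expand to three bytes and a surrogate pair to four, so sizing the destination by the number of input units is exactly how a fixed buffer gets overrun.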
Comment 1 (Reporter, a year ago)

Created attachment 8730898
test_case.txt
Keywords: sec-high

Comment 2

a year ago
git master now passes this test under asan
Depends on: 1257902

Tyson, can we figure out how to update this so we get this fix? Thanks.
Flags: needinfo?(twsmith)

Oh, never mind, I see the dependent bug now.
Flags: needinfo?(twsmith)

Should be fixed on trunk by bug 1257902.
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox49: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Group: dom-core-security → core-security-release

status-firefox46: --- → wontfix
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → wontfix
status-firefox-esr45: --- → fixed
tracking-firefox-esr45: --- → 47+
Depends on: 1269941

Updated

11 months ago
Whiteboard: [adv-main47+][adv-esr45.2+]
Whiteboard: [adv-main47+][adv-esr45.2+] → [adv-main47+][adv-esr45.2+][post-critsmash-triage]
Group: core-security-release