graphite2: heap-buffer-overflow read in [@graphite2::KernCollider::mergeSlot]

RESOLVED FIXED

Status

()

Core
Graphics: Text
--
critical
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: tsmith, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

unspecified
crash, csectype-bounds, sec-audit, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox45 disabled, firefox46 fixed, firefox47 fixed, firefox48 fixed, firefox-esr3846+ disabled, firefox-esr4546+ disabled)

Details

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Created attachment 8732261 [details]
call_stack.txt

This was found while fuzzing graphite2 revision d2f5be53a856e4252a7a26d7f2a40e03b7ea665e (>1.3.7)

To reproduce run:
./gr2fonttest test_case.ttf -auto -demand
(Reporter)

Comment 1

2 years ago
Created attachment 8732262 [details]
test_case.ttf
(Reporter)

Comment 2

2 years ago
Marking as sec-audit since I believe this was introduced after 1.3.7 (latest included version in Firefox)
Keywords: sec-audit

Comment 3

2 years ago
Fixed? in 0c26852419dcacd76d21f066fba339908df636f0. This was a transitionary bug, introduced within the last couple of commits and now fixed. So could never be exploited.
(Reporter)

Comment 4

2 years ago
Verified with graphite revision 0c26852419dcacd76d21f066fba339908df636f0
(Reporter)

Updated

2 years ago
Depends on: 1262846
(Reporter)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated to 1.3.8 on all the relevant branches including ESRs
status-firefox45: --- → wontfix
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → fixed
status-firefox-esr45: --- → fixed
tracking-firefox-esr38: --- → 46+
tracking-firefox-esr45: --- → 46+
status-firefox45: wontfix → disabled
status-firefox-esr38: fixed → disabled
status-firefox-esr45: fixed → disabled
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.