Closed
Bug 1257907
Opened 8 years ago
Closed 8 years ago
graphite2: heap-buffer-overflow read in [@graphite2::KernCollider::mergeSlot]
Categories
(Core :: Graphics: Text, defect)
Core
Graphics: Text
Tracking
()
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords)
Attachments
(2 files)
This was found while fuzzing graphite2 revision d2f5be53a856e4252a7a26d7f2a40e03b7ea665e (>1.3.7) To reproduce run: ./gr2fonttest test_case.ttf -auto -demand
Reporter | ||
Comment 1•8 years ago
|
||
Reporter | ||
Comment 2•8 years ago
|
||
Marking as sec-audit since I believe this was introduced after 1.3.7 (latest included version in Firefox)
Keywords: sec-audit
Comment 3•8 years ago
|
||
Fixed? in 0c26852419dcacd76d21f066fba339908df636f0. This was a transitionary bug, introduced within the last couple of commits and now fixed. So could never be exploited.
Reporter | ||
Comment 4•8 years ago
|
||
Verified with graphite revision 0c26852419dcacd76d21f066fba339908df636f0
Reporter | ||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
|
Group: gfx-core-security → core-security-release
Comment 5•8 years ago
|
||
Graphite2 has been updated to 1.3.8 on all the relevant branches including ESRs
status-firefox45:
--- → wontfix
status-firefox46:
--- → fixed
status-firefox47:
--- → fixed
status-firefox48:
--- → fixed
status-firefox-esr38:
--- → fixed
status-firefox-esr45:
--- → fixed
tracking-firefox-esr38:
--- → 46+
tracking-firefox-esr45:
--- → 46+
Updated•8 years ago
|
Updated•8 years ago
|
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•