Closed Bug 1259493 Opened 8 years ago Closed 8 years ago

graphite2: UBSan left shift cannot be represented in type 'int' in [@graphite2::Pass::readStates]

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox45 --- disabled
firefox46 --- fixed
firefox47 --- fixed
firefox48 --- fixed
firefox-esr38 46+ disabled
firefox-esr45 46+ disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-audit, testcase, Whiteboard: gfx-noted)

Attachments

(1 file)

test_case.ttf
666.94 KB, application/x-font-ttf
Details
Attached file test_case.ttf 
This was found while fuzzing graphite2 revision c1c491ecf937aa744f4803e3d3a24e4f0001025d (>1.3.7)

This issue was uncovered using Undefined Behavior Sanitizer (UBSan). More information can be found here: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html.

NOTE: This is test case works with a 32-bit build.

To reproduce:
Build 32-bit with UBSan enabled.
run: ./gr2fonttest test_case.ttf -auto -demand

/home/user/code/graphite/src/Pass.cpp:342:118: runtime error: left shift of 314 by 24 places cannot be represented in type 'int'
    #0 0xf751ba47 in graphite2::Pass::readStates(unsigned char const*, unsigned char const*, unsigned char const*, graphite2::Face&, graphite2::Error&) /home/user/code/graphite/src/Pass.cpp:330:102
    #1 0xf7513a29 in graphite2::Pass::readPass(unsigned char const*, unsigned int, unsigned int, graphite2::Face&, graphite2::passtype, unsigned int, graphite2::Error&) /home/user/code/graphite/src/Pass.cpp:208:25
    #2 0xf7553574 in graphite2::Silf::readGraphite(unsigned char const*, unsigned int, graphite2::Face&, unsigned int) /home/user/code/graphite/src/Silf.cpp:216:14
    #3 0xf74d8ca2 in graphite2::Face::readGraphite(graphite2::Face::Table const&) /home/user/code/graphite/src/Face.cpp:149:14
    #4 0xf7472d3f in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /home/user/code/graphite/src/gr_face.cpp:59:42
    #5 0xf7475caa in gr_make_face_with_ops /home/user/code/graphite/src/gr_face.cpp:89:16
    #6 0xf7475caa in gr_make_file_face /home/user/code/graphite/src/gr_face.cpp:242
    #7 0x8150e33 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:639:20
    #8 0x8153cd4 in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:797:9
    #9 0xf72a0a82 in __libc_start_main /build/eglibc-617sU_/eglibc-2.19/csu/libc-start.c:287
    #10 0x805f13f in _start (/home/user/Desktop/graphite/gr2fonttest+0x805f13f)
Fixed? in 60b9451316a8a8cc12396961cc8b1f2e6cc83013. This is very unlikely to occur and only results in a faulty error code that nobody uses.
Thanks Martin, fixing UBSan bugs can help us uncover other potential issues.
Verified with graphite revision 56671221b974024dd96cc9c6f592678ee6d24841
Flags: needinfo?(jfkthame)
Whiteboard: gfx-noted
We'll update to 1.3.8 shortly, which will include this fix.
Flags: needinfo?(jfkthame)
Depends on: 1262846
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated to 1.3.8 on all the relevant branches including ESRs
status-firefox45: --- → wontfix
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → fixed
status-firefox-esr45: --- → fixed
tracking-firefox-esr38: --- → 46+
tracking-firefox-esr45: --- → 46+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: