graphite2: AddressSanitizer: heap-use-after-free graphite2::TtfUtil::LocaLookup(unsigned short, void const*, unsigned int, void const*) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/TtfUtil.cpp:1213

Status: RESOLVED INVALID
Reporter: munozferna (Unassigned)
Tracking: Trunk; keywords csectype-uaf, sec-high
Attachments: 1 attachment (438.52 KB, application/x-font-ttf)

(Reporter)

Description

2 years ago
Created attachment 8734579 [details]
1.ttf

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160317093430

Steps to reproduce:

1. Compile graphite2 (1.3.6) with ASAN
2. ./gr2fonttest reports/1.ttf
3. ASAN reports heap-use-after-free

Actual results:

fmunozs@fuzzilla:~/graphitedbg/graphite2-1.3.6/asan/gr2fonttest$ ./gr2fonttest reports/1.ttf 
=================================================================
==10571==ERROR: AddressSanitizer: heap-use-after-free on address 0xb46017f2 at pc 0xb719adea bp 0xbfe5b778 sp 0xbfe5b768
READ of size 2 at 0xb46017f2 thread T0
    #0 0xb719ade9 in graphite2::TtfUtil::LocaLookup(unsigned short, void const*, unsigned int, void const*) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/TtfUtil.cpp:1213
    #1 0xb715b9c1 in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/GlyphCache.cpp:258
    #2 0xb71601b3 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/GlyphCache.cpp:118
    #3 0xb71561b9 in graphite2::Face::readGlyphs(unsigned int) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/Face.cpp:98
    #4 0xb711a543 in load_face /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:54
    #5 0xb711a543 in gr_make_face_with_ops /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:89
    #6 0xb711b405 in gr_make_file_face /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:242
    #7 0x804c240 in Parameters::testFileFont() const /home/fmunozs/graphitedbg/graphite2-1.3.6/gr2fonttest/gr2FontTest.cpp:618
    #8 0x8049e8b in main /home/fmunozs/graphitedbg/graphite2-1.3.6/gr2fonttest/gr2FontTest.cpp:770
    #9 0xb6de0645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #10 0x804a04f  (/home/fmunozs/graphitedbg/graphite2-1.3.6/asan/gr2fonttest/gr2fonttest+0x804a04f)

0xb46017f2 is located 50 bytes inside of 54-byte region [0xb46017c0,0xb46017f6)
freed by thread T0 here:
    #0 0xb72469f4 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x969f4)
    #1 0xb719ba23 in graphite2::FileFace::rel_table_fn(void const*, void const*) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/FileFace.cpp:109
    #2 0xb71558d9 in graphite2::Face::Table::releaseBuffers() /home/fmunozs/graphitedbg/graphite2-1.3.6/src/Face.cpp:298
    #3 0xb71558d9 in graphite2::Face::Table::~Table() /home/fmunozs/graphitedbg/graphite2-1.3.6/src/inc/Face.h:208
    #4 0xb71558d9 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/Face.cpp:285
    #5 0xb715b4fc in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/GlyphCache.cpp:248
    #6 0xb71601b3 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/GlyphCache.cpp:118
    #7 0xb71561b9 in graphite2::Face::readGlyphs(unsigned int) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/Face.cpp:98
    #8 0xb711a543 in load_face /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:54
    #9 0xb711a543 in gr_make_face_with_ops /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:89
    #10 0xb711b405 in gr_make_file_face /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:242
    #11 0x804c240 in Parameters::testFileFont() const /home/fmunozs/graphitedbg/graphite2-1.3.6/gr2fonttest/gr2FontTest.cpp:618
    #12 0x8049e8b in main /home/fmunozs/graphitedbg/graphite2-1.3.6/gr2fonttest/gr2FontTest.cpp:770
    #13 0xb6de0645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)

previously allocated by thread T0 here:
    #0 0xb7246d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0xb719bc2e in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned int*) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/FileFace.cpp:94
    #2 0xb715562f in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/Face.cpp:280
    #3 0xb715b4fc in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/GlyphCache.cpp:248
    #4 0xb71601b3 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/GlyphCache.cpp:118
    #5 0xb71561b9 in graphite2::Face::readGlyphs(unsigned int) /home/fmunozs/graphitedbg/graphite2-1.3.6/src/Face.cpp:98
    #6 0xb711a543 in load_face /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:54
    #7 0xb711a543 in gr_make_face_with_ops /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:89
    #8 0xb711b405 in gr_make_file_face /home/fmunozs/graphitedbg/graphite2-1.3.6/src/gr_face.cpp:242
    #9 0x804c240 in Parameters::testFileFont() const /home/fmunozs/graphitedbg/graphite2-1.3.6/gr2fonttest/gr2FontTest.cpp:618
    #10 0x8049e8b in main /home/fmunozs/graphitedbg/graphite2-1.3.6/gr2fonttest/gr2FontTest.cpp:770
    #11 0xb6de0645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)

SUMMARY: AddressSanitizer: heap-use-after-free /home/fmunozs/graphitedbg/graphite2-1.3.6/src/TtfUtil.cpp:1213 graphite2::TtfUtil::LocaLookup(unsigned short, void const*, unsigned int, void const*)
Shadow bytes around the buggy address:
  0x368c02a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c02b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c02c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c02d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c02e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x368c02f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fa
  0x368c0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c0310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c0320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c0330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c0340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==10571==ABORTING

Expected results:

No crash.
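The two stacks in the report place the release of the table buffer inside the table constructor itself (Face.cpp:285, Table::Table calling ~Table and releaseBuffers on the buffer allocated at Face.cpp:280), while the glyph loader goes on to read that buffer in LocaLookup (TtfUtil.cpp:1213). The C program below is an added example, not graphite2 code, that models this pattern with a hypothetical table wrapper: the vulnerable variant frees the buffer when validation fails but leaves the pointer set, so the consumer's NULL check passes and it would read freed memory; the hardened variant clears the pointer and size so the consumer bails out. The table layout (16-bit count followed by 16-bit offsets), the function names and the sample bytes are all constructed for the example.

```c
/* Added example modelling the use-after-free pattern in the ASan trace.
 * Not graphite2 code: table format, names and sample data are invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical table: big-endian 16-bit offset count, then 16-bit offsets. */
typedef struct {
    uint8_t *p;   /* table bytes, or NULL when no table is available */
    size_t   sz;
} table_t;

/* Constructed sample input: a consistent table and a truncated one. */
static const uint8_t VALID_TABLE[]  = {0x00, 0x03, 0x00, 0x00, 0x00, 0x10, 0x00, 0x20};
static const uint8_t BROKEN_TABLE[] = {0x00, 0x03, 0x00, 0x00}; /* claims 3 offsets, has 1 */

/* Stands in for the get_table callback: hands back a fresh heap copy. */
static uint8_t *load_table(const uint8_t *src, size_t n, size_t *out_sz) {
    uint8_t *buf = malloc(n);
    if (!buf) return NULL;
    memcpy(buf, src, n);
    *out_sz = n;
    return buf;
}

/* Structural check: the declared offset count must fit in the buffer. */
static int check_table(const uint8_t *p, size_t sz) {
    if (sz < 2) return 0;
    size_t count = ((size_t)p[0] << 8) | p[1];
    return sz >= 2 + count * 2;
}

/* Vulnerable wrapper: releases the buffer on a failed check but keeps the
 * stale pointer, exactly the state a later NULL check cannot detect. */
static table_t table_open_vuln(const uint8_t *src, size_t n) {
    table_t t = {NULL, 0};
    t.p = load_table(src, n, &t.sz);
    if (t.p && !check_table(t.p, t.sz))
        free(t.p);            /* buffer gone, t.p still non-NULL */
    return t;
}

/* Hardened wrapper: releasing the buffer also resets what callers test. */
static table_t table_open_fixed(const uint8_t *src, size_t n) {
    table_t t = {NULL, 0};
    t.p = load_table(src, n, &t.sz);
    if (t.p && !check_table(t.p, t.sz)) {
        free(t.p);
        t.p = NULL;
        t.sz = 0;
    }
    return t;
}

/* Consumer in the style of a glyph loader: skips absent tables, otherwise
 * returns the offset for a glyph index, or -1 when out of range. */
static long loca_lookup(const table_t *t, size_t glyph) {
    if (!t->p) return -1;     /* the check a dangling pointer slips past */
    size_t count = ((size_t)t->p[0] << 8) | t->p[1];
    if (glyph >= count) return -1;
    return ((long)t->p[2 + glyph * 2] << 8) | t->p[3 + glyph * 2];
}

/* Reports whether the truncated table would reach the dereference in
 * loca_lookup. The freed buffer is never read here; only the pointer value
 * is inspected, which is what the NULL check in the consumer does. */
static int broken_table_reaches_lookup(int hardened) {
    table_t t = hardened ? table_open_fixed(BROKEN_TABLE, sizeof BROKEN_TABLE)
                         : table_open_vuln(BROKEN_TABLE, sizeof BROKEN_TABLE);
    int reaches = t.p != NULL;
    if (hardened) free(t.p);  /* NULL here; the vulnerable path already freed */
    return reaches;
}

/* Happy path through the hardened wrapper. */
static long valid_table_lookup(size_t glyph) {
    table_t t = table_open_fixed(VALID_TABLE, sizeof VALID_TABLE);
    long r = loca_lookup(&t, glyph);
    free(t.p);
    return r;
}

int main(void) {
    printf("vulnerable wrapper, truncated table: lookup %s\n",
           broken_table_reaches_lookup(0) ? "reached (reads freed memory)" : "skipped");
    printf("hardened wrapper,   truncated table: lookup %s\n",
           broken_table_reaches_lookup(1) ? "reached" : "skipped (table reported absent)");
    printf("hardened wrapper,   valid table: glyph 2 offset = 0x%lx\n",
           valid_table_lookup(2));
    return 0;
}
```

Built with `-fsanitize=address`, calling loca_lookup on the vulnerable wrapper's result would produce the same "heap-use-after-free ... freed by ... previously allocated by" report shape as the trace above; the program deliberately stops at the pointer comparison instead of performing that read.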
Comment 1

We just landed graphite version 1.3.7 on Nightly, which fixes over a dozen similar bugs. This is likely a dupe of one of those. Please re-try with the latest code. For release versions of Firefox we released an update (45.0.1/38.7.1) that disables graphite to protect against these flaws until we could get the fixes landed and integrated.
Group: core-security → gfx-core-security
Flags: needinfo?(munozferna)
Comment 2

Tyson: the signature isn't quite the same as bug 1252138 or bug 1252411 (both mention TtfUtil), which we got fixed in 1.3.7. Please test this and see if it's something new.
Flags: needinfo?(twsmith)
Keywords: csectype-uaf, sec-high
Comment 3

Hi Fernando, thanks for the report. I am unable to reproduce this on a 64-bit ASan build with the latest graphite2 revision (c1c491ecf937aa744f4803e3d3a24e4f0001025d):

./gr2fonttest 1259629.ttf
Invalid font, failed to read or parse tables

Could you provide any more details to help us reproduce this issue? Also, please verify that you are testing the latest revision of graphite2. Did you use any additional flags when running gr2fonttest?
Flags: needinfo?(twsmith)
(Reporter)

Comment 4

2 years ago
This seems to have been fixed in graphite2 1.3.7 indeed; I just tested it. Sorry for the noise!
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(munozferna)
Resolution: --- → INVALID
Group: gfx-core-security