Closed Bug 1260295 Opened 8 years ago Closed 8 years ago

graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
firefox45 --- disabled
firefox46 --- fixed
firefox47 --- fixed
firefox48 --- fixed
firefox-esr38 46+ disabled
firefox-esr45 46+ disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

49.57 KB, application/x-font-ttf
Details
Attached file test_case.ttf
This was found while fuzzing graphite2 revision c1c491ecf937aa744f4803e3d3a24e4f0001025d (>1.3.7)

I do not believe this affects Firefox but if I am wrong please let me know.

To reproduce run:
./gr2fonttest test_case.ttf -auto -j 10


==61113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000017728 at pc 0x7fb916c4398f bp 0x7ffc31e291d0 sp 0x7ffc31e291c8
READ of size 8 at 0x61c000017728 thread T0
    #0 0x7fb916c4398e in graphite2::GlyphCache::glyph(unsigned short) const /home/user/code/graphite/src/GlyphCache.cpp:215:9
    #1 0x7fb916c4d30a in graphite2::Segment::theGlyphBBoxTemporary(unsigned short) const /home/user/code/graphite/src/inc/Segment.h:147:66
    #2 0x7fb916c4d30a in graphite2::Segment::justify(graphite2::Slot*, graphite2::Font const*, float, graphite2::justFlags, graphite2::Slot*, graphite2::Slot*) /home/user/code/graphite/src/Justifier.cpp:89
    #3 0x7fb916bfa903 in gr_seg_justify /home/user/code/graphite/src/gr_segment.cpp:167:12
    #4 0x4e7e61 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:702:32
    #5 0x4e8f7f in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:797:9
    #6 0x7fb91683cec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #7 0x41a5a5 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41a5a5)
Fixed? in 3ac24fb4ac13de4b61d3741abb1846bfb5e71e0e. In theory this bug could trigger, but not sure how.
Verified with graphite revision 56671221b974024dd96cc9c6f592678ee6d24841
Depends on: 1262846
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated to 1.3.8 on all the relevant branches including ESRs
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.