Closed Bug 1260328 Opened 8 years ago Closed 8 years ago

graphite2: SEGV near null in [@graphite2::Slot::setJustify]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
firefox45 --- disabled
firefox46 --- fixed
firefox47 --- fixed
firefox48 --- fixed
firefox-esr38 46+ disabled
firefox-esr45 46+ disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

57.49 KB, application/x-font-ttf
Details
Attached file test_case.ttf
This was found while fuzzing graphite2 revision c1c491ecf937aa744f4803e3d3a24e4f0001025d (>1.3.7)

I do not believe this affects Firefox but if I am wrong please let me know.

To reproduce run:
./gr2fonttest test_case.ttf -auto -j 10

==10128==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x7f9c6bca4e15 bp 0x7fff9acf24d0 sp 0x7fff9acf2480 T0)
    #0 0x7f9c6bca4e14 in graphite2::Slot::setJustify(graphite2::Segment*, unsigned char, unsigned char, short) /home/user/code/graphite/src/Slot.cpp:403:10
    #1 0x7f9c6bc6aa5e in graphite2::Segment::justify(graphite2::Slot*, graphite2::Font const*, float, graphite2::justFlags, graphite2::Slot*, graphite2::Slot*) /home/user/code/graphite/src/Justifier.cpp:118:17
    #2 0x7f9c6bc17903 in gr_seg_justify /home/user/code/graphite/src/gr_segment.cpp:167:12
    #3 0x4e7e61 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:702:32
    #4 0x4e8f7f in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:797:9
    #5 0x7f9c6b859ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #6 0x41a5a5 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41a5a5)
Fixed? in 41c93e9c659c2a75b21fb5bfc9d32d85704018e5
Verified with graphite revision 56671221b974024dd96cc9c6f592678ee6d24841
Depends on: 1262846
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated to 1.3.8 on all the relevant branches including ESRs
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.