Closed Bug 1260469 Opened 8 years ago Closed 8 years ago

graphite2: division by zero in [@graphite2::Segment::justify]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
firefox45 --- disabled
firefox46 --- fixed
firefox47 --- fixed
firefox48 --- fixed
firefox-esr38 46+ disabled
firefox-esr45 46+ disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-audit, testcase)

Attachments

(1 file)

5.16 KB, application/x-font-ttf
Details
Attached file test_case.ttf
This was found while fuzzing graphite2 revision 56671221b974024dd96cc9c6f592678ee6d24841 (>1.3.7)

I do not believe this affects Firefox but if I am wrong please let me know.

To reproduce run:
./gr2fonttest test_case.ttf -auto -j 10

/home/user/code/graphite/src/Justifier.cpp:146:27: runtime error: division by zero
    #0 0x7f174c315c7e in graphite2::Segment::justify(graphite2::Slot*, graphite2::Font const*, float, graphite2::justFlags, graphite2::Slot*, graphite2::Slot*) /home/user/code/graphite/src/Justifier.cpp:146:27
    #1 0x7f174c29394b in gr_seg_justify /home/user/code/graphite/src/gr_segment.cpp:167:12
    #2 0x4ea861 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:702:32
    #3 0x4ec389 in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:797:9
    #4 0x7f174be7bec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #5 0x41ace5 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41ace5)
Sorry. I'm having trouble reproducing this error. Passes for me for 64 bit release and asan debug build.
This was caught by UBSan (sorry I didn't really make that clear), although it should likely trigger an FPE without UBSan. On the other hand UBSan is really good at catching things that get optimized out or removed by compilers in some situations.
Fixed? d7eed89e1d681c68b0bfe7cb8b73c89964b8f086 (unable to test). This isn't a firefox problem.
Depends on: 1262846
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated to 1.3.8 on all the relevant branches including ESRs
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.