Created attachment 8735909 [details]
test_case.ttf

This was found while fuzzing graphite2 revision 56671221b974024dd96cc9c6f592678ee6d24841 (>1.3.7)

I do not believe this affects Firefox but if I am wrong please let me know.

To reproduce run:
./gr2fonttest test_case.ttf -auto -j 10

/home/user/code/graphite/src/Justifier.cpp:146:27: runtime error: division by zero
    #0 0x7f174c315c7e in graphite2::Segment::justify(graphite2::Slot*, graphite2::Font const*, float, graphite2::justFlags, graphite2::Slot*, graphite2::Slot*) /home/user/code/graphite/src/Justifier.cpp:146:27
    #1 0x7f174c29394b in gr_seg_justify /home/user/code/graphite/src/gr_segment.cpp:167:12
    #2 0x4ea861 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:702:32
    #3 0x4ec389 in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:797:9
    #4 0x7f174be7bec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #5 0x41ace5 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41ace5)
Sorry. I'm having trouble reproducing this error. Passes for me for 64 bit release and asan debug build.
This was caught by UBSan (sorry I didn't really make that clear), although it should likely trigger an FPE without UBSan. On the other hand UBSan is really good at catching things that get optimized out or removed by compilers in some situations.
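The bug class behind this report, as an added illustration that is not graphite2's code and does not reproduce the actual Justifier.cpp logic (the report above does not show it): a justifier spreads extra line width over the glyphs that may stretch, so the per-glyph share is `extra / count`, and `count` comes from untrusted input (the font's tables and the text being shaped). A font or string that yields zero stretchable glyphs makes the divisor zero. The names (`Glyph`, `stretch_line_unguarded`, `stretch_line_guarded`) and the sample lines are hypothetical constructions for this example.

```cpp
// Added example (hypothetical, not graphite2 code): an unguarded and a
// guarded version of "distribute extra width across stretchable glyphs".
#include <cstddef>
#include <vector>

struct Glyph {
    int width;         // advance width in font units
    bool stretchable;  // may absorb justification space (e.g. a space glyph)
};

// Number of glyphs that may absorb extra width. Zero is a legitimate
// value for real input: a line with no spaces, or a font whose tables
// mark nothing as stretchable.
static int stretchable_count(const std::vector<Glyph>& line) {
    int n = 0;
    for (const Glyph& g : line) {
        if (g.stretchable) ++n;
    }
    return n;
}

// Unguarded: `extra / count` runs unconditionally. With count == 0 this is
// undefined behaviour; the integer divide traps with SIGFPE on x86, and a
// -fsanitize=undefined build reports "runtime error: division by zero".
// Because the divide tells the optimizer count != 0, a check placed after
// it may be silently removed, which is why UBSan catches cases a later
// `if (count == 0)` would not.
int stretch_line_unguarded(std::vector<Glyph>& line, int extra) {
    int count = stretchable_count(line);
    int share = extra / count;  // UB when count == 0
    for (Glyph& g : line) {
        if (g.stretchable) g.width += share;
    }
    return share;
}

// Guarded: treat "nothing to stretch" as a normal outcome and return
// before dividing. Returns the share added to each stretchable glyph
// (0 when there are none, leaving the widths untouched).
int stretch_line_guarded(std::vector<Glyph>& line, int extra) {
    int count = stretchable_count(line);
    if (count == 0) {
        return 0;
    }
    int share = extra / count;
    for (Glyph& g : line) {
        if (g.stretchable) g.width += share;
    }
    return share;
}

// Total advance of a line, used to check the result of justification.
int line_width(const std::vector<Glyph>& line) {
    int total = 0;
    for (const Glyph& g : line) total += g.width;
    return total;
}
```

To see the difference the reporter describes, build with `g++ -std=c++11 -fsanitize=undefined -fno-sanitize-recover=all` and call `stretch_line_unguarded` on a line with no stretchable glyph: UBSan aborts at the divide with the same "division by zero" message as in the report, whereas an optimized build without the sanitizer may trap with SIGFPE or, if the check sits after the divide, behave as though it had passed.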
Fixed? d7eed89e1d681c68b0bfe7cb8b73c89964b8f086 (unable to test). This isn't a firefox problem.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated to 1.3.8 on all the relevant branches including ESRs
status-firefox45: --- → wontfix
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → fixed
status-firefox-esr45: --- → fixed
tracking-firefox-esr38: --- → 46+
tracking-firefox-esr45: --- → 46+
status-firefox-esr38: fixed → disabled
status-firefox-esr45: fixed → disabled