Closed
Bug 1260469
Opened 9 years ago
Closed 9 years ago
graphite2: division by zero in [@graphite2::Segment::justify]
Categories: Core :: Graphics: Text, defect
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, sec-audit, testcase)
Attachments
(1 file)
5.16 KB,
application/x-font-ttf
This was found while fuzzing graphite2 revision 56671221b974024dd96cc9c6f592678ee6d24841 (>1.3.7)
I do not believe this affects Firefox but if I am wrong please let me know.
To reproduce run:
./gr2fonttest test_case.ttf -auto -j 10
/home/user/code/graphite/src/Justifier.cpp:146:27: runtime error: division by zero
#0 0x7f174c315c7e in graphite2::Segment::justify(graphite2::Slot*, graphite2::Font const*, float, graphite2::justFlags, graphite2::Slot*, graphite2::Slot*) /home/user/code/graphite/src/Justifier.cpp:146:27
#1 0x7f174c29394b in gr_seg_justify /home/user/code/graphite/src/gr_segment.cpp:167:12
#2 0x4ea861 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:702:32
#3 0x4ec389 in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:797:9
#4 0x7f174be7bec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
#5 0x41ace5 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41ace5)
Comment 1•9 years ago
Sorry. I'm having trouble reproducing this error. Passes for me for 64 bit release and asan debug build.
Reporter
Comment 2•9 years ago
This was caught by UBSan (sorry I didn't really make that clear), although it should likely trigger an FPE without UBSan. On the other hand UBSan is really good at catching things that get optimized out or removed by compilers in some situations.
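The crash above sits in a justification routine, where the divisor is typically a count derived from the font and text (for example, the number of slots that may be stretched) and can therefore be zero for some inputs. The following is an added illustration, not graphite2's code: a toy line-justification function with hypothetical names (`Slot`, `justify_line`) that shows the data-derived divisor, the guard that refuses to justify when no slot is stretchable, and the sanitizer flag that reports the unguarded case.

```c
/* Added example (not graphite2 source): a toy justifier that distributes
 * extra line width across stretchable glyph slots. Compile with
 *   cc -fsanitize=undefined toy_justify.c
 * and the integer-divide-by-zero check of UBSan reports the division if
 * the guard below is removed; without the sanitizer an integer division
 * by zero traps (SIGFPE) on x86, as Comment 2 expects. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    int32_t advance;      /* glyph advance width, in font units (constructed) */
    int     stretchable;  /* 1 if justification may widen this slot */
} Slot;

/* Sum of the advances of a line; used to check the result. */
int32_t line_width(const Slot *slots, size_t n)
{
    int32_t width = 0;
    for (size_t i = 0; i < n; i++)
        width += slots[i].advance;
    return width;
}

/* Widen stretchable slots so the line reaches target_width.
 * Returns 0 on success, -1 when nothing can be stretched: that is the
 * input for which an unguarded "extra / stretch_count" divides by zero. */
int justify_line(Slot *slots, size_t n, int32_t target_width)
{
    size_t stretch_count = 0;
    for (size_t i = 0; i < n; i++)
        if (slots[i].stretchable)
            stretch_count++;

    int32_t extra = target_width - line_width(slots, n);
    if (extra <= 0)
        return 0;                 /* already wide enough; nothing to do */
    if (stretch_count == 0)
        return -1;                /* guard: divisor comes from the data */

    int32_t per_slot  = extra / (int32_t)stretch_count;
    int32_t remainder = extra % (int32_t)stretch_count;
    for (size_t i = 0; i < n; i++) {
        if (!slots[i].stretchable)
            continue;
        slots[i].advance += per_slot;
        if (remainder > 0) {      /* hand out leftover units one at a time */
            slots[i].advance++;
            remainder--;
        }
    }
    return 0;
}

/* Constructed sample lines exercising both paths. */
int demo_stretchable_line(void)
{
    Slot line[3] = { {100, 1}, {50, 0}, {100, 1} };
    if (justify_line(line, 3, 300) != 0)
        return -1;
    return line_width(line, 3);   /* 300: 125 + 50 + 125 */
}

int demo_rigid_line(void)
{
    Slot line[2] = { {100, 0}, {100, 0} };
    return justify_line(line, 2, 300);   /* -1: refused, no division */
}
```

The guard is the whole fix pattern: a divisor that the input controls is validated before the division, and the caller gets an explicit "cannot justify" result instead of a trap or undefined behaviour.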
Comment 3•9 years ago
Fixed? d7eed89e1d681c68b0bfe7cb8b73c89964b8f086 (unable to test). This isn't a Firefox problem.
Reporter
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
Group: gfx-core-security → core-security-release
Comment 4•9 years ago
Graphite2 has been updated to 1.3.8 on all the relevant branches including ESRs
status-firefox45:
--- → wontfix
status-firefox46:
--- → fixed
status-firefox47:
--- → fixed
status-firefox48:
--- → fixed
status-firefox-esr38:
--- → fixed
status-firefox-esr45:
--- → fixed
tracking-firefox-esr38:
--- → 46+
tracking-firefox-esr45:
--- → 46+
Updated•8 years ago
Group: core-security-release