Bug 1294575 - freetype2: heap-buffer-overflow read [@Ins_FLIPPT]
Status: RESOLVED FIXED (closed)
Opened 8 years ago; closed 8 years ago
Product / Component: Core :: Graphics: Text (defect)

Tracking | Status
---|---
firefox51 | affected

Reporter: tsmith; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: crash, csectype-bounds, testcase
Attachments: 2 files
This was found while fuzzing freetype revision: dce554b1bd7fb78b5ee7a80f1726b8641d7cd677 (>2.6.5)
==10566==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001c7f8 at pc 0x7f87d75ab6d4 bp 0x7ffcd94c62b0 sp 0x7ffcd94c62a8
READ of size 8 at 0x63300001c7f8 thread T0
#0 0x7f87d75ab6d3 in Ins_FLIPPT /home/user/code/freetype2/src/truetype/ttinterp.c:5197:26
#1 0x7f87d75ab6d3 in TT_RunIns /home/user/code/freetype2/src/truetype/ttinterp.c:8143
#2 0x7f87d75d2dea in tt_size_run_fpgm /home/user/code/freetype2/src/truetype/ttobjs.c:829:15
#3 0x7f87d75d2dea in tt_size_init_bytecode /home/user/code/freetype2/src/truetype/ttobjs.c:1066
#4 0x7f87d75d2dea in tt_size_ready_bytecode /home/user/code/freetype2/src/truetype/ttobjs.c:1085
#5 0x7f87d75d2dea in tt_loader_init /home/user/code/freetype2/src/truetype/ttgload.c:2288
#6 0x7f87d757eb76 in TT_Load_Glyph /home/user/code/freetype2/src/truetype/ttgload.c:2645:13
#7 0x7f87d757eb76 in tt_glyph_load /home/user/code/freetype2/src/truetype/ttdriver.c:424
#8 0x7f87d74d03de in FT_Load_Glyph /home/user/code/freetype2/src/base/ftobjs.c:742:15
#9 0x4ea5ca in TestFace /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:105:12
#10 0x4ea5ca in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:143
#11 0x4ea5ca in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
#12 0x7f87d659882f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#13 0x418a98 in _start (/home/user/workspace/freetype2/ftrandom+0x418a98)
Comment 1 • 8 years ago (Reporter)

Comment 2 • 8 years ago
Thanks for the report. This should already be fixed with the next commit after the one you have been testing. Please test.
Comment 3 • 8 years ago (Reporter)
Thanks. Looks good now. I tested with freetype revision 125f2b63a503ecb1f78f86b4ebfb0303c0a46788.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated • 8 years ago
Group: gfx-core-security → core-security-release
Updated • 5 years ago
Group: core-security-release