Closed Bug 1324379 Opened 9 years ago Closed 9 years ago

AddressSanitizer: heap-use-after-free gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1494:25 in cairo_cff_font_write_cid_fontdict

Categories

(Core :: Graphics, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla54
Tracking Status
firefox-esr45 52+ fixed
firefox51 --- wontfix
firefox52 + fixed
firefox-esr52 --- fixed
firefox53 + fixed
firefox54 + fixed

People

(Reporter: kanru, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-bounds, csectype-uaf, sec-critical, Whiteboard: [post-critsmash-triage][gfx-noted][adv-main52+][adv-esr45.8+])

Attachments

(1 file)

ASan detected a UAF when I was trying to print page https://en.wikipedia.org/wiki/Japanese_units_of_measurement#Mass as PDF

STR:
1. Load the url
2. Print...
3. Select print to file
4. Print

The cairo used is in m-c.

The fonts used are
* Cantarell Regular
* DejaVu Sans Bold Oblique
* DejaVu Sans
* DejaVu Sans Bold
* DejaVu Sans Oblique
* Fantasque Sans Mono Regular
* FreeSerif
* Source Han Sans CN Normal
* Source Han Sans TW Normal
* TeXGyreTermes-Regular
* WenQuanYi Micro Hei
according to devtools

=================================================================
==15490==ERROR: AddressSanitizer: heap-use-after-free on address 0x62900252a1e7 at pc 0x7f43775034b6 bp 0x7fffff2c3170 sp 0x7fffff2c3168
WRITE of size 4 at 0x62900252a1e7 thread T0 (Web Content)
    #0 0x7f43775034b5 in cairo_cff_font_write_cid_fontdict /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1494:25
    #1 0x7f43774fbf7e in cairo_cff_font_write_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1631:18
    #2 0x7f43774f8316 in cairo_cff_font_generate /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1654:14
    #3 0x7f43774f8316 in _cairo_cff_subset_init /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1943
    #4 0x7f4377525444 in _cairo_pdf_surface_emit_cff_font_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4031:14
    #5 0x7f4377525444 in _cairo_pdf_surface_emit_unscaled_font_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4650
    #6 0x7f437761f37e in _cairo_sub_font_collect /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:590:30
    #7 0x7f437761f37e in _cairo_scaled_font_subsets_foreach_internal /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:904
    #8 0x7f4377518f8b in _cairo_pdf_surface_emit_font_subsets /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4704:14
    #9 0x7f4377518f8b in _cairo_pdf_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:1626
    #10 0x7f4377649820 in INT__moz_cairo_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #11 0x7f43775daa10 in _cairo_paginated_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:173:2
    #12 0x7f4377649820 in INT__moz_cairo_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #13 0x7f4370398e71 in mozilla::gfx::PrintTargetPDF::Finish() /home/kanru/mozilla/gecko/gfx/thebes/PrintTargetPDF.cpp:80:3
    #14 0x7f436fe7bd66 in nsDeviceContext::EndDocument() /home/kanru/mozilla/gecko/gfx/src/nsDeviceContext.cpp:503:9
    #15 0x7f4375901430 in nsPrintData::~nsPrintData() /home/kanru/mozilla/gecko/layout/printing/nsPrintData.cpp:77:14
    #16 0x7f4375903799 in nsPrintEngine::DestroyPrintingData() /home/kanru/mozilla/gecko/layout/printing/nsPrintEngine.cpp:274:5
    #17 0x7f4374faaf64 in nsDocumentViewer::OnDonePrinting() /home/kanru/mozilla/gecko/layout/base/nsDocumentViewer.cpp:4431:7
    #18 0x7f4375927292 in nsPrintCompletionEvent::Run() /home/kanru/mozilla/gecko/layout/printing/nsPrintEngine.cpp:3546:7
    #19 0x7f436d59365b in nsThread::ProcessNextEvent(bool, bool*) /home/kanru/mozilla/gecko/xpcom/threads/nsThread.cpp:1213:7
    #20 0x7f436d62782c in NS_ProcessNextEvent(nsIThread*, bool) /home/kanru/mozilla/gecko/xpcom/glue/nsThreadUtils.cpp:381:54
    #21 0x7f436e69ec3f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/kanru/mozilla/gecko/ipc/glue/MessagePump.cpp:96:21
    #22 0x7f436e579cc8 in MessageLoop::RunInternal() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:232:3
    #23 0x7f436e579cc8 in MessageLoop::RunHandler() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:225
    #24 0x7f436e579cc8 in MessageLoop::Run() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:205
    #25 0x7f43746e7fdf in nsBaseAppShell::Run() /home/kanru/mozilla/gecko/widget/nsBaseAppShell.cpp:156:3
    #26 0x7f4376c46fc7 in XRE_RunAppShell /home/kanru/mozilla/gecko/toolkit/xre/nsEmbedFunctions.cpp:924:12
    #27 0x7f436e579cc8 in MessageLoop::RunInternal() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:232:3
    #28 0x7f436e579cc8 in MessageLoop::RunHandler() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:225
    #29 0x7f436e579cc8 in MessageLoop::Run() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:205
    #30 0x7f4376c462fa in XRE_InitChildProcess /home/kanru/mozilla/gecko/toolkit/xre/nsEmbedFunctions.cpp:756:7
    #31 0x4f9c83 in content_process_main(int, char**) /home/kanru/mozilla/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
    #32 0x4f9c83 in main /home/kanru/mozilla/gecko/browser/app/nsBrowserApp.cpp:429
    #33 0x7f438709db44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
    #34 0x41f885 in _start (/home/kanru/mozilla/gecko/obj-x86_64-pc-linux-gnu/dist/bin/firefox+0x41f885)

0x62900252a1e7 is located 16359 bytes inside of 16384-byte region [0x629002526200,0x62900252a200)
freed by thread T0 (Web Content) here:
    #0 0x4c59e8 in realloc (/home/kanru/mozilla/gecko/obj-x86_64-pc-linux-gnu/dist/bin/firefox+0x4c59e8)
    #1 0x7f4377577edb in _cairo_array_grow_by /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-array.c:159:137
    #2 0x7f437757840d in _cairo_array_allocate /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-array.c:335:14
    #3 0x7f437757840d in _cairo_array_append_multiple /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-array.c:301
    #4 0x7f437757840d in _cairo_array_append /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-array.c:276
    #5 0x7f43775043b6 in cairo_dict_write_operator /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:628:30
    #6 0x7f43775043b6 in _cairo_dict_collect /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:647
    #7 0x7f43775b92a8 in _cairo_hash_table_foreach /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-hash.c:531:6
    #8 0x7f4377503fbc in cff_dict_write /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:666:5
    #9 0x7f43775031c6 in cairo_cff_font_write_cid_fontdict /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1490:18
    #10 0x7f43774fbf7e in cairo_cff_font_write_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1631:18
    #11 0x7f43774f8316 in cairo_cff_font_generate /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1654:14
    #12 0x7f43774f8316 in _cairo_cff_subset_init /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1943
    #13 0x7f4377525444 in _cairo_pdf_surface_emit_cff_font_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4031:14
    #14 0x7f4377525444 in _cairo_pdf_surface_emit_unscaled_font_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4650
    #15 0x7f437761f37e in _cairo_sub_font_collect /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:590:30
    #16 0x7f437761f37e in _cairo_scaled_font_subsets_foreach_internal /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:904
    #17 0x7f4377518f8b in _cairo_pdf_surface_emit_font_subsets /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4704:14
    #18 0x7f4377518f8b in _cairo_pdf_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:1626
    #19 0x7f4377649820 in INT__moz_cairo_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #20 0x7f43775daa10 in _cairo_paginated_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:173:2
    #21 0x7f4377649820 in INT__moz_cairo_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #22 0x7f4370398e71 in mozilla::gfx::PrintTargetPDF::Finish() /home/kanru/mozilla/gecko/gfx/thebes/PrintTargetPDF.cpp:80:3
    #23 0x7f436fe7bd66 in nsDeviceContext::EndDocument() /home/kanru/mozilla/gecko/gfx/src/nsDeviceContext.cpp:503:9
    #24 0x7f4375901430 in nsPrintData::~nsPrintData() /home/kanru/mozilla/gecko/layout/printing/nsPrintData.cpp:77:14
    #25 0x7f4375903799 in nsPrintEngine::DestroyPrintingData() /home/kanru/mozilla/gecko/layout/printing/nsPrintEngine.cpp:274:5
    #26 0x7f4374faaf64 in nsDocumentViewer::OnDonePrinting() /home/kanru/mozilla/gecko/layout/base/nsDocumentViewer.cpp:4431:7
    #27 0x7f4375927292 in nsPrintCompletionEvent::Run() /home/kanru/mozilla/gecko/layout/printing/nsPrintEngine.cpp:3546:7
    #28 0x7f436d59365b in nsThread::ProcessNextEvent(bool, bool*) /home/kanru/mozilla/gecko/xpcom/threads/nsThread.cpp:1213:7
    #29 0x7f436d62782c in NS_ProcessNextEvent(nsIThread*, bool) /home/kanru/mozilla/gecko/xpcom/glue/nsThreadUtils.cpp:381:54
    #30 0x7f436e69ec3f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/kanru/mozilla/gecko/ipc/glue/MessagePump.cpp:96:21
    #31 0x7f436e579cc8 in MessageLoop::RunInternal() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:232:3
    #32 0x7f436e579cc8 in MessageLoop::RunHandler() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:225
    #33 0x7f436e579cc8 in MessageLoop::Run() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:205
    #34 0x7f43746e7fdf in nsBaseAppShell::Run() /home/kanru/mozilla/gecko/widget/nsBaseAppShell.cpp:156:3
    #35 0x7f4376c46fc7 in XRE_RunAppShell /home/kanru/mozilla/gecko/toolkit/xre/nsEmbedFunctions.cpp:924:12
    #36 0x7f436e579cc8 in MessageLoop::RunInternal() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:232:3
    #37 0x7f436e579cc8 in MessageLoop::RunHandler() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:225
    #38 0x7f436e579cc8 in MessageLoop::Run() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:205
    #39 0x7f4376c462fa in XRE_InitChildProcess /home/kanru/mozilla/gecko/toolkit/xre/nsEmbedFunctions.cpp:756:7
    #40 0x4f9c83 in content_process_main(int, char**) /home/kanru/mozilla/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
    #41 0x4f9c83 in main /home/kanru/mozilla/gecko/browser/app/nsBrowserApp.cpp:429

previously allocated by thread T0 (Web Content) here:
    #0 0x4c59e8 in realloc (/home/kanru/mozilla/gecko/obj-x86_64-pc-linux-gnu/dist/bin/firefox+0x4c59e8)
    #1 0x7f4377577edb in _cairo_array_grow_by /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-array.c:159:137
    #2 0x7f43775785fe in _cairo_array_allocate /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-array.c:335:14
    #3 0x7f43775785fe in _cairo_array_append_multiple /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-array.c:301
    #4 0x7f4377503c50 in cff_index_write /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:373:18
    #5 0x7f43774fbf6e in cairo_cff_font_write_charstrings /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1461:12
    #6 0x7f43774fbf6e in cairo_cff_font_write_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1631
    #7 0x7f43774f8316 in cairo_cff_font_generate /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1654:14
    #8 0x7f43774f8316 in _cairo_cff_subset_init /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1943
    #9 0x7f4377525444 in _cairo_pdf_surface_emit_cff_font_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4031:14
    #10 0x7f4377525444 in _cairo_pdf_surface_emit_unscaled_font_subset /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4650
    #11 0x7f437761f37e in _cairo_sub_font_collect /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:590:30
    #12 0x7f437761f37e in _cairo_scaled_font_subsets_foreach_internal /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:904
    #13 0x7f4377518f8b in _cairo_pdf_surface_emit_font_subsets /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4704:14
    #14 0x7f4377518f8b in _cairo_pdf_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:1626
    #15 0x7f4377649820 in INT__moz_cairo_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #16 0x7f43775daa10 in _cairo_paginated_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:173:2
    #17 0x7f4377649820 in INT__moz_cairo_surface_finish /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #18 0x7f4370398e71 in mozilla::gfx::PrintTargetPDF::Finish() /home/kanru/mozilla/gecko/gfx/thebes/PrintTargetPDF.cpp:80:3
    #19 0x7f436fe7bd66 in nsDeviceContext::EndDocument() /home/kanru/mozilla/gecko/gfx/src/nsDeviceContext.cpp:503:9
    #20 0x7f4375901430 in nsPrintData::~nsPrintData() /home/kanru/mozilla/gecko/layout/printing/nsPrintData.cpp:77:14
    #21 0x7f4375903799 in nsPrintEngine::DestroyPrintingData() /home/kanru/mozilla/gecko/layout/printing/nsPrintEngine.cpp:274:5
    #22 0x7f4374faaf64 in nsDocumentViewer::OnDonePrinting() /home/kanru/mozilla/gecko/layout/base/nsDocumentViewer.cpp:4431:7
    #23 0x7f4375927292 in nsPrintCompletionEvent::Run() /home/kanru/mozilla/gecko/layout/printing/nsPrintEngine.cpp:3546:7
    #24 0x7f436d59365b in nsThread::ProcessNextEvent(bool, bool*) /home/kanru/mozilla/gecko/xpcom/threads/nsThread.cpp:1213:7
    #25 0x7f436d62782c in NS_ProcessNextEvent(nsIThread*, bool) /home/kanru/mozilla/gecko/xpcom/glue/nsThreadUtils.cpp:381:54
    #26 0x7f436e69ec3f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/kanru/mozilla/gecko/ipc/glue/MessagePump.cpp:96:21
    #27 0x7f436e579cc8 in MessageLoop::RunInternal() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:232:3
    #28 0x7f436e579cc8 in MessageLoop::RunHandler() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:225
    #29 0x7f436e579cc8 in MessageLoop::Run() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:205
    #30 0x7f43746e7fdf in nsBaseAppShell::Run() /home/kanru/mozilla/gecko/widget/nsBaseAppShell.cpp:156:3
    #31 0x7f4376c46fc7 in XRE_RunAppShell /home/kanru/mozilla/gecko/toolkit/xre/nsEmbedFunctions.cpp:924:12
    #32 0x7f436e579cc8 in MessageLoop::RunInternal() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:232:3
    #33 0x7f436e579cc8 in MessageLoop::RunHandler() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:225
    #34 0x7f436e579cc8 in MessageLoop::Run() /home/kanru/mozilla/gecko/ipc/chromium/src/base/message_loop.cc:205
    #35 0x7f4376c462fa in XRE_InitChildProcess /home/kanru/mozilla/gecko/toolkit/xre/nsEmbedFunctions.cpp:756:7
    #36 0x4f9c83 in content_process_main(int, char**) /home/kanru/mozilla/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:115:19
    #37 0x4f9c83 in main /home/kanru/mozilla/gecko/browser/app/nsBrowserApp.cpp:429
    #38 0x7f438709db44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free /home/kanru/mozilla/gecko/gfx/cairo/cairo/src/cairo-cff-subset.c:1494:25 in cairo_cff_font_write_cid_fontdict
Shadow bytes around the buggy address:
  0x0c528049d3e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528049d3f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528049d400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528049d410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528049d420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c528049d430: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c528049d440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528049d450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528049d460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528049d470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528049d480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15490==ABORTING
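What the report above shows, read as a defender: the freed region was a growable cairo_array output buffer (allocated by an earlier append in cff_index_write), it was freed by realloc inside _cairo_array_grow_by when cff_dict_write appended more output from cairo-cff-subset.c:1490, and four lines later cairo_cff_font_write_cid_fontdict wrote 4 bytes to the old location. That is the classic shape of a pointer into a growable buffer being held across an append that moves the buffer. The C program below is an added illustration of that hazard class and of the offset-based way to avoid it; it is not cairo's code and not the attached patch, and it makes no claim about how the upstream fix is written. The buffer type and its functions (bytebuf_t, bytebuf_append, bytebuf_index) are invented for the example, and growth always moves the block so the hazard reproduces deterministically (realloc may or may not move).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable byte buffer standing in for a cairo_array-style output
 * buffer. The bytebuf_* names are invented for this example. */
typedef struct {
    uint8_t *data;
    size_t len;
    size_t cap;
} bytebuf_t;

static void bytebuf_init(bytebuf_t *b) { b->data = NULL; b->len = 0; b->cap = 0; }
static void bytebuf_fini(bytebuf_t *b) { free(b->data); bytebuf_init(b); }

/* Append n bytes. When the buffer must grow, a new block replaces the old one
 * and the old one is freed (realloc may do the same), so every pointer
 * previously obtained from bytebuf_index() dangles afterwards. Returns 0 on success. */
static int bytebuf_append(bytebuf_t *b, const void *src, size_t n)
{
    if (b->len + n > b->cap) {
        size_t newcap = b->cap ? b->cap : 16;
        while (newcap < b->len + n)
            newcap *= 2;
        uint8_t *fresh = malloc(newcap);
        if (fresh == NULL)
            return -1;
        if (b->len > 0)
            memcpy(fresh, b->data, b->len);
        free(b->data);                 /* old block gone: old pointers now dangle */
        b->data = fresh;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Pointer into the buffer. Valid only until the next bytebuf_append(). */
static uint8_t *bytebuf_index(bytebuf_t *b, size_t off) { return b->data + off; }

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Bug pattern: reserve a 4-byte fixup slot, keep a pointer to it, append a
 * dict of dict_len bytes (which may grow the buffer), then patch the slot
 * through the saved pointer. This version stops short of that final write and
 * reports whether it would land in freed memory: 1 = stale, 0 = not, -1 = OOM. */
static int fixup_via_saved_pointer(size_t dict_len)
{
    bytebuf_t out;
    bytebuf_init(&out);
    uint8_t zero[4] = {0, 0, 0, 0};
    if (bytebuf_append(&out, zero, sizeof zero) != 0)
        return -1;
    uintptr_t slot = (uintptr_t)bytebuf_index(&out, 0);  /* saved too early */

    uint8_t *dict = calloc(dict_len ? dict_len : 1, 1);  /* constructed payload */
    if (dict == NULL) { bytebuf_fini(&out); return -1; }
    int rc = bytebuf_append(&out, dict, dict_len);       /* may free the old block */
    free(dict);
    int stale = (rc == 0) && ((uintptr_t)out.data != slot);
    /* put_be32((uint8_t *)slot, ...) here would be the use-after-free. */
    bytebuf_fini(&out);
    return rc == 0 ? stale : -1;
}

/* Fixed pattern: remember the slot's offset, finish every append, and only
 * then re-derive the pointer. Returns the value read back from the slot. */
static uint32_t fixup_via_offset(size_t dict_len)
{
    bytebuf_t out;
    bytebuf_init(&out);
    uint8_t zero[4] = {0, 0, 0, 0};
    if (bytebuf_append(&out, zero, sizeof zero) != 0)
        return 0;
    size_t slot_off = out.len - sizeof zero;             /* an offset survives growth */

    uint8_t *dict = calloc(dict_len ? dict_len : 1, 1);  /* constructed payload */
    if (dict == NULL) { bytebuf_fini(&out); return 0; }
    int rc = bytebuf_append(&out, dict, dict_len);
    free(dict);
    if (rc != 0) { bytebuf_fini(&out); return 0; }

    uint32_t end_offset = (uint32_t)out.len;             /* e.g. where the next section starts */
    put_be32(bytebuf_index(&out, slot_off), end_offset); /* fresh pointer after the last append */
    uint32_t readback = get_be32(bytebuf_index(&out, slot_off));
    bytebuf_fini(&out);
    return readback;
}

int main(void)
{
    printf("saved pointer stale after growth: %d\n", fixup_via_saved_pointer(4096));
    printf("offset-based fixup reads back:    %u\n", (unsigned)fixup_via_offset(4096));
    return 0;
}
```

Under ASan the commented-out write in fixup_via_saved_pointer is exactly what produces a heap-use-after-free with the free site inside the append path, which is the signature to look for when triaging similar reports: an allocation and a free both attributed to the buffer's grow routine, and a write in a caller that sits a few lines after its own call into that routine.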
Group: mozilla-employee-confidential
I can't mark the bug as security bug after I filed it so marked as mozilla-employee-confidential
Group: gfx-core-security
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Attachment #8820001 - Flags: review?(jmuizelaar)
Holy crap-- that patch is from 2011! How old is our Cairo and how many other Cairo security bugs do we not have fixes for?
Group: mozilla-employee-confidential
Flags: needinfo?(milan)
Whiteboard: [gfx-noted]
Very old. We are now in the world where Cairo is relegated to printing only, so the chance of hitting problems is lessened, but it is possible there are other problems lurking. We're working on getting rid of Cairo completely.
Flags: needinfo?(milan)
Attachment #8820001 - Flags: review?(jmuizelaar) → review+
Comment on attachment 8820001 [details] [diff] [review]
fix cairo_cff_font_write_cid_fontdict array output

[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

This fix has already been upstream for quite a while now, though the patch comments do not directly point to the upstream issue. That said, given this is a strange combination of use-after-free and overrun obscured by the Cairo font machinery, if someone hasn't exploited this one actively already, it's probably very unlikely.

> Which older supported branches are affected by this flaw?
> If not all supported branches, which bug introduced the flaw?

All supported branches are affected.

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This bug affects code old enough that the patch should also apply to all affected branches...

> How likely is this patch to cause regressions; how much testing does it need?

Unlikely, since this just backports the upstream fix.
Attachment #8820001 - Flags: sec-approval?
sec-approval+ for trunk. We'll want this on affected branches, including ESR45, once it lands.
Attachment #8820001 - Flags: sec-approval? → sec-approval+
This should have made 51 but didn't. When can this land?
Flags: needinfo?(lsalzman)
(In reply to Al Billings [:abillings] from comment #7)
> This should have made 51 but didn't. When can this land?

I thought the sec team was responsible for landing anything above sec-moderate?
Flags: needinfo?(lsalzman) → needinfo?(abillings)
(In reply to Lee Salzman [:lsalzman] from comment #8)
> I thought the sec team was responsible for landing anything above
> sec-moderate?

No, we don't land your bugs. We just approve them. You can talk to the sheriffs about landing. I have no checkin privileges and have never checked in a patch for platform or Firefox. :-)
Flags: needinfo?(abillings)
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/f54d14f58ce7

Please request Aurora/Beta/ESR45 approval on this when you get a chance.
Comment on attachment 8820001 [details] [diff] [review]
fix cairo_cff_font_write_cid_fontdict array output

Approval Request Comment
[Feature/Bug causing the regression]: This bug affects all existing release channels (since 2011).
[User impact if declined]: Use-after-free bug that is exposed by printing-to-file specifically crafted pages.
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: Fix has been in upstream Cairo since 2011.
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: 45, 51, 52, 53
[Is the change risky?]: no
[Why is the change risky/not risky?]: Already tested in upstream Cairo since 2011.
[String changes made/needed]: None
Attachment #8820001 - Flags: approval-mozilla-release?
Attachment #8820001 - Flags: approval-mozilla-esr45?
Attachment #8820001 - Flags: approval-mozilla-beta?
Attachment #8820001 - Flags: approval-mozilla-aurora?
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment on attachment 8820001 [details] [diff] [review]
fix cairo_cff_font_write_cid_fontdict array output

sec-critical bug fix in cairo, beta52+, aurora53+
Attachment #8820001 - Flags: approval-mozilla-beta?
Attachment #8820001 - Flags: approval-mozilla-beta+
Attachment #8820001 - Flags: approval-mozilla-aurora?
Attachment #8820001 - Flags: approval-mozilla-aurora+
Group: gfx-core-security → core-security-release
Comment on attachment 8820001 [details] [diff] [review]
fix cairo_cff_font_write_cid_fontdict array output

Fix a sec-critical. ESR45+.
Attachment #8820001 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
Comment on attachment 8820001 [details] [diff] [review]
fix cairo_cff_font_write_cid_fontdict array output

We don't have the plan to have a dot release for 51. Rel51-.
Attachment #8820001 - Flags: approval-mozilla-release? → approval-mozilla-release-
Flags: qe-verify+
Whiteboard: [gfx-noted] → [post-critsmash-triage][gfx-noted]
Whiteboard: [post-critsmash-triage][gfx-noted] → [post-critsmash-triage][gfx-noted][adv-main52+][adv-esr45.8+]
Group: core-security-release