Closed Bug 1349511 Opened 7 years ago Closed 7 years ago

Graphite2 vm::Machine::Code::decoder::fetch_opcode out of bounds read

Categories: Core :: Graphics: Text, defect, P3
Status: RESOLVED FIXED
Target Milestone: mozilla54
Tracking Status: firefox-esr52 --- fixed
People: Reporter: hofusec, Assigned: jfkthame
Keywords: csectype-bounds, sec-moderate, testcase
Whiteboard: [gfx-noted]
Attachments: 2 files

Attached file poc.ttf
On 32 bit systems out of bounds reads can occur during the parsing of a silf table.

valgrind log of first read: (created with gr2fonttest tool):

Invalid read of size 1
	at 0x804A400: fetch_opcode (Code.cpp:269)
	by 0x804A400: graphite2::vm::Machine::Code::decoder::load(unsigned char const*, unsigned char const*) (Code.cpp:251)
	by 0x804BA62: graphite2::vm::Machine::Code::Code(...) (Code.cpp:191)
	by 0x806210C: graphite2::Pass::readRules(...) (Pass.cpp:287)
	by 0x8062F65: graphite2::Pass::readPass(...) (Pass.cpp:226)
	by 0x806A13F: graphite2::Silf::readGraphite(unsigned char const*, unsigned int, graphite2::Face&, unsigned int) (Silf.cpp:216)
	by 0x8057534: graphite2::Face::readGraphite(graphite2::Face::Table const&) (Face.cpp:149)
	by 0x805AE71: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:59)
	by 0x805BA0E: gr_make_face_with_ops (gr_face.cpp:89)
	by 0x805BA0E: gr_make_file_face (gr_face.cpp:242)
	by 0x806EC45: Parameters::testFileFont() const (gr2FontTest.cpp:640)
	by 0x8048E15: main (gr2FontTest.cpp:797)
Address 0x240197c is not stack'd, malloc'd or (recently) free'd
 
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x240197C
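The trace above ends in fetch_opcode reading one byte past the mapped region while decoder::load walks the rule bytecode of a Silf table. What follows is an added example, not graphite2 code and not the upstream fix in 75b83cd: a decoder for a hypothetical fixed-operand bytecode (the toyvm namespace, its opcodes and decode() are invented for illustration) in the same begin/end shape as decoder::load, whose loop checks the bytes remaining before reading an opcode or any operand byte, and rejects a stream that runs out instead of trusting a length taken from the font.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace toyvm {

// Hypothetical opcodes for the example; not graphite2's opcode set.
enum Opcode : uint8_t { OP_NOP = 0, OP_PUSH_BYTE = 1, OP_PUSH_SHORT = 2, OP_ADD = 3, OP_RET = 4 };

struct Instruction {
    uint8_t op;
    int32_t arg;  // decoded operand; 0 for opcodes that take none
};

enum class DecodeStatus { Ok, Truncated, UnknownOpcode };

// Operand width in bytes; -1 marks an opcode the VM does not define.
static int operand_width(uint8_t op) {
    switch (op) {
        case OP_NOP: case OP_ADD: case OP_RET: return 0;
        case OP_PUSH_BYTE:  return 1;
        case OP_PUSH_SHORT: return 2;
        default: return -1;
    }
}

// Decode the bytecode in [begin, end). Each read is preceded by a check
// that the byte lies inside the buffer; 'end' is exclusive and is never
// dereferenced. The remaining length is compared as a size rather than
// forming bc + width and comparing that pointer to end: on a 32-bit
// address space the sum can wrap to a small address and pass the test.
static DecodeStatus decode(const uint8_t* begin, const uint8_t* end,
                           std::vector<Instruction>& out) {
    out.clear();
    if (begin == nullptr || end == nullptr || end < begin)
        return DecodeStatus::Truncated;
    const uint8_t* bc = begin;
    for (;;) {
        if (bc == end) return DecodeStatus::Truncated;      // ran out before OP_RET
        const uint8_t op = *bc++;
        const int width = operand_width(op);
        if (width < 0) return DecodeStatus::UnknownOpcode;
        if (static_cast<size_t>(end - bc) < static_cast<size_t>(width))
            return DecodeStatus::Truncated;                 // operand bytes missing
        int32_t arg = 0;
        for (int i = 0; i < width; ++i) arg = (arg << 8) | bc[i];
        bc += width;
        out.push_back({op, arg});
        if (op == OP_RET) return DecodeStatus::Ok;
    }
}

}  // namespace toyvm

int main() {
    // Constructed input: a PUSH_SHORT whose second operand byte is cut off,
    // the kind of stream an unchecked fetch would read one byte past.
    const uint8_t truncated[] = {toyvm::OP_PUSH_BYTE, 0x2a, toyvm::OP_PUSH_SHORT, 0x01};
    std::vector<toyvm::Instruction> prog;
    const toyvm::DecodeStatus st = toyvm::decode(truncated, truncated + sizeof truncated, prog);
    std::printf("decode status: %d, instructions kept before failure: %zu\n",
                static_cast<int>(st), prog.size());
    return st == toyvm::DecodeStatus::Ok ? 0 : 1;
}
```

The point of the length comparison is that it holds on both 32-bit and 64-bit builds: `end - bc` is the number of bytes actually left, whereas `bc + width <= end` depends on the pointer sum not wrapping. Whether that was the mechanism in graphite2 is not something this report states; the example only shows a check that does not depend on it.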
Attached file firefox.gdb.log
Group: core-security → gfx-core-security
Martin, can you please take a look at this?
Flags: needinfo?(martin_hosken)
Fixed? in 75b83cd
Flags: needinfo?(martin_hosken)
Holger, can you confirm that the upstream fix works for you too?
Flags: needinfo?(hofusec)
Priority: -- → P3
Whiteboard: [gfx-noted]
Yes, no error anymore.
Flags: needinfo?(hofusec)
Thanks. We shipped Graphite 1.3.10 including that fix in the Firefox 54 and ESR52.2 releases, so I think we're good here :)
Assignee: nobody → jfkthame
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Depends on: CVE-2017-7778
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Flags: sec-bounty?
Group: gfx-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Group: core-security-release