Closed Bug 1352745 (CVE-2017-7772) Opened 3 years ago Closed 3 years ago

Graphite2 heap-buffer-overflow write [@ lz4::decompress]

Categories

(Core :: Graphics: Text, defect, critical)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr45 --- wontfix
firefox-esr52 54+ fixed
firefox53 --- wontfix
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])

Attachments

(1 file)

1.69 KB, application/x-font-ttf
Details
Attached file test_case.ttf
Found in 28cc60d with a 32-bit build.

To reproduce run:
./gr2fonttest -auto -demand test_case.ttf

==4360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5202b0f at pc 0x081ad092 bp 0xffadad08 sp 0xffadacfc
WRITE of size 16 at 0xf5202b0f thread T0
    #0 0x81ad091 in (anonymous namespace)::safe_copy(unsigned char*, unsigned char const*, unsigned int) src/inc/Compression.h:65:22
    #1 0x81ad091 in lz4::decompress(void const*, unsigned int, void*, unsigned int) src/Decompressor.cpp:103
    #2 0x814e6ac in graphite2::Face::Table::decompress() src/Face.cpp:339:20
    #3 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9
    #4 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21
    #5 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16
    #6 0x8141aba in gr_make_file_face src/gr_face.cpp:242
    #7 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20
    #8 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9
    #9 0xf753c636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x805fe47 in _start (graphite2/gr2fonttest+0x805fe47)

0xf5202b0f is located 11 bytes to the right of 10756-byte region [0xf5200100,0xf5202b04)
allocated by thread T0 here:
    #0 0x8104184 in __interceptor_malloc (/home/user/workspace/graphite2/gr2fonttest+0x8104184)
    #1 0x814e5f2 in unsigned char* graphite2::gralloc<unsigned char>(unsigned int) src/inc/Main.h:88:28
    #2 0x814e5f2 in graphite2::Face::Table::decompress() src/Face.cpp:333
    #3 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9
    #4 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21
    #5 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16
    #6 0x8141aba in gr_make_file_face src/gr_face.cpp:242
    #7 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20
    #8 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9
    #9 0xf753c636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291
I believe this was introduced after the 1.3.9 graphite and does not affect Firefox (yet)
Flags: needinfo?(martin_hosken)
Fixed upstream 8afc7d0. All part of getting the 32-bit rollover bug fixed in the decompressor, so just another aspect of this kind of bug.
Flags: needinfo?(martin_hosken)
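The comment above attributes the overrun to a 32-bit rollover in the decompressor. The following is an added illustration, not graphite2's code and not the upstream fix, of the general pattern behind that class of bug: a bounds check written as `dst + n <= end` wraps on a 32-bit build when a length decoded from attacker-controlled input is close to 2^32, while the form `n <= end - dst` cannot wrap. It also shows how an LZ4-style extended length (a nibble of 15 followed by 255-continuation bytes) can grow a length far past the output buffer, which is why the accumulator and the copy both need checks. The function names, the 32-bit "address" model and the sample inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helpers (not graphite2's code). Addresses are modelled as
 * uint32_t to reproduce the arithmetic of a 32-bit build on any host. */

/* Overflow-prone form: dst + n is computed modulo 2^32, so a huge n can
 * wrap the sum back below end and the check passes. */
static bool fits_unsafe32(uint32_t dst, uint32_t end, uint32_t n) {
    return dst + n <= end;
}

/* Safe form: compare the length with the space that remains; no wrap. */
static bool fits_safe32(uint32_t dst, uint32_t end, uint32_t n) {
    return dst <= end && n <= end - dst;
}

/* Reads an LZ4 extended length: a 4-bit nibble of 15 means further bytes
 * follow, each adding 0..255, until a byte below 255. Returns false when
 * the input runs out or the accumulated length would wrap 32 bits. */
static bool read_lz4_length(const uint8_t **p, const uint8_t *end,
                            uint32_t nibble, uint32_t *out) {
    uint32_t len = nibble;
    if (nibble == 15) {
        uint8_t b;
        do {
            if (*p >= end) return false;
            b = *(*p)++;
            if (len > UINT32_MAX - b) return false;   /* accumulator would wrap */
            len += b;
        } while (b == 255);
    }
    *out = len;
    return true;
}

/* Bounds-checked copy of the kind a block decoder needs for literals:
 * returns the number of bytes copied, or -1 if n would overrun either
 * the destination or the source. Lengths are compared with remaining
 * space, never by adding n to a pointer first. */
static int bounded_copy(uint8_t *dst, const uint8_t *dst_end,
                        const uint8_t *src, const uint8_t *src_end, size_t n) {
    if (dst > dst_end || src > src_end) return -1;
    if (n > (size_t)(dst_end - dst) || n > (size_t)(src_end - src)) return -1;
    memcpy(dst, src, n);
    return (int)n;
}

int main(void) {
    /* Constructed 32-bit addresses: a 4-byte window and an enormous length. */
    uint32_t dst = 0x40001000u, end = 0x40001004u, n = 0xFFFFFFF0u;
    printf("unsafe check passes: %d\n", fits_unsafe32(dst, end, n)); /* 1 */
    printf("safe check passes:   %d\n", fits_safe32(dst, end, n));   /* 0 */

    /* Constructed LZ4 length bytes: nibble 15, then 0xFF, then 0x10. */
    const uint8_t in[] = { 0xFF, 0x10 };
    const uint8_t *p = in;
    uint32_t len = 0;
    if (read_lz4_length(&p, in + sizeof in, 15, &len))
        printf("decoded literal length: %u\n", len);               /* 286 */

    uint8_t out[8] = {0};
    const uint8_t lit[] = { 1, 2, 3, 4 };
    printf("copy 4 -> %d, copy 9 -> %d\n",
           bounded_copy(out, out + sizeof out, lit, lit + sizeof lit, 4),
           bounded_copy(out, out + sizeof out, lit, lit + sizeof lit, 9));
    return 0;
}
```

`read_lz4_length` reflects the standard LZ4 block encoding of lengths; the overrun risk shown here is the generic one of trusting a decoded length without comparing it to the remaining output space, which is the check an ASan report like the one above indicates was insufficient.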
Status: NEW → RESOLVED
Closed: 3 years ago
Keywords: sec-high
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Keywords: regression
Resolution: FIXED → ---
No longer blocks: CVE-2017-7778
Depends on: CVE-2017-7778
Milan suggested a retest in comment 3. Can you do this, Tyson?
Flags: needinfo?(twsmith)
Verified fixed in graphite commit 090076bf4
Flags: needinfo?(twsmith)
Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Assignee: nobody → jfkthame
Target Milestone: --- → mozilla55
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Alias: CVE-2017-7772
Group: core-security-release