Closed Bug 1352745 (CVE-2017-7772) Opened 8 years ago Closed 8 years ago

Graphite2 heap-buffer-overflow write [@ lz4::decompress]

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla55

Tracking Flags:

Tracking

Status

firefox-esr45

---

wontfix

firefox-esr52

54+

fixed

firefox53

---

wontfix

firefox54

---

fixed

firefox55

---

fixed

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])

Attachments

(1 file)

test_case.ttf 8 years ago Tyson Smith [:tsmith] 1.69 KB, application/x-font-ttf		Details

Tyson Smith [:tsmith]

Reporter

Description

•

8 years ago

Attached file test_case.ttf — Details

Found in 28cc60d with a 32 bit build. To reproduce run: ./gr2fonttest -auto -demand test_case.ttf ==4360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5202b0f at pc 0x081ad092 bp 0xffadad08 sp 0xffadacfc WRITE of size 16 at 0xf5202b0f thread T0 #0 0x81ad091 in (anonymous namespace)::safe_copy(unsigned char*, unsigned char const*, unsigned int) src/inc/Compression.h:65:22 #1 0x81ad091 in lz4::decompress(void const*, unsigned int, void*, unsigned int) src/Decompressor.cpp:103 #2 0x814e6ac in graphite2::Face::Table::decompress() src/Face.cpp:339:20 #3 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9 #4 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21 #5 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16 #6 0x8141aba in gr_make_file_face src/gr_face.cpp:242 #7 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20 #8 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9 #9 0xf753c636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291 #10 0x805fe47 in _start (graphite2/gr2fonttest+0x805fe47) 0xf5202b0f is located 11 bytes to the right of 10756-byte region [0xf5200100,0xf5202b04) allocated by thread T0 here: #0 0x8104184 in __interceptor_malloc (/home/user/workspace/graphite2/gr2fonttest+0x8104184) #1 0x814e5f2 in unsigned char* graphite2::gralloc<unsigned char>(unsigned int) src/inc/Main.h:88:28 #2 0x814e5f2 in graphite2::Face::Table::decompress() src/Face.cpp:333 #3 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9 #4 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21 #5 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16 #6 0x8141aba in gr_make_file_face src/gr_face.cpp:242 #7 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20 #8 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9 #9 0xf753c636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291

Tyson Smith [:tsmith]

Reporter

Comment 1

•

8 years ago

I believe this was introduced after the 1.3.9 graphite and does not affect Firefox (yet)

Ryan VanderMeulen [:RyanVM]

Updated

•

8 years ago

Flags: needinfo?(martin_hosken)

martin_hosken

Comment 2

•

8 years ago

Fixed upstream 8afc7d0. All part of getting the 32-bit rollover bug fixed in the decompressor, so just another aspect of this kind of bug.

Flags: needinfo?(martin_hosken)

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Status: NEW → RESOLVED

Closed: 8 years ago

status-firefox55: --- → unaffected

status-firefox-esr45: --- → unaffected

status-firefox-esr52: --- → unaffected

Keywords: sec-high

Resolution: --- → FIXED

Tyson Smith [:tsmith]

Reporter

Updated

•

8 years ago

Blocks: CVE-2017-7778

Status: RESOLVED → REOPENED

Keywords: regression

Resolution: FIXED → ---

Milan Sreckovic [:milan] (needinfo for best results)

Comment 3

•

8 years ago

We should retest once bug 1349310 lands.

Tyson Smith [:tsmith]

Reporter

Updated

•

8 years ago

Blocks: fuzzing-fonts

Jonathan Kew [:jfkthame]

Assignee

Updated

•

8 years ago

No longer blocks: CVE-2017-7778

Depends on: CVE-2017-7778

Frederik Braun [:freddy]

Comment 4

•

8 years ago

Milan suggested a retest in comment 3. Can you do this, Tyson?

Flags: needinfo?(twsmith)

Tyson Smith [:tsmith]

Reporter

Comment 5

•

8 years ago

Verified fixed in graphite commit 090076bf4

Flags: needinfo?(twsmith)

Frederik Braun [:freddy]

Updated

•

8 years ago

Status: REOPENED → RESOLVED

Closed: 8 years ago → 8 years ago

Resolution: --- → FIXED

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Group: gfx-core-security → core-security-release

Ryan VanderMeulen [:RyanVM]

Updated

•

8 years ago

Assignee: nobody → jfkthame

status-firefox53: --- → wontfix

status-firefox54: --- → fixed

status-firefox55: unaffected → fixed

status-firefox-esr45: unaffected → wontfix

status-firefox-esr52: unaffected → fixed

Target Milestone: --- → mozilla55

Matt Wobensmith [:mwobensmith][:matt:]

Updated

•

8 years ago

Flags: qe-verify-

Whiteboard: [post-critsmash-triage]

Al Billings [:abillings - ex-MoCo]

Updated

•

8 years ago

tracking-firefox-esr52: --- → 54+

Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]

Al Billings [:abillings - ex-MoCo]

Updated

•

8 years ago

Alias: CVE-2017-7772

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.