Closed Bug 1352745 (CVE-2017-7772) Opened 8 years ago Closed 8 years ago

Graphite2 heap-buffer-overflow write [@ lz4::decompress]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr45 --- wontfix
firefox-esr52 54+ fixed
firefox53 --- wontfix
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])

Attachments

(1 file)

Attached file test_case.ttf
Found in 28cc60d with a 32-bit build. To reproduce run: ./gr2fonttest -auto -demand test_case.ttf

==4360==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5202b0f at pc 0x081ad092 bp 0xffadad08 sp 0xffadacfc
WRITE of size 16 at 0xf5202b0f thread T0
    #0 0x81ad091 in (anonymous namespace)::safe_copy(unsigned char*, unsigned char const*, unsigned int) src/inc/Compression.h:65:22
    #1 0x81ad091 in lz4::decompress(void const*, unsigned int, void*, unsigned int) src/Decompressor.cpp:103
    #2 0x814e6ac in graphite2::Face::Table::decompress() src/Face.cpp:339:20
    #3 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9
    #4 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21
    #5 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16
    #6 0x8141aba in gr_make_file_face src/gr_face.cpp:242
    #7 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20
    #8 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9
    #9 0xf753c636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x805fe47 in _start (graphite2/gr2fonttest+0x805fe47)

0xf5202b0f is located 11 bytes to the right of 10756-byte region [0xf5200100,0xf5202b04)
allocated by thread T0 here:
    #0 0x8104184 in __interceptor_malloc (/home/user/workspace/graphite2/gr2fonttest+0x8104184)
    #1 0x814e5f2 in unsigned char* graphite2::gralloc<unsigned char>(unsigned int) src/inc/Main.h:88:28
    #2 0x814e5f2 in graphite2::Face::Table::decompress() src/Face.cpp:333
    #3 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9
    #4 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21
    #5 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16
    #6 0x8141aba in gr_make_file_face src/gr_face.cpp:242
    #7 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20
    #8 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9
    #9 0xf753c636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291
I believe this was introduced after the 1.3.9 graphite and does not affect Firefox (yet)
Flags: needinfo?(martin_hosken)
Fixed upstream 8afc7d0. All part of getting the 32-bit rollover bug fixed in the decompressor, so just another aspect of this kind of bug.
Flags: needinfo?(martin_hosken)
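The comment above attributes the overflow to a 32-bit rollover in the decompressor's bounds handling. The following is an added illustration of that bug class written for this record; it is hypothetical code, not graphite2's safe_copy or lz4::decompress. It tracks offsets and lengths as uint32_t to mirror a 32-bit build, contrasts a bound check that computes offset + len (which can wrap to a small value) with one that compares the length against the remaining space, and wraps the latter in a copy routine that refuses anything out of range. The buffer sizes and the oversized length are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds checks for an LZ4-style decompressor (added example,
 * not graphite2's code). Offsets and lengths are uint32_t so that the
 * arithmetic behaves as it would in a 32-bit build. */

/* Naive bound: off + len is computed in 32-bit arithmetic and can wrap,
 * so an enormous len may compare as "fits". */
bool naive_fits(uint32_t off, uint32_t len, uint32_t size)
{
    return off + len <= size;
}

/* Wrap-proof bound: compare len against the space that remains instead
 * of forming a sum that can overflow. */
bool safe_fits(uint32_t off, uint32_t len, uint32_t size)
{
    return off <= size && len <= size - off;
}

/* Copy len bytes from src+src_off to dst+dst_off only if both ranges fit.
 * Returns true on success; returns false and copies nothing otherwise. */
bool bounded_copy(uint8_t *dst, uint32_t dst_size, uint32_t dst_off,
                  const uint8_t *src, uint32_t src_size, uint32_t src_off,
                  uint32_t len)
{
    if (!safe_fits(dst_off, len, dst_size) || !safe_fits(src_off, len, src_size))
        return false;
    memcpy(dst + dst_off, src + src_off, len);
    return true;
}

/* Constructed scenario: a 16-byte output region with 12 bytes already
 * written, and a length field chosen so that 12 + len wraps to 3.
 * Returns how many of the two checks accept it: the naive check does,
 * the wrap-proof one does not, so the expected result is 1. */
int wrapped_length_demo(void)
{
    const uint32_t size = 16, off = 12;
    const uint32_t len = UINT32_MAX - off + 4;  /* off + len wraps to 3 */
    int accepted = 0;
    if (naive_fits(off, len, size)) accepted++;  /* 3 <= 16: wrongly accepted */
    if (safe_fits(off, len, size))  accepted++;  /* len > 4 remaining: rejected */
    return accepted;
}

int main(void)
{
    uint8_t out[16] = {0};
    const uint8_t in[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed literal run */

    printf("naive check fooled by wrapped length: %s\n",
           wrapped_length_demo() == 1 ? "yes" : "no");
    printf("copy 8 bytes at offset 4:  %s\n",
           bounded_copy(out, 16, 4, in, 8, 0, 8) ? "ok" : "rejected");
    printf("copy 8 bytes at offset 12: %s\n",
           bounded_copy(out, 16, 12, in, 8, 0, 8) ? "ok" : "rejected");
    return 0;
}
```

The point of the second check is that it never forms a sum: it subtracts first (which cannot underflow once off <= size is known) and then compares, so the result is correct for every 32-bit value of len. The same shape applies to the source side, which is why bounded_copy checks both ranges before touching memory.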
Status: NEW → RESOLVED
Closed: 8 years ago
Keywords: sec-high
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Keywords: regression
Resolution: FIXED → ---
No longer blocks: CVE-2017-7778
Depends on: CVE-2017-7778
Milan suggested a retest in comment 3. Can you do this, Tyson?
Flags: needinfo?(twsmith)
Verified fixed in graphite commit 090076bf4
Flags: needinfo?(twsmith)
Status: REOPENED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Assignee: nobody → jfkthame
Target Milestone: --- → mozilla55
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Alias: CVE-2017-7772
Group: core-security-release