Bug 1352747 (CVE-2017-7773)

Graphite2 heap-buffer-overflow write [@ lz4::decompress] src/Decompressor.cpp:90

RESOLVED FIXED in Firefox -esr52

Status

()

defect
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: tsmith, Assigned: jfkthame)

Tracking

(Blocks 1 bug, 4 keywords)

unspecified
mozilla55
Points:
---
Dependency tree / graph
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr45 wontfix, firefox52 wontfix, firefox-esr5254+ fixed, firefox53 wontfix, firefox54 fixed, firefox55 fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])

Attachments

(1 attachment)

1.62 KB, application/x-font-ttf
Details
Reporter

Description

2 years ago
Posted file test_case.ttf
Found in 28cc60d with a 32 bit build.

To reproduce run:
./gr2fonttest -auto -demand test_case.ttf

==5957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5203f84 at pc 0x081acfc2 bp 0xff9a3948 sp 0xff9a393c
WRITE of size 4 at 0xf5203f84 thread T0
    #0 0x81acfc1 in void (anonymous namespace)::unaligned_copy<4>(void*, void const*) src/inc/Compression.h:55:3
    #1 0x81acfc1 in (anonymous namespace)::overrun_copy(unsigned char*, unsigned char const*, unsigned int) src/inc/Compression.h:75
    #2 0x81acfc1 in lz4::decompress(void const*, unsigned int, void*, unsigned int) src/Decompressor.cpp:90
    #3 0x814e6ac in graphite2::Face::Table::decompress() src/Face.cpp:339:20
    #4 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9
    #5 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21
    #6 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16
    #7 0x8141aba in gr_make_file_face src/gr_face.cpp:242
    #8 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20
    #9 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9
    #10 0xf75bc636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x805fe47 in _start (/home/user/workspace/graphite2/gr2fonttest+0x805fe47)

0xf5203f84 is located 0 bytes to the right of 1796-byte region [0xf5203880,0xf5203f84)
allocated by thread T0 here:
    #0 0x8104184 in __interceptor_malloc (/home/user/workspace/graphite2/gr2fonttest+0x8104184)
    #1 0x814e5f2 in unsigned char* graphite2::gralloc<unsigned char>(unsigned int) src/inc/Main.h:88:28
    #2 0x814e5f2 in graphite2::Face::Table::decompress() src/Face.cpp:333
    #3 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9
    #4 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21
    #5 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16
    #6 0x8141aba in gr_make_file_face src/gr_face.cpp:242
    #7 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20
    #8 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9
    #9 0xf75bc636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291
Reporter

Comment 1

2 years ago
I've also seen this rero on x64 build with other test cases.
Reporter

Comment 2

2 years ago
I believe this was introduced after the 1.3.9 graphite release and does not affect Firefox (yet). But I'll let :jfkthame make the final call.
Flags: needinfo?(martin_hosken)

Comment 3

2 years ago
Fixed upstream in 8afc7d0 as a new aspect of the 32-bit rollover problems.
Flags: needinfo?(martin_hosken)
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Reporter

Updated

2 years ago
Keywords: regression
Reporter

Updated

2 years ago
Assignee

Updated

2 years ago
No longer blocks: CVE-2017-7778
Depends on: CVE-2017-7778
Milan suggested a retest in comment 4. Can you do this, Tyson?
Flags: needinfo?(twsmith)
Reporter

Comment 6

2 years ago
Verified fixed in graphite commit 090076bf4
Flags: needinfo?(twsmith)
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago2 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Assignee: nobody → jfkthame
Target Milestone: --- → mozilla55
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Alias: CVE-2017-7773
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.