Closed
Bug 1352747
(CVE-2017-7773)
Opened 8 years ago
Closed 7 years ago
Graphite2 heap-buffer-overflow write [@ lz4::decompress] src/Decompressor.cpp:90
Categories: Core :: Graphics: Text, defect
Tracking: RESOLVED FIXED, mozilla55
People
(Reporter: tsmith, Assigned: jfkthame)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])
Attachments (1 file): 1.62 KB, application/x-font-ttf
Found in 28cc60d with a 32-bit build. To reproduce run:

./gr2fonttest -auto -demand test_case.ttf

==5957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5203f84 at pc 0x081acfc2 bp 0xff9a3948 sp 0xff9a393c
WRITE of size 4 at 0xf5203f84 thread T0
    #0 0x81acfc1 in void (anonymous namespace)::unaligned_copy<4>(void*, void const*) src/inc/Compression.h:55:3
    #1 0x81acfc1 in (anonymous namespace)::overrun_copy(unsigned char*, unsigned char const*, unsigned int) src/inc/Compression.h:75
    #2 0x81acfc1 in lz4::decompress(void const*, unsigned int, void*, unsigned int) src/Decompressor.cpp:90
    #3 0x814e6ac in graphite2::Face::Table::decompress() src/Face.cpp:339:20
    #4 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9
    #5 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21
    #6 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16
    #7 0x8141aba in gr_make_file_face src/gr_face.cpp:242
    #8 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20
    #9 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9
    #10 0xf75bc636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x805fe47 in _start (/home/user/workspace/graphite2/gr2fonttest+0x805fe47)

0xf5203f84 is located 0 bytes to the right of 1796-byte region [0xf5203880,0xf5203f84)
allocated by thread T0 here:
    #0 0x8104184 in __interceptor_malloc (/home/user/workspace/graphite2/gr2fonttest+0x8104184)
    #1 0x814e5f2 in unsigned char* graphite2::gralloc<unsigned char>(unsigned int) src/inc/Main.h:88:28
    #2 0x814e5f2 in graphite2::Face::Table::decompress() src/Face.cpp:333
    #3 0x814dd32 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) src/Face.cpp:292:9
    #4 0x8140540 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) src/gr_face.cpp:49:21
    #5 0x8141aba in gr_make_face_with_ops src/gr_face.cpp:89:16
    #6 0x8141aba in gr_make_file_face src/gr_face.cpp:242
    #7 0x813b99e in Parameters::testFileFont() const gr2fonttest/gr2FontTest.cpp:639:20
    #8 0x813d9d3 in main gr2fonttest/gr2FontTest.cpp:798:9
    #9 0xf75bc636 in __libc_start_main /build/glibc-5sb1ri/glibc-2.23/csu/../csu/libc-start.c:291
Comment 1•8 years ago
I've also seen this error on x64 build with other test cases.
Comment 2•8 years ago
I believe this was introduced after the 1.3.9 graphite release and does not affect Firefox (yet). But I'll let :jfkthame make the final call.
Updated•8 years ago
Flags: needinfo?(martin_hosken)
Comment 3•8 years ago
Fixed upstream in 8afc7d0 as a new aspect of the 32-bit rollover problems.
Flags: needinfo?(martin_hosken)
Updated•8 years ago
status-firefox52:
--- → unaffected
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → unaffected
Keywords: sec-high
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
Keywords: regression
We should retest once bug 1349310 lands.
Updated•8 years ago
Blocks: fuzzing-fonts
Updated•7 years ago
No longer blocks: CVE-2017-7778
Depends on: CVE-2017-7778
Comment 5•7 years ago
Milan suggested a retest in comment 4. Can you do this, Tyson?
Flags: needinfo?(twsmith)
Comment 6•7 years ago
Verified fixed in graphite commit 090076bf4
Flags: needinfo?(twsmith)
Updated•7 years ago
Status: REOPENED → RESOLVED
Closed: 8 years ago → 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
Group: gfx-core-security → core-security-release
Updated•7 years ago
Assignee: nobody → jfkthame
status-firefox53:
--- → wontfix
status-firefox54:
--- → fixed
status-firefox55:
--- → fixed
Target Milestone: --- → mozilla55
Updated•7 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•7 years ago
tracking-firefox-esr52:
--- → 54+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Updated•7 years ago
Alias: CVE-2017-7773
Updated•7 years ago
Group: core-security-release