Closed Bug 1355148 Opened 7 years ago Closed 7 years ago

Graphite2: out of bounds read [@ graphite2::Silf::readClassMap]

Categories

(Core :: Graphics: Text, defect, P3)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1355174

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

5.09 KB, application/x-font-ttf
Attached file test_case.ttf
Found with a 32bit build running gr2FontTest.

Invalid read of size 1
   at 0x80642CA: _peek<1> (Endian.h:77)
   by 0x80642CA: _peek<2> (Endian.h:50)
   by 0x80642CA: read<unsigned short> (Endian.h:60)
   by 0x80642CA: graphite2::Silf::readClassMap(unsigned char const*, unsigned int, unsigned int, graphite2::Error&) (Silf.cpp:287)
   by 0x806382A: graphite2::Silf::readGraphite(unsigned char const*, unsigned int, graphite2::Face&, unsigned int) (Silf.cpp:192)
   by 0x8054837: graphite2::Face::readGraphite(graphite2::Face::Table const&) (Face.cpp:149)
   by 0x804EAEA: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:59)
   by 0x804F69E: gr_make_face_with_ops (gr_face.cpp:89)
   by 0x804F69E: gr_make_file_face (gr_face.cpp:242)
   by 0x804C60D: Parameters::testFileFont() const (gr2FontTest.cpp:639)
   by 0x804D77B: main (gr2FontTest.cpp:798)
 Address 0x44070d0 is 0 bytes after a block of size 560 alloc'd
   at 0x402D25B: malloc (vg_replace_malloc.c:299)
   by 0x806C177: graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned int*) (FileFace.cpp:94)
   by 0x8055233: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:282)
   by 0x804EA0F: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:49)
   by 0x804F69E: gr_make_face_with_ops (gr_face.cpp:89)
   by 0x804F69E: gr_make_file_face (gr_face.cpp:242)
   by 0x804C60D: Parameters::testFileFont() const (gr2FontTest.cpp:639)
   by 0x804D77B: main (gr2FontTest.cpp:798)

Invalid read of size 1
   at 0x80642D0: _peek<1> (Endian.h:77)
   by 0x80642D0: _peek<2> (Endian.h:50)
   by 0x80642D0: read<unsigned short> (Endian.h:60)
   by 0x80642D0: graphite2::Silf::readClassMap(unsigned char const*, unsigned int, unsigned int, graphite2::Error&) (Silf.cpp:287)
   by 0x806382A: graphite2::Silf::readGraphite(unsigned char const*, unsigned int, graphite2::Face&, unsigned int) (Silf.cpp:192)
   by 0x8054837: graphite2::Face::readGraphite(graphite2::Face::Table const&) (Face.cpp:149)
   by 0x804EAEA: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:59)
   by 0x804F69E: gr_make_face_with_ops (gr_face.cpp:89)
   by 0x804F69E: gr_make_file_face (gr_face.cpp:242)
   by 0x804C60D: Parameters::testFileFont() const (gr2FontTest.cpp:639)
   by 0x804D77B: main (gr2FontTest.cpp:798)
 Address 0x44070d1 is 1 bytes after a block of size 560 alloc'd
   at 0x402D25B: malloc (vg_replace_malloc.c:299)
   by 0x806C177: graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned int*) (FileFace.cpp:94)
   by 0x8055233: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:282)
   by 0x804EA0F: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:49)
   by 0x804F69E: gr_make_face_with_ops (gr_face.cpp:89)
   by 0x804F69E: gr_make_file_face (gr_face.cpp:242)
   by 0x804C60D: Parameters::testFileFont() const (gr2FontTest.cpp:639)
   by 0x804D77B: main (gr2FontTest.cpp:798)

Invalid font, failed to read or parse tables
See Also: → CVE-2017-7771
Keywords: sec-high
cf. bug 1355174. This is based on a bad Silf table with a faulty passes_start. On my machine this is caught and the font rejected without ever calling readClassMap. Propose merging the two issues.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security
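The Valgrind trace above shows a two-byte big-endian read (`_peek<2>` via `read<unsigned short>`) landing at offsets 560 and 561 of a 560-byte table, i.e. the reader trusted a count taken from the font rather than checking it against the table length. The following is an added example, not graphite2's code and not the real Silf class-map layout: it uses a hypothetical table layout (uint16 numClass, uint16 numLinear, then numClass+1 uint16 offsets, all names assumed) to show the two checks a practitioner would want in such a parser, a bounds-checked reader that refuses to cross the end of the buffer, and an up-front size check that rejects a table too short for the counts it declares. The sample tables are constructed for the example and are not taken from the attached test_case.ttf.

```c
/* Added example (not graphite2's code): bounds-checked parsing of a
 * hypothetical class-map-like table read from an untrusted font.
 *
 * Assumed layout (hypothetical, NOT the real Silf class map):
 *   uint16 numClass
 *   uint16 numLinear
 *   uint16 offsets[numClass + 1]
 */
#include <stdint.h>
#include <stddef.h>

typedef struct {
    const uint8_t *p;    /* current read position */
    const uint8_t *end;  /* one past the last valid byte of the table */
    int error;           /* set once any read would cross end */
} reader_t;

static void reader_init(reader_t *r, const uint8_t *buf, size_t len) {
    r->p = buf;
    r->end = buf + len;
    r->error = 0;
}

/* Bounds-checked big-endian uint16 read. An unchecked two-byte peek at
 * p == end is exactly the "0 bytes after a block" read Valgrind reported;
 * this version flags an error instead of touching that memory. */
static uint16_t be_read16(reader_t *r) {
    if (r->error || (size_t)(r->end - r->p) < 2) {
        r->error = 1;
        return 0;
    }
    uint16_t v = (uint16_t)((r->p[0] << 8) | r->p[1]);
    r->p += 2;
    return v;
}

/* Bytes the whole structure needs for a declared class count. Computed in
 * size_t so numClass = 0xFFFF cannot wrap a 16-bit intermediate. */
size_t classmap_required_bytes(uint16_t numClass) {
    return 4 + ((size_t)numClass + 1) * 2;
}

/* Parse the hypothetical class map. Returns 1 on success, 0 if the table is
 * too short for the counts it declares. On success *num_class receives
 * numClass and *last_off the final offsets entry. */
int parse_classmap(const uint8_t *table, size_t table_len,
                   uint16_t *num_class, uint16_t *last_off) {
    reader_t r;
    reader_init(&r, table, table_len);

    uint16_t numClass  = be_read16(&r);
    uint16_t numLinear = be_read16(&r);
    (void)numLinear;
    if (r.error) return 0;

    /* Up-front check: reject before looping, rather than discovering the
     * truncation on the last element as the over-read in the trace did. */
    if (classmap_required_bytes(numClass) > table_len) return 0;

    uint16_t off = 0;
    for (size_t i = 0; i <= (size_t)numClass; i++) {
        off = be_read16(&r);
        if (r.error) return 0;   /* defence in depth; unreachable after the size check */
    }
    *num_class = numClass;
    *last_off = off;
    return 1;
}

/* Constructed sample tables (not from the attached test_case.ttf). */
/* Well-formed: numClass=2, numLinear=1, offsets {0x0008, 0x000A, 0x000C}. */
static const uint8_t good_table[] = {
    0x00, 0x02, 0x00, 0x01, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x0C
};
/* Truncated: declares numClass=2, so three offsets are expected, but the
 * table ends after the second one. An unchecked reader would read the
 * third offset from the two bytes just past the end of the allocation. */
static const uint8_t short_table[] = {
    0x00, 0x02, 0x00, 0x01, 0x00, 0x08, 0x00, 0x0A
};

/* 1 if the well-formed table parses with the expected values. */
int demo_good(void) {
    uint16_t n = 0, last = 0;
    return parse_classmap(good_table, sizeof good_table, &n, &last)
           && n == 2 && last == 0x000C;
}

/* Return value of parsing the truncated table (0 = rejected). */
int demo_short(void) {
    uint16_t n = 0, last = 0;
    return parse_classmap(short_table, sizeof short_table, &n, &last);
}
```

The size check before the loop is the one that matters for rejecting the font early, the way the second comment describes the bad passes_start being caught before readClassMap runs; the checked reader is the backstop that turns any remaining mistake into a parse failure instead of an out-of-bounds read.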