Closed Bug 1355148 Opened 8 years ago Closed 8 years ago

Graphite2: out of bounds read [@ graphite2::Silf::readClassMap]

Categories

(Core :: Graphics: Text, defect, P3)

Product:
Core
Component:
Graphics: Text
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1355174

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

test_case.ttf
5.09 KB, application/x-font-ttf
Details
Attached file test_case.ttf
Found with a 32bit build running gr2FontTest. Invalid read of size 1 at 0x80642CA: _peek<1> (Endian.h:77) by 0x80642CA: _peek<2> (Endian.h:50) by 0x80642CA: read<unsigned short> (Endian.h:60) by 0x80642CA: graphite2::Silf::readClassMap(unsigned char const*, unsigned int, unsigned int, graphite2::Error&) (Silf.cpp:287) by 0x806382A: graphite2::Silf::readGraphite(unsigned char const*, unsigned int, graphite2::Face&, unsigned int) (Silf.cpp:192) by 0x8054837: graphite2::Face::readGraphite(graphite2::Face::Table const&) (Face.cpp:149) by 0x804EAEA: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:59) by 0x804F69E: gr_make_face_with_ops (gr_face.cpp:89) by 0x804F69E: gr_make_file_face (gr_face.cpp:242) by 0x804C60D: Parameters::testFileFont() const (gr2FontTest.cpp:639) by 0x804D77B: main (gr2FontTest.cpp:798) Address 0x44070d0 is 0 bytes after a block of size 560 alloc'd at 0x402D25B: malloc (vg_replace_malloc.c:299) by 0x806C177: graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned int*) (FileFace.cpp:94) by 0x8055233: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:282) by 0x804EA0F: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:49) by 0x804F69E: gr_make_face_with_ops (gr_face.cpp:89) by 0x804F69E: gr_make_file_face (gr_face.cpp:242) by 0x804C60D: Parameters::testFileFont() const (gr2FontTest.cpp:639) by 0x804D77B: main (gr2FontTest.cpp:798) Invalid read of size 1 at 0x80642D0: _peek<1> (Endian.h:77) by 0x80642D0: _peek<2> (Endian.h:50) by 0x80642D0: read<unsigned short> (Endian.h:60) by 0x80642D0: graphite2::Silf::readClassMap(unsigned char const*, unsigned int, unsigned int, graphite2::Error&) (Silf.cpp:287) by 0x806382A: graphite2::Silf::readGraphite(unsigned char const*, unsigned int, graphite2::Face&, unsigned int) (Silf.cpp:192) by 0x8054837: graphite2::Face::readGraphite(graphite2::Face::Table const&) (Face.cpp:149) by 0x804EAEA: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:59) by 0x804F69E: gr_make_face_with_ops (gr_face.cpp:89) by 0x804F69E: gr_make_file_face (gr_face.cpp:242) by 0x804C60D: Parameters::testFileFont() const (gr2FontTest.cpp:639) by 0x804D77B: main (gr2FontTest.cpp:798) Address 0x44070d1 is 1 bytes after a block of size 560 alloc'd at 0x402D25B: malloc (vg_replace_malloc.c:299) by 0x806C177: graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned int*) (FileFace.cpp:94) by 0x8055233: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:282) by 0x804EA0F: (anonymous namespace)::load_face(graphite2::Face&, unsigned int) (gr_face.cpp:49) by 0x804F69E: gr_make_face_with_ops (gr_face.cpp:89) by 0x804F69E: gr_make_file_face (gr_face.cpp:242) by 0x804C60D: Parameters::testFileFont() const (gr2FontTest.cpp:639) by 0x804D77B: main (gr2FontTest.cpp:798) Invalid font, failed to read or parse tables
See Also: → CVE-2017-7771
Keywords: sec-high
cf bug 1355174. This is based on a bad silf table with a faulty passes_start. On my machine this is caught and the font rejected without ever calling readClassMap. Propose merging the two issues.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: