Bug 1358551 (CVE-2017-7777)

Graphite2: use of uninitialized memory [@ graphite2::GlyphCache::Loader::read_glyph]

RESOLVED FIXED in Firefox -esr52

Status

()

defect
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: tsmith, Assigned: jfkthame)

Tracking

(Blocks 1 bug, {csectype-uninitialized, sec-high, testcase})

unspecified
mozilla55
Points:
---
Dependency tree / graph
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr45 wontfix, firefox-esr5254+ fixed, firefox53 wontfix, firefox54 fixed, firefox55 fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])

Attachments

(3 attachments)

Reporter

Description

2 years ago
Posted file test_case.ttf
Found while fuzzing graphite commit 0646e4e

The attached test cases triggers multiple instances of uninitialized memory usage. See attached log for full report.

To reproduce:
valgrind -q --track-origins=yes ./gr2fonttest test_case.ttf

Conditional jump or move depends on uninitialised value(s)
   at 0x4130AB: sparse<(anonymous namespace)::_glat_iterator<unsigned short> > (Sparse.h:107)
   by 0x4130AB: GlyphFace<(anonymous namespace)::_glat_iterator<unsigned short> > (GlyphFace.h:74)
   by 0x4130AB: graphite2::GlyphCache::Loader::read_glyph(unsigned short, graphite2::GlyphFace&, int*) const (GlyphCache.cpp:423)
   by 0x411FD7: graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) (GlyphCache.cpp:142)
   by 0x40C7D1: graphite2::Face::readGlyphs(unsigned int) (Face.cpp:98)
   by 0x407A67: load_face (gr_face.cpp:54)
   by 0x407A67: gr_make_face_with_ops (gr_face.cpp:89)
   by 0x4089B8: gr_make_file_face (gr_face.cpp:242)
   by 0x405111: Parameters::testFileFont() const (gr2FontTest.cpp:639)
   by 0x406286: main (gr2FontTest.cpp:802)
 Uninitialised value was created by a heap allocation
   at 0x4C2DBB6: malloc (vg_replace_malloc.c:299)
   by 0x40DBB8: gralloc<unsigned char> (Main.h:88)
   by 0x40DBB8: graphite2::Face::Table::decompress() (Face.cpp:333)
   by 0x40D85A: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:292)
   by 0x414575: graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) (GlyphCache.cpp:270)
   by 0x411A9F: graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) (GlyphCache.cpp:118)
   by 0x40C7D1: graphite2::Face::readGlyphs(unsigned int) (Face.cpp:98)
   by 0x407A67: load_face (gr_face.cpp:54)
   by 0x407A67: gr_make_face_with_ops (gr_face.cpp:89)
   by 0x4089B8: gr_make_file_face (gr_face.cpp:242)
   by 0x405111: Parameters::testFileFont() const (gr2FontTest.cpp:639)
   by 0x406286: main (gr2FontTest.cpp:802)
Reporter

Comment 1

2 years ago
Posted file log.txt

Comment 2

2 years ago
Posted patch fix.patchSplinter Review
Fixes decompressor to not copy uninitialised data. Also added some protections in read_glyph.
Reporter

Comment 3

2 years ago
Verified fixed in graphite-security commit bb24c61
Keywords: sec-high
Assignee

Comment 4

2 years ago
Should be fixed by the patch landed in bug 1349310.
Depends on: CVE-2017-7778
(In reply to Tyson Smith [:tsmith] from comment #3)
> Verified fixed in graphite-security commit bb24c61

(In reply to Jonathan Kew (:jfkthame) from comment #4)
> Should be fixed by the patch landed in bug 1349310.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Assignee: nobody → jfkthame
Target Milestone: --- → mozilla55
Group: gfx-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Alias: CVE-2017-7777
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.