Closed Bug 1358551 (CVE-2017-7777) Opened 8 years ago Closed 8 years ago

Graphite2: use of uninitialized memory [@ graphite2::GlyphCache::Loader::read_glyph]

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr45 --- wontfix
firefox-esr52 54+ fixed
firefox53 --- wontfix
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uninitialized, sec-high, testcase, Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])

Attachments

(3 files)

test_case.ttf
323.50 KB, application/x-font-ttf
Details
log.txt
38.43 KB, text/plain
Details
fix.patch
1.31 KB, patch
Details | Diff | Splinter Review
Attached file test_case.ttf
Found while fuzzing graphite commit 0646e4e The attached test cases triggers multiple instances of uninitialized memory usage. See attached log for full report. To reproduce: valgrind -q --track-origins=yes ./gr2fonttest test_case.ttf Conditional jump or move depends on uninitialised value(s) at 0x4130AB: sparse<(anonymous namespace)::_glat_iterator<unsigned short> > (Sparse.h:107) by 0x4130AB: GlyphFace<(anonymous namespace)::_glat_iterator<unsigned short> > (GlyphFace.h:74) by 0x4130AB: graphite2::GlyphCache::Loader::read_glyph(unsigned short, graphite2::GlyphFace&, int*) const (GlyphCache.cpp:423) by 0x411FD7: graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) (GlyphCache.cpp:142) by 0x40C7D1: graphite2::Face::readGlyphs(unsigned int) (Face.cpp:98) by 0x407A67: load_face (gr_face.cpp:54) by 0x407A67: gr_make_face_with_ops (gr_face.cpp:89) by 0x4089B8: gr_make_file_face (gr_face.cpp:242) by 0x405111: Parameters::testFileFont() const (gr2FontTest.cpp:639) by 0x406286: main (gr2FontTest.cpp:802) Uninitialised value was created by a heap allocation at 0x4C2DBB6: malloc (vg_replace_malloc.c:299) by 0x40DBB8: gralloc<unsigned char> (Main.h:88) by 0x40DBB8: graphite2::Face::Table::decompress() (Face.cpp:333) by 0x40D85A: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:292) by 0x414575: graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) (GlyphCache.cpp:270) by 0x411A9F: graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) (GlyphCache.cpp:118) by 0x40C7D1: graphite2::Face::readGlyphs(unsigned int) (Face.cpp:98) by 0x407A67: load_face (gr_face.cpp:54) by 0x407A67: gr_make_face_with_ops (gr_face.cpp:89) by 0x4089B8: gr_make_file_face (gr_face.cpp:242) by 0x405111: Parameters::testFileFont() const (gr2FontTest.cpp:639) by 0x406286: main (gr2FontTest.cpp:802)
Attached file log.txt
Attached patch fix.patchSplinter Review
Fixes decompressor to not copy uninitialised data. Also added some protections in read_glyph.
Verified fixed in graphite-security commit bb24c61
Keywords: sec-high
Should be fixed by the patch landed in bug 1349310.
Depends on: CVE-2017-7778
(In reply to Tyson Smith [:tsmith] from comment #3) > Verified fixed in graphite-security commit bb24c61 (In reply to Jonathan Kew (:jfkthame) from comment #4) > Should be fixed by the patch landed in bug 1349310.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Assignee: nobody → jfkthame
status-firefox53: --- → wontfix
status-firefox54: --- → fixed
status-firefox55: --- → fixed
status-firefox-esr45: --- → wontfix
status-firefox-esr52: --- → fixed
Target Milestone: --- → mozilla55
Group: gfx-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
tracking-firefox-esr52: --- → 54+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Alias: CVE-2017-7777
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: