Closed Bug 1412942 Opened 7 years ago Closed 7 years ago

heap buffer overflow READ of size 4 when printing mozilla.org (ASAN)

Categories

(Core :: Graphics, defect)

26 Branch
All
macOS
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: lsalzman)

Details

(4 keywords, Whiteboard: [adv-main58+][post-critsmash-triage])

Attachments

(1 file, 1 obsolete file)

(Wasn't 100% sure which component this belonged in, so I took my best shot)

STR:

1) ASAN build of nightly (a89e5587c7a7)
2) Browse to mozilla.org
3) Cmd-P "Open PDF in Preview"
4) Boom

==51796==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e0001a28e8 at pc 0x00010ef42e0f bp 0x7ffeed8c0fb0 sp 0x7ffeed8c0fa8
READ of size 4 at 0x62e0001a28e8 thread T0
==51796==WARNING: invalid path to external symbolizer!
==51796==WARNING: Failed to use and restart external symbolizer!
    #0 0x10ef42e0e in mozilla::gfx::UnscaledFontMac::GetFontFileData(void (*)(unsigned char const*, unsigned int, unsigned int, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2ec8e0e)
    #1 0x10ee78525 in mozilla::gfx::DrawTargetWrapAndRecord::FillGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::GlyphRenderingOptions const*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2dfe525)
    #2 0x10f7f1166 in GlyphBufferAzure::Flush() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3777166)
    #3 0x10f7b14f4 in gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, TextRunDrawParams const&, mozilla::gfx::ShapedTextFlags) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x37374f4)
    #4 0x10f835e36 in gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) const (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x37bbe36)
    #5 0x10f838817 in gfxTextRun::Draw(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>, gfxTextRun::DrawParams const&) const (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x37be817)
    #6 0x116260926 in DrawTextRun(gfxTextRun const*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, gfxTextRun::Range, nsTextFrame::DrawTextRunParams const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1e6926)
    #7 0x11625fd9f in nsTextFrame::DrawTextRun(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsTextFrame::DrawTextRunParams const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1e5d9f)
    #8 0x116255b21 in nsTextFrame::DrawText(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsTextFrame::DrawTextParams const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1dbb21)
    #9 0x116247119 in nsTextFrame::PaintText(nsTextFrame::PaintTextParams const&, nsCharClipDisplayItem const&, float) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1cd119)
    #10 0x1162450f5 in nsDisplayText::RenderToContext(gfxContext*, nsDisplayListBuilder*, bool) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1cb0f5)
    #11 0x116244285 in nsDisplayText::Paint(nsDisplayListBuilder*, gfxContext*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1ca285)
    #12 0x1167da448 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa760448)
    #13 0x1167de0dc in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa7640dc)
    #14 0x10f43dbb5 in mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33c3bb5)
    #15 0x10f437c9a in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bdc9a)
    #16 0x10f4352b8 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bb2b8)
    #17 0x10f437a57 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bda57)
    #18 0x10f4352b8 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bb2b8)
    #19 0x10f437a57 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bda57)
    #20 0x10f4352b8 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bb2b8)
    #21 0x10f430c10 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33b6c10)
    #22 0x11686df10 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa7f3f10)
    #23 0x115de28d3 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x9d688d3)
    #24 0x116203e9d in nsSimplePageSequenceFrame::PrintNextPage() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa189e9d)
    #25 0x116939196 in nsPrintEngine::PrintPage(nsPrintObject*, bool&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa8bf196)
    #26 0x116938195 in nsPagePrintTimer::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa8be195)
    #27 0x10c3cf00a in mozilla::SchedulerGroup::Runnable::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x35500a)
    #28 0x10c40d782 in nsThread::ProcessNextEvent(bool, bool*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x393782)
    #29 0x10c436ce5 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3bcce5)
    #30 0x1151b3c72 in nsBaseAppShell::NativeEventCallback() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x9139c72)
    #31 0x1152d4999 in nsAppShell::ProcessGeckoEvents(void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x925a999)
    #32 0x7fff43f0d6c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa36c0)
    #33 0x7fff43fc72cb in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d2cb)
    #34 0x7fff43ef015f in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8615f)
    #35 0x7fff43eef5dc in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x855dc)
    #36 0x7fff43eeee42 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84e42)
    #37 0x7fff4320e865 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f865)
    #38 0x7fff4320e5d5 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f5d5)
    #39 0x7fff4320e353 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f353)
    #40 0x7fff4150b9f6 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x419f6)
    #41 0x7fff41ca0d97 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d6d97)
    #42 0x1152d2782 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x9258782)
    #43 0x7fff41500804 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36804)
    #44 0x1152d5cd8 in nsAppShell::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x925bcd8)
    #45 0x11a6f033f in XRE_RunAppShell() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xe67633f)
    #46 0x10d59bf5a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x1521f5a)
    #47 0x10d4a6849 in MessageLoop::RunInternal() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x142c849)
    #48 0x10d4a648c in MessageLoop::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x142c48c)
    #49 0x11a6ef5bc in XRE_InitChildProcess(int, char**, XREChildData const*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xe6755bc)
    #50 0x1023315ae in main (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x1000015ae)
    #51 0x1023313f3 in start (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x1000013f3)

0x62e0001a28ea is located 0 bytes to the right of 42218-byte region [0x62e000198400,0x62e0001a28ea)
allocated by thread T0 here:
    #0 0x102dcd21c in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5921c)
    #1 0x7fff43e8c93d in __CFDataInit (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x2293d)
    #2 0x7fff4247ab19 in TFPFont::CopyTable(unsigned int) const (/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Resources/libFontParser.dylib:x86_64+0x3b19)
    #3 0x10ef41e8a in mozilla::gfx::UnscaledFontMac::GetFontFileData(void (*)(unsigned char const*, unsigned int, unsigned int, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2ec7e8a)
    #4 0x10ee78525 in mozilla::gfx::DrawTargetWrapAndRecord::FillGlyphs(mozilla::gfx::ScaledFont*, mozilla::gfx::GlyphBuffer const&, mozilla::gfx::Pattern const&, mozilla::gfx::DrawOptions const&, mozilla::gfx::GlyphRenderingOptions const*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2dfe525)
    #5 0x10f7f1166 in GlyphBufferAzure::Flush() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3777166)
    #6 0x10f7b14f4 in gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, TextRunDrawParams const&, mozilla::gfx::ShapedTextFlags) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x37374f4)
    #7 0x10f835e36 in gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) const (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x37bbe36)
    #8 0x10f838817 in gfxTextRun::Draw(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>, gfxTextRun::DrawParams const&) const (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x37be817)
    #9 0x116260926 in DrawTextRun(gfxTextRun const*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, gfxTextRun::Range, nsTextFrame::DrawTextRunParams const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1e6926)
    #10 0x11625fd9f in nsTextFrame::DrawTextRun(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsTextFrame::DrawTextRunParams const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1e5d9f)
    #11 0x116255b21 in nsTextFrame::DrawText(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsTextFrame::DrawTextParams const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1dbb21)
    #12 0x116247119 in nsTextFrame::PaintText(nsTextFrame::PaintTextParams const&, nsCharClipDisplayItem const&, float) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1cd119)
    #13 0x1162450f5 in nsDisplayText::RenderToContext(gfxContext*, nsDisplayListBuilder*, bool) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1cb0f5)
    #14 0x116244285 in nsDisplayText::Paint(nsDisplayListBuilder*, gfxContext*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa1ca285)
    #15 0x1167da448 in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa760448)
    #16 0x1167de0dc in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa7640dc)
    #17 0x10f43dbb5 in mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33c3bb5)
    #18 0x10f437c9a in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bdc9a)
    #19 0x10f4352b8 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bb2b8)
    #20 0x10f437a57 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bda57)
    #21 0x10f4352b8 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bb2b8)
    #22 0x10f437a57 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bda57)
    #23 0x10f4352b8 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33bb2b8)
    #24 0x10f430c10 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x33b6c10)
    #25 0x11686df10 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa7f3f10)
    #26 0x115de28d3 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x9d688d3)
    #27 0x116203e9d in nsSimplePageSequenceFrame::PrintNextPage() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa189e9d)
    #28 0x116939196 in nsPrintEngine::PrintPage(nsPrintObject*, bool&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa8bf196)
    #29 0x116938195 in nsPagePrintTimer::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xa8be195)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.0.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2ec8e0e) in mozilla::gfx::UnscaledFontMac::GetFontFileData(void (*)(unsigned char const*, unsigned int, unsigned int, void*), void*)
Shadow bytes around the buggy address:
  0x1c5c000344c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5c000344d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5c000344e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5c000344f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5c00034500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c5c00034510: 00 00 00 00 00 00 00 00 00 00 00 00 00[02]fa fa
  0x1c5c00034520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5c00034530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5c00034540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5c00034550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5c00034560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Group: core-security → gfx-core-security
This was regressed by bug 897007 in release 26. The checksum calculated for the table will overread up to 3 bytes of data, but only if the data is misaligned. So, it won't read outside of the current 4-byte unit of alignment, and if the table it is calculating the checksum for is already 4-byte aligned, there will be no overread.

Given that the memory allocators these days are going to at least assume 4-byte alignment of memory, I am going to say calling this sec-high is really a stretch, since you're not going to be able to use this to read arbitrary memory in an unbounded way, but rather only some fallow bytes that are just going to be reserved by the memory allocator.

That said, this bug is pretty old, and affects all release branches, but I don't think it is critical at all and probably doesn't require sec intervention? A fix should be fairly trivial.
Assignee: nobody → lsalzman
Has Regression Range: --- → yes
Keywords: regression
Version: Trunk → 26 Branch
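The overread described in the comment above, as an added example that is not the bug's patch or Mozilla code: an OpenType-style table checksum loop in its pre-fix shape, which rounds the length up and reads whole 4-byte words past the end of an unaligned table, beside the fixed shape that copies the 1 to 3 remaining bytes into a zero-padded temporary. The sample table and its 0xe5 trailing bytes are constructed for the example; the 42218-byte length is the one from the ASAN report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 6-byte table followed by two bytes that stand in
 * for whatever the allocator left after the table (0xe5, as the reviewer
 * notes uninitialised heap bytes often are). */
static const uint8_t kSampleTable[8] = {0x00, 0x01, 0x00, 0x02,
                                        0x00, 0x03, 0xe5, 0xe5};
#define kSampleLength 6

/* Read one big-endian 32-bit word, as OpenType table checksums require. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* How many bytes past the end a whole-word loop reads for this length.
 * For the 42218-byte region in the ASAN report this is 2: the flagged
 * 4-byte read starts at offset 42216, two bytes before the end. */
size_t overread_bytes(size_t length) {
    return (4 - (length & 3)) & 3;
}

/* Pre-fix shape: rounds the word count up, so the last word of an
 * unaligned table pulls in up to 3 bytes beyond table + length.  The
 * caller must hand over a backing buffer that covers those bytes for
 * this example to stay in bounds; ASAN flagged exactly this read. */
uint32_t checksum_overread(const uint8_t *table, size_t length) {
    uint32_t sum = 0;
    size_t words = (length + 3) / 4;
    for (size_t i = 0; i < words; i++)
        sum += read_be32(table + 4 * i);
    return sum;
}

/* Fixed shape: sum the aligned prefix, then copy the 1..3 remaining bytes
 * into a zeroed temporary and sum that, so no byte past table + length is
 * ever touched.  Zero padding is also what the OpenType spec prescribes
 * for tables whose length is not a multiple of 4, so the result no longer
 * depends on whatever happens to follow the allocation. */
uint32_t checksum_padded(const uint8_t *table, size_t length) {
    uint32_t sum = 0;
    size_t aligned = length & ~(size_t)3;
    for (size_t i = 0; i < aligned; i += 4)
        sum += read_be32(table + i);
    if (length & 3) {
        uint8_t tail[4] = {0, 0, 0, 0};
        memcpy(tail, table + aligned, length & 3);
        sum += read_be32(tail);
    }
    return sum;
}

int main(void) {
    printf("overread bytes for a 42218-byte table: %zu\n", overread_bytes(42218));
    printf("overreading checksum: 0x%08x\n",
           checksum_overread(kSampleTable, kSampleLength));
    printf("zero-padded checksum: 0x%08x\n",
           checksum_padded(kSampleTable, kSampleLength));
    return 0;
}
```

The two checksums differ on the sample because the overreading loop folds the trailing 0xe5 bytes into the last word, which is also why a checksum computed that way can be wrong in practice and not merely an out-of-bounds read.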
Makes sure to copy the remaining bytes into a temporary that is padded with zeroes before checksumming them.
Attachment #8923982 - Flags: review?(jfkthame)
Comment on attachment 8923982 [details] [diff] [review]
pad Mac font data when checksumming

Review of attachment 8923982 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/2d/ScaledFontMac.cpp
@@ +179,5 @@
> +    }
> +
> +    // The length is not 4-byte aligned, but we still must process the remaining bytes.
> +    if (length & 3) {
> +        if (!skipChecksumAdjust || (end - tableStart) != 2) {
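Review bot: the nested condition `(end - tableStart) != 2` compares against a bare magic number; nothing on these lines says what an offset of 2 from tableStart denotes, so a reader cannot tell whether it is the 'head' table's checksumAdjustment field or something else. Either name the constant or add a comment, or drop the skipChecksumAdjust branch from the tail path altogether, since a 1-3 byte remainder can only coincide with that field in a table far too short to be a valid 'head' table. The comment above `if (length & 3)` would also be clearer if it said the remainder is copied into a zero-padded temporary, which is what removes the overread this bug reports.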

I don't think you need to include the skipChecksumAdjust stuff here, as that's only relevant to the 'head' table and it must have a size of 54 bytes (iirc - something like that anyhow). If it was so small that this could matter, then it wasn't a valid font in the first place, and we won't be here.
As per Jonathan's comment, simplifies this to not worry about skipping the checksum in the remaining bytes.
Attachment #8923982 - Attachment is obsolete: true
Attachment #8923982 - Flags: review?(jfkthame)
Attachment #8923986 - Flags: review?(jfkthame)
Status: NEW → ASSIGNED
OS: Unspecified → Mac OS X
Hardware: Unspecified → All
Attachment #8923986 - Flags: review?(jfkthame) → review+
Note there's an interesting problem there, in that you're reading uninitialized bytes (which, practically speaking, will either be 0 or 0xe5), which means in some cases the checksum could be wrong.
Marking sec-moderate per comment 1. If you think that's still too high, and just want to unhide this or whatever, feel free to needinfo me.
Keywords: sec-high → sec-moderate
https://hg.mozilla.org/mozilla-central/rev/b5490c8cf899
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Doesn't sound like it's worth taking in 57 at this point, but leaving ESR52 set to affected for consideration during the next (52.6) cycle.
Group: gfx-core-security → core-security-release
Please request ESR52 approval on this when you get a chance.
Flags: needinfo?(lsalzman)
Comment on attachment 8923986 [details] [diff] [review]
pad Mac font data when checksumming

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Possible memory overreads and crashes on macOS when using bad/malicious fonts.
Fix Landed on Version: 58
Risk to taking this patch (and alternatives if risky): none
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Flags: needinfo?(lsalzman)
Attachment #8923986 - Flags: approval-mozilla-esr52?
Hi Al, based on the previous update from you, are you recommending we wontfix this in ESR52.6?
Flags: needinfo?(abillings)
It is a sec-moderate. We don't take sec-moderates on ESR branches without an overriding reason normally.
Flags: needinfo?(abillings)
Comment on attachment 8923986 [details] [diff] [review]
pad Mac font data when checksumming

Since this is a sec-mod (and Al's reply), we can let this fix ride the ESR60 train, it's now a wontfix for ESR52.
Attachment #8923986 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52-
Flags: qe-verify-
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
Group: core-security-release