Closed Bug 1454359 Opened 2 years ago Closed 2 years ago
Cherry-pick more upstream FreeType oss-fuzz fixes
+++ This bug was initially created as a clone of Bug #1453653 +++

More upstream fixes landed over the weekend for various issues reported by oss-fuzz.

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=827ca3bcf25b9e4dc2edf31381c0774e1d227285
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=235b1e2fe6ca325f449c5a73c75432d62d73f524
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=70ac167c47f5ca966fb578b1f215430f46915a49

https://treeherder.mozilla.org/#/jobs?repo=try&revision=0006232e86669cc44bba7bc709c41a5f55b0b2a2

[Security approval request comment]

How easily could an exploit be constructed based on the patch?
I have no idea, TBH. The issues were found by oss-fuzz and are referenced in the upstream commits (though access is restricted).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I left the commit message generic, but obviously someone is free to follow the link to the upstream commits to see that the fixes are likely security-related.

Which older supported branches are affected by this flaw?
All, though only 59+ in practice where we ship Android builds.

If not all supported branches, which bug introduced the flaw?
N/A

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Applies cleanly to Beta as-is.

How likely is this patch to cause regressions; how much testing does it need?
Seems highly unlikely. Android tests are green on the Try push.
Based on the patch I suspect these fix 2 UBSAN errors and a timeout. That is, the integer overflows don't lead to a heap buffer overflow.
Comment on attachment 8968235 [details] [diff] [review] cherry-pick more upstream oss-fuzz fixes

Review of attachment 8968235 [details] [diff] [review]:

LGTM, thanks.
Attachment #8968235 - Flags: review?(jfkthame) → review+
Talking to Dan, this seems to really be a sec-low. As such, it doesn't need sec-approval+ to go onto trunk.
Comment on attachment 8968235 [details] [diff] [review] cherry-pick more upstream oss-fuzz fixes

Same story as bug 1453653. More FreeType upstream security fixes.
Attachment #8968235 - Flags: approval-mozilla-beta+
...I didn't mean to set that to + there, but got Julien's blessing over IRC to just leave it.

https://hg.mozilla.org/releases/mozilla-beta/rev/41236d2e9c29
Whiteboard: [adv-main60+] → [adv-main60+][post-critsmash-triage]