Closed Bug 1454359 Opened 2 years ago Closed 2 years ago

Cherry-pick more upstream FreeType oss-fuzz fixes

(Core :: Graphics: Text, defect, P1, critical)

Tracking Status
firefox-esr52 --- disabled
firefox59 --- wontfix
firefox60 + fixed
firefox61 + fixed

(Reporter: RyanVM, Assigned: RyanVM)

(Keywords: csectype-intoverflow, csectype-undefined, sec-low, Whiteboard: [adv-main60+][post-critsmash-triage])

(1 file)

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I have no idea, TBH. The issues were found by oss-fuzz and are referenced in the upstream commits (though access is restricted).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I left the commit message generic, but obviously someone is free to follow the link to the upstream commits to see that the fixes are likely security-related.

Which older supported branches are affected by this flaw?
All, though only 59+ in practice where we ship Android builds.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Applies cleanly to Beta as-is.

How likely is this patch to cause regressions; how much testing does it need?
Seems highly unlikely. Android tests are green on the Try push.
Attachment #8968235 - Flags: sec-approval?
Attachment #8968235 - Flags: review?(jfkthame)
Based on the patch I suspect these fix 2 UBSAN errors and a timeout. That is, the integer overflows don't lead to a heap buffer overflow.
Comment on attachment 8968235 [details] [diff] [review]
cherry-pick more upstream oss-fuzz fixes

Review of attachment 8968235 [details] [diff] [review]:

LGTM, thanks.
Attachment #8968235 - Flags: review?(jfkthame) → review+
Priority: -- → P1
Talking to Dan, this seems to really be a sec-low. As such, it doesn't need sec-approval+ to go onto trunk.
Keywords: sec-low
Attachment #8968235 - Flags: sec-approval?
Comment on attachment 8968235 [details] [diff] [review]
cherry-pick more upstream oss-fuzz fixes

Same story as bug 1453653. More FreeType upstream security fixes.
Attachment #8968235 - Flags: approval-mozilla-beta+
...I didn't mean to set that to + there, but got Julien's blessing over IRC to just leave it.
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Group: gfx-core-security → core-security-release
Whiteboard: [adv-main60+]
Flags: qe-verify-
Whiteboard: [adv-main60+] → [adv-main60+][post-critsmash-triage]
Group: core-security-release