Closed Bug 1704316 Opened 3 years ago Closed 3 years ago

heap-buffer-overflow in [@ cairo_type1_font_subset_for_each_glyph] while printing

Categories

(Core :: Graphics, defect)

Tracking

VERIFIED FIXED
Tracking Status
firefox-esr78 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- fixed

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main90+r])

Attachments

(1 file)

Attached file testcase.html

First found while fuzzing m-c 20210410-05337140272c (--enable-address-sanitizer --enable-fuzzing)

==10594==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc888247c0c at pc 0x55c5e99e6da7 bp 0x7fffcf2fbbb0 sp 0x7fffcf2fb368
READ of size 652 at 0x7fc888247c0c thread T0
    #0 0x55c5e99e6da6 in StrtolFixAndCheck(void*, char const*, char**, char*, int) /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3410:3
    #1 0x55c5e9a1cfc6 in strtol /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:497:3
    #2 0x7fc8a0da417e in cairo_type1_font_subset_for_each_glyph /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:972:22
    #3 0x7fc8a0da1d0e in cairo_type1_font_subset_write_private_dict /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:1060:14
    #4 0x7fc8a0da1d0e in cairo_type1_font_subset_write /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:1202:14
    #5 0x7fc8a0da1d0e in cairo_type1_font_subset_generate /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:1268:14
    #6 0x7fc8a0da1d0e in _cairo_type1_subset_init /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:1340:14
    #7 0x7fc8a0d6d077 in _cairo_pdf_surface_emit_type1_font_subset /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4189:14
    #8 0x7fc8a0d6d077 in _cairo_pdf_surface_emit_unscaled_font_subset /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4663:18
    #9 0x7fc8a0e2e06b in _cairo_sub_font_collect /gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:590:30
    #10 0x7fc8a0e2e06b in _cairo_scaled_font_subsets_foreach_internal /gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:904:6
    #11 0x7fc8a0d67ddd in _cairo_pdf_surface_emit_font_subsets /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4704:14
    #12 0x7fc8a0d67ddd in _cairo_pdf_surface_finish /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:1626:11
    #13 0x7fc8a0e50011 in _moz_cairo_surface_finish /gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #14 0x7fc8a0dfe74f in _cairo_paginated_surface_finish /gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:173:2
    #15 0x7fc8a0e50011 in _moz_cairo_surface_finish /gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #16 0x7fc89a19c633 in mozilla::gfx::PrintTargetPDF::Finish() /gecko/gfx/thebes/PrintTargetPDF.cpp:74:16
    #17 0x7fc899b04db1 in nsDeviceContext::EndDocument() /gecko/gfx/src/nsDeviceContext.cpp:546:19
    #18 0x7fc89fc26a9d in mozilla::layout::RemotePrintJobParent::RecvFinalizePrint() /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:199:51
    #19 0x7fc898f48b73 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:321:28
    #20 0x7fc898af06b3 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6592:32
    #21 0x7fc898818b0a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2154:25
    #22 0x7fc89881502e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2078:9
    #23 0x7fc8988169e8 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1926:3
    #24 0x7fc89881754b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1957:13
    #25 0x7fc8975eed86 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:470:16
    #26 0x7fc8975b4f43 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:754:26
    #27 0x7fc8975b2a87 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:609:15
    #28 0x7fc8975b2edd in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:393:36
    #29 0x7fc8975f8391 in operator() /gecko/xpcom/threads/TaskController.cpp:133:37
    #30 0x7fc8975f8391 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #31 0x7fc8975d11b3 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
    #32 0x7fc8975dc0dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #33 0x7fc89882043f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #34 0x7fc89872a631 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #35 0x7fc89872a631 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #36 0x7fc89872a631 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #37 0x7fc89ee65bd7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #38 0x7fc8a2764937 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
    #39 0x7fc8a296b22f in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5348:22
    #40 0x7fc8a296d756 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5539:8
    #41 0x7fc8a296e533 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5598:21
    #42 0x55c5e9a63902 in do_main /gecko/browser/app/nsBrowserApp.cpp:220:22
    #43 0x55c5e9a63902 in main /gecko/browser/app/nsBrowserApp.cpp:347:16
    #44 0x7fc8b7ab40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #45 0x55c5e99b68b9 in _start (/home/worker/builds/m-c-20210410091448-fuzzing-asan-opt/firefox+0x5a8b9)

0x7fc888247c0c is located 0 bytes to the right of 132108-byte region [0x7fc888227800,0x7fc888247c0c)
allocated by thread T0 here:
    #0 0x55c5e9a3074d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7fc8a0da0e0e in cairo_type1_font_subset_decrypt_eexec_segment /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:476:23
    #2 0x7fc8a0da0e0e in cairo_type1_font_subset_write /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:1183:14
    #3 0x7fc8a0da0e0e in cairo_type1_font_subset_generate /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:1268:14
    #4 0x7fc8a0da0e0e in _cairo_type1_subset_init /gecko/gfx/cairo/cairo/src/cairo-type1-subset.c:1340:14
    #5 0x7fc8a0d6d077 in _cairo_pdf_surface_emit_type1_font_subset /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4189:14
    #6 0x7fc8a0d6d077 in _cairo_pdf_surface_emit_unscaled_font_subset /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4663:18
    #7 0x7fc8a0e2e06b in _cairo_sub_font_collect /gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:590:30
    #8 0x7fc8a0e2e06b in _cairo_scaled_font_subsets_foreach_internal /gecko/gfx/cairo/cairo/src/cairo-scaled-font-subsets.c:904:6
    #9 0x7fc8a0d67ddd in _cairo_pdf_surface_emit_font_subsets /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:4704:14
    #10 0x7fc8a0d67ddd in _cairo_pdf_surface_finish /gecko/gfx/cairo/cairo/src/cairo-pdf-surface.c:1626:11
    #11 0x7fc8a0e50011 in _moz_cairo_surface_finish /gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #12 0x7fc8a0dfe74f in _cairo_paginated_surface_finish /gecko/gfx/cairo/cairo/src/cairo-paginated-surface.c:173:2
    #13 0x7fc8a0e50011 in _moz_cairo_surface_finish /gecko/gfx/cairo/cairo/src/cairo-surface.c:728:11
    #14 0x7fc89a19c633 in mozilla::gfx::PrintTargetPDF::Finish() /gecko/gfx/thebes/PrintTargetPDF.cpp:74:16
    #15 0x7fc899b04db1 in nsDeviceContext::EndDocument() /gecko/gfx/src/nsDeviceContext.cpp:546:19
    #16 0x7fc89fc26a9d in mozilla::layout::RemotePrintJobParent::RecvFinalizePrint() /gecko/layout/printing/ipc/RemotePrintJobParent.cpp:199:51
    #17 0x7fc898f48b73 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:321:28
    #18 0x7fc898af06b3 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6592:32
    #19 0x7fc898818b0a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2154:25
    #20 0x7fc89881502e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2078:9
    #21 0x7fc8988169e8 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1926:3
    #22 0x7fc89881754b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1957:13
    #23 0x7fc8975eed86 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:470:16
    #24 0x7fc8975b4f43 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:754:26
    #25 0x7fc8975b2a87 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:609:15
Flags: in-testsuite?

It's possible the cairo update I'm hoping to achieve in bug 739096 might address this -- we should re-test once that is ready.

Tyson, could you confirm whether this is still an issue, or did bug 739096 fix it? Thanks!

Flags: needinfo?(twsmith)

Looks fixed to me. I am not able to reproduce with the attached test case. It was last reported by fuzzers running m-c 20210420-a916ade0ae29.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED

Is this testcase still worth landing?

Assignee: nobody → jfkthame
Group: gfx-core-security → core-security-release
Depends on: 739096
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+
Whiteboard: [adv-main90+r]
Group: core-security-release

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211123033957-ba4d4963c38b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:jfkthame, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(jfkthame)

AFAICS this wasn't a regression, just an old bug the fuzzers found.

Flags: needinfo?(jfkthame)