AddressSanitizer: heap-buffer-overflow [@ mozilla::gfx::COLRFonts::ValidateColorGlyphs] with READ of size 2
Categories: Core :: Graphics: Text, defect

Tracking:

| Version | Tracking | Status |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | unaffected |
| firefox103 | --- | unaffected |
| firefox104 | --- | unaffected |
| firefox105 | --- | fixed |

People: Reporter: decoder, Assigned: jfkthame

References: Regression

Details: 4 keywords, Whiteboard: [post-critsmash-triage]

Attachments: 3 files
The attached testcase crashes on mozilla-central revision e3a7da368f41+.
Backtrace:
==20242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900005e27a at pc 0x7fd53c5bd3fe bp 0x7ffcc84e65b0 sp 0x7ffcc84e65a8
READ of size 2 at 0x62900005e27a thread T0
#0 0x7fd53c5bd3fd in operator unsigned int gfx/thebes/gfxFontUtils.h:526:53
#1 0x7fd53c5bd3fd in mozilla::gfx::COLRFonts::ValidateColorGlyphs(hb_blob_t*, hb_blob_t*) gfx/thebes/COLRFonts.cpp:1989:22
#2 0x7fd536f4b47c in FuzzingRunCOLRv1(unsigned char const*, unsigned long) gfx/tests/fuzz/TestCOLRv1.cpp:46:8
#3 0x560db1539dae in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
[...]
#13 0x560db1271e78 in _start (objdir-ff-asan-fuzzing/dist/bin/firefox+0xbbe78) (BuildId: 5bdbbc17f615a2048cb00b9001dc6d3a68c1318f)
SUMMARY: AddressSanitizer: heap-buffer-overflow gfx/thebes/gfxFontUtils.h:526:53 in operator unsigned int
Shadow bytes around the buggy address:
0x0c5280003c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280003c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]
0x0c5280003c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
==20242==ABORTING
To reproduce the issue, perform the following steps:
- Download the attached testcase, save as "test.bin".
- Apply patch from bug 1785991 and build with `--enable-fuzzing` (requires Clang and ASan, also build gtests using `./mach gtest dontruntests`).
- Run `FUZZER=GfxCOLRv1 objdir/dist/bin/firefox test.bin`
Comment 1•2 years ago (Reporter)

Comment 2•2 years ago (Reporter)

Comment 3•2 years ago (Assignee)
This is a regression from part of bug 1740530 (prior to that, we didn't check these indices at all). Fortunately it's relatively low-impact in that we don't actually use the values for anything yet (as CSS font-palette support isn't implemented), so I think the worst that can happen is a potential segfault due to the out-of-bounds read during validation.
Comment 4•2 years ago (Assignee)

Comment 5•2 years ago
I'll mark it sec-moderate, though maybe that's too high of a rating.
Comment 6•2 years ago
Check palette indices array size. r=gfx-reviewers,lsalzman
https://hg.mozilla.org/integration/autoland/rev/c9c314795ae822a3034f4626feafe2a65968e461
https://hg.mozilla.org/mozilla-central/rev/c9c314795ae8
Comment 7•2 years ago (Assignee)
It wasn't actually correct to mark this as "disabled" for 105, as even though COLRv1 support is disabled there, the CPAL table is also used as part of the existing COLR (v0) support. So this issue did potentially affect 105. (It didn't affect earlier versions, as the problematic piece of CPAL validation was only just added.)
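As an added illustration (not Firefox's code), here is a minimal C++ check of a CPAL header that performs the bounds check the fix describes: the colorRecordIndices array must lie inside the table blob before any index is read, and each palette's record range must fit within numColorRecords. The field layout follows the public OpenType CPAL specification; the sample blobs and the function names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// OpenType tables are big-endian; read one uint16 without alignment assumptions.
static uint16_t ReadU16(const uint8_t* p) {
    return static_cast<uint16_t>((p[0] << 8) | p[1]);
}

// Validate a CPAL header and its colorRecordIndices array.
// Layout: version, numPaletteEntries, numPalettes, numColorRecords (uint16 each),
// colorRecordsArrayOffset (uint32), then colorRecordIndices[numPalettes] (uint16).
// Returns true only if every field read lies inside the blob and every palette's
// range of color records fits within numColorRecords.
bool ValidateCPAL(const uint8_t* data, size_t len) {
    const size_t kHeaderLen = 12;
    if (len < kHeaderLen) return false;
    uint16_t numPaletteEntries = ReadU16(data + 2);
    uint16_t numPalettes = ReadU16(data + 4);
    uint16_t numColorRecords = ReadU16(data + 6);
    // The check the bug was missing: the indices array must fit in the blob
    // before it is dereferenced. numPalettes <= 65535, so this cannot overflow.
    size_t indicesEnd = kHeaderLen + size_t(numPalettes) * 2;
    if (indicesEnd > len) return false;
    for (uint16_t i = 0; i < numPalettes; ++i) {
        uint16_t first = ReadU16(data + kHeaderLen + size_t(i) * 2);
        // Each palette covers numPaletteEntries records starting at `first`.
        if (size_t(first) + numPaletteEntries > numColorRecords) return false;
    }
    return true;
}

bool ValidateCPALBlob(const std::vector<uint8_t>& blob) {
    return ValidateCPAL(blob.data(), blob.size());
}

// Constructed sample: header claims 100 palettes but the blob ends after the
// 12-byte header. Without the size check the loop reads 200 bytes past the end.
std::vector<uint8_t> MakeTruncatedCPAL() {
    return {0x00,0x00, 0x00,0x02, 0x00,0x64, 0x00,0x02, 0x00,0x00,0x00,0x0e};
}

// Constructed sample: one palette of two entries, two color records, index 0.
std::vector<uint8_t> MakeValidCPAL() {
    return {0x00,0x00, 0x00,0x02, 0x00,0x01, 0x00,0x02, 0x00,0x00,0x00,0x0e,
            0x00,0x00};
}
```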