Closed Bug 1786002 Opened 1 year ago Closed 1 year ago

AddressSanitizer: heap-buffer-overflow [@ mozilla::gfx::COLRFonts::ValidateColorGlyphs] with READ of size 2


(Core :: Graphics: Text, defect)




105 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 --- fixed


(Reporter: decoder, Assigned: jfkthame)




(4 keywords, Whiteboard: [post-critsmash-triage])


(3 files)

The attached testcase crashes on mozilla-central revision e3a7da368f41+.


==20242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900005e27a at pc 0x7fd53c5bd3fe bp 0x7ffcc84e65b0 sp 0x7ffcc84e65a8
READ of size 2 at 0x62900005e27a thread T0
    #0 0x7fd53c5bd3fd in operator unsigned int gfx/thebes/gfxFontUtils.h:526:53
    #1 0x7fd53c5bd3fd in mozilla::gfx::COLRFonts::ValidateColorGlyphs(hb_blob_t*, hb_blob_t*) gfx/thebes/COLRFonts.cpp:1989:22
    #2 0x7fd536f4b47c in FuzzingRunCOLRv1(unsigned char const*, unsigned long) gfx/tests/fuzz/TestCOLRv1.cpp:46:8
    #3 0x560db1539dae in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
    #13 0x560db1271e78 in _start (objdir-ff-asan-fuzzing/dist/bin/firefox+0xbbe78) (BuildId: 5bdbbc17f615a2048cb00b9001dc6d3a68c1318f)

SUMMARY: AddressSanitizer: heap-buffer-overflow gfx/thebes/gfxFontUtils.h:526:53 in operator unsigned int
Shadow bytes around the buggy address:
  0x0c5280003c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280003c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]
  0x0c5280003c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
  2. Apply patch from bug 1785991 and build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
  3. Run FUZZER=GfxCOLRv1 objdir/dist/bin/firefox test.bin

Attached file Testcase
Group: core-security → gfx-core-security
Component: General → Graphics: Text

This is a regression from part of bug 1740530 (prior to that, we didn't check these indices at all). Fortunately it's relatively low-impact in that we don't actually use the values for anything yet (as CSS font-palette support isn't implemented), so I think the worst that can happen is a potential segfault due to the out-of-bounds read during validation.

Assignee: nobody → jfkthame
Attachment #9290622 - Attachment description: Bug 1786002 - Check bounds of palette indices array. r=#gfx-reviewers → Bug 1786002 - Check palette indices array size. r=#gfx-reviewers
Blocks: 1740525
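
The kind of check the patch title describes ("Check palette indices array size"), as an added example that is not part of this bug or of the Gecko patch: a stand-alone validator for a CPAL version 0 header, assuming the table layout given in the OpenType specification. `ValidateCPAL`, `SampleCPAL` and the sample bytes are hypothetical names and constructed data.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Big-endian readers; callers must bounds-check before calling.
static uint16_t ReadU16(const uint8_t* p, size_t off) {
  return static_cast<uint16_t>((p[off] << 8) | p[off + 1]);
}
static uint32_t ReadU32(const uint8_t* p, size_t off) {
  return (uint32_t(ReadU16(p, off)) << 16) | ReadU16(p, off + 2);
}

constexpr size_t kHeaderSize = 12;      // CPAL v0 fixed header
constexpr size_t kColorRecordSize = 4;  // one BGRA record

// Hypothetical validator (not Gecko's code): true only if every field read,
// and every palette described, lies inside the `length` bytes of the table.
bool ValidateCPAL(const uint8_t* data, size_t length) {
  if (length < kHeaderSize) return false;
  const uint16_t numPaletteEntries = ReadU16(data, 2);
  const uint16_t numPalettes = ReadU16(data, 4);
  const uint16_t numColorRecords = ReadU16(data, 6);
  const uint32_t colorRecordsOffset = ReadU32(data, 8);

  // colorRecordIndices[numPalettes] follows the header. Its size comes from
  // the font, so confirm the array fits before reading any element.
  if (length - kHeaderSize < size_t(numPalettes) * sizeof(uint16_t)) return false;

  // The color record array must fit too; 64-bit math avoids wraparound.
  if (uint64_t(colorRecordsOffset) +
      uint64_t(numColorRecords) * kColorRecordSize > length) return false;

  // Each palette's slice [first, first + numPaletteEntries) must exist.
  for (size_t i = 0; i < numPalettes; ++i) {
    const uint32_t first = ReadU16(data, kHeaderSize + i * sizeof(uint16_t));
    if (first + numPaletteEntries > numColorRecords) return false;
  }
  return true;
}

// Constructed sample: 1 palette of 2 entries, 2 color records at offset 14.
std::vector<uint8_t> SampleCPAL() {
  return {0, 0,  0, 2,  0, 1,  0, 2,  0, 0, 0, 14,  // header
          0, 0,                                     // colorRecordIndices[0]
          0, 0, 255, 255,  255, 0, 0, 255};         // two BGRA records
}
```

A table whose `numPalettes` field claims more index entries than the blob holds is rejected before the loop runs, which is the condition that otherwise produces a 2-byte read past the end of the heap buffer.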

I'll mark it sec-moderate, though maybe that's too high of a rating.

Group: gfx-core-security → core-security-release
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch

It wasn't actually correct to mark this as "disabled" for 105, as even though COLRv1 support is disabled there, the CPAL table is also used as part of the existing COLR (v0) support. So this issue did potentially affect 105. (It didn't affect earlier versions, as the problematic piece of CPAL validation was only just added.)

Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release