Malformed Silf table in Graphite leads to crash [@graphite2::vm::Code::release_buffers]

RESOLVED FIXED

Type: defect
Priority: --
Severity: critical
Opened: 8 years ago
Last updated: 7 years ago

Reporter: posidron
Assignee: Unassigned

Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Hardware: x86_64
OS: macOS

Firefox Tracking Flags: firefox6 unaffected, firefox7- unaffected, firefox8- unaffected, firefox9- unaffected, firefox10+ verified, firefox-esr10 unaffected

Whiteboard: [sg:critical?][qa!]
Attachments: 2

Description (posidron, 8 years ago):
Posted file: testcase
No description provided.
Comment 1 (posidron, 8 years ago):
Posted file: callstack
Updated by posidron, 8 years ago:
Blocks: 681976

Comment 2 (8 years ago):
Fixed in repo. Thanks for finding a class of bug we hadn't checked for in our fuzz testing. Running a long fuzz test in that area now to flush out any more.
This fix is included in the latest version of the graphite2 code in bug 631479 part 1 (attachment 556272).
Depends on: 631479
Whiteboard: [sg:critical?]
Given comment 3, should we mark this bug "fixed" then? It's not actually in the Firefox product and now won't be.

Marking "fixed" as per comments 3 and 4 - the bug never actually landed in our tree, and is now fixed upstream and in our under-review patch.

Not sure why this is marked as "status-firefox9: affected", therefore?

Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] → [sg:critical?][qa+]
No crash in 10.0b2 on Mac OS X.

As I understand it, there's no prior build in which to observe the crash, so marking verified in Fx 10 and closing out the QA verification flag.

Whiteboard: [sg:critical?][qa+] → [sg:critical?][qa!]
Group: core-security
Updated by posidron, 7 years ago.