Last Comment Bug 752662 - Graphite 2 use-after-free crash
: Graphite 2 use-after-free crash
: crash, csectype-uaf, sec-high, testcase
Product: Core
Classification: Components
Component: Graphics (show other bugs)
: Trunk
: x86_64 Mac OS X
-- critical (vote)
: mozilla15
Assigned To: Jonathan Kew (:jfkthame)
: Milan Sreckovic [:milan]
Depends on:
Blocks: fuzzing-fonts
  Show dependency treegraph
Reported: 2012-05-07 13:32 PDT by Christoph Diehl [:posidron]
Modified: 2016-12-01 13:31 PST (History)
5 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (32.25 KB, application/zip)
2012-05-07 13:32 PDT, Christoph Diehl [:posidron]
no flags Details
callstack (11.18 KB, text/plain)
2012-05-07 13:32 PDT, Christoph Diehl [:posidron]
no flags Details
patch, cherry-pick fix from graphite repository (1.28 KB, patch)
2012-05-08 01:32 PDT, Jonathan Kew (:jfkthame)
jd.bugzilla: review+
akeybl: approval‑mozilla‑aurora+
Details | Diff | Splinter Review

Description User image Christoph Diehl [:posidron] 2012-05-07 13:32:10 PDT
Created attachment 621710 [details]

The testcase is reproducible with a ASAN enabled build. If necessary, reload the testcase a few times. 

If you have not a ASAN enabled build yet, follow the instructions described here:
Comment 1 User image Christoph Diehl [:posidron] 2012-05-07 13:32:38 PDT
Created attachment 621711 [details]
Comment 2 User image martin_hosken 2012-05-07 19:51:17 PDT
Fixed in repo. Keep 'em coming :)
Comment 3 User image Jonathan Kew (:jfkthame) 2012-05-08 01:32:50 PDT
Created attachment 621912 [details] [diff] [review]
patch, cherry-pick fix from graphite repository
Comment 5 User image Ed Morley [:emorley] 2012-05-10 07:37:14 PDT
Comment 6 User image Alex Keybl [:akeybl] 2012-05-10 16:36:54 PDT
Is the ESR10 branch affected by this sg:high?
Comment 7 User image Jonathan Kew (:jfkthame) 2012-05-10 23:46:55 PDT
No; the graphite lib isn't present there.
Comment 8 User image Al Billings [:abillings] 2012-05-14 13:52:03 PDT
Verified fixed in my May 10 post-fix ASAN build on OS X.
Comment 9 User image Daniel Veditz [:dveditz] 2012-05-17 17:03:33 PDT
If we have graphite2 in Firefox 13 we need to uplift this patch.
Comment 10 User image Jonathan Kew (:jfkthame) 2012-05-18 09:26:28 PDT
Comment on attachment 621912 [details] [diff] [review]
patch, cherry-pick fix from graphite repository

[Approval Request Comment]
Bug caused by (feature/regressing bug #): graphite font-shaping library

User impact if declined: users who enable graphite may be vulnerable to a crash caused by a malicious/buggy font

Testing completed (on m-c, etc.): see comment #8

Risk to taking this patch (and alternatives if risky): minimal risk, just adds a missing bounds check

String or UUID changes made by this patch: none

Nominating this for aurora (14) on the basis of comment #9.

The patch here doesn't apply to beta (13), because we took a complete graphite refresh for mozilla-14 in bug 746975.

IMO, the security concern here is relatively minor, given that graphite is preffed off by default and only likely to be enabled by a small minority of users with a specific interest in trying it (primarily for "exotic" writing systems). I see no point in trying to backport just this specific patch to the mozilla-13 version; if we're sufficiently concerned about it, we should backport the complete graphite update (but personally I don't think it is important to do so for a preffed-off feature).
Comment 11 User image Alex Keybl [:akeybl] 2012-05-18 15:53:10 PDT
Comment on attachment 621912 [details] [diff] [review]
patch, cherry-pick fix from graphite repository

[Triage Comment]
Approving for Aurora 14 given the sg:high rating.
Comment 12 User image Jonathan Kew (:jfkthame) 2012-05-19 00:59:40 PDT
Transplanted to aurora:

Note You need to log in before you can comment on or make changes to this bug.