Bug 752662 - Graphite 2 use-after-free crash
Status: Closed, VERIFIED FIXED (target milestone: mozilla15)
Opened 13 years ago; closed 13 years ago
Categories: Core :: Graphics, defect
People: Reporter: posidron; Assigned: jfkthame
References: Blocks 1 open bug
Details: 4 keywords; Whiteboard: [asan][sg:high][advisory-tracking+]
Attachments: 3 files
Attachment 1: 32.25 KB, application/zip
Attachment 2: 11.18 KB, text/plain
Attachment 3: 1.28 KB, patch (jtd: review+; akeybl: approval-mozilla-aurora+)
The testcase is reproducible with an ASAN-enabled build. If necessary, reload the testcase a few times.
If you do not have an ASAN-enabled build yet, follow the instructions described here: https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer
Comment 1 (Reporter) • 13 years ago
Comment 2 • 13 years ago
Fixed in repo. Keep 'em coming :)
Comment 3 (Assignee) • 13 years ago
Attachment #621912 - Flags: review?(jdaggett)
Updated • 13 years ago
Attachment #621912 - Flags: review?(jdaggett) → review+
Comment 4 (Assignee) • 13 years ago
Target Milestone: --- → mozilla15
Comment 5 • 13 years ago
Assignee: nobody → jfkthame
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox15: --- → fixed
Resolution: --- → FIXED
Comment 6 • 13 years ago
Is the ESR10 branch affected by this sg:high?
Comment 7 (Assignee) • 13 years ago
No; the graphite lib isn't present there.
Comment 8 • 13 years ago
Verified fixed in my May 10 post-fix ASAN build on OS X.
Status: RESOLVED → VERIFIED
Comment 9 • 13 years ago
If we have graphite2 in Firefox 13 we need to uplift this patch.
status-firefox-esr10: --- → unaffected
status-firefox13: --- → affected
status-firefox14: --- → affected
tracking-firefox13: --- → +
tracking-firefox14: --- → +
Comment 10 (Assignee) • 13 years ago
Comment on attachment 621912 [details] [diff] [review]
patch, cherry-pick fix from graphite repository
[Approval Request Comment]
Bug caused by (feature/regressing bug #): graphite font-shaping library
User impact if declined: users who enable graphite may be vulnerable to a crash caused by a malicious/buggy font
Testing completed (on m-c, etc.): see comment #8
Risk to taking this patch (and alternatives if risky): minimal risk, just adds a missing bounds check
String or UUID changes made by this patch: none
Nominating this for aurora (14) on the basis of comment #9.
The patch here doesn't apply to beta (13), because we took a complete graphite refresh for mozilla-14 in bug 746975.
IMO, the security concern here is relatively minor, given that graphite is preffed off by default and only likely to be enabled by a small minority of users with a specific interest in trying it (primarily for "exotic" writing systems). I see no point in trying to backport just this specific patch to the mozilla-13 version; if we're sufficiently concerned about it, we should backport the complete graphite update (but personally I don't think it is important to do so for a preffed-off feature).
Attachment #621912 - Flags: approval-mozilla-aurora?
Comment 11 • 13 years ago
Comment on attachment 621912 [details] [diff] [review]
patch, cherry-pick fix from graphite repository
[Triage Comment]
Approving for Aurora 14 given the sg:high rating.
Attachment #621912 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 12 (Assignee) • 13 years ago
Transplanted to aurora:
https://hg.mozilla.org/releases/mozilla-aurora/rev/9e96c2d39ced
Updated (Assignee) • 13 years ago
Updated • 12 years ago
Whiteboard: [asan][sg:high] → [asan][sg:high][advisory-tracking+]
Updated • 12 years ago
Group: core-security
Updated • 8 years ago
Keywords: csectype-uaf