Bug 752662 - Graphite 2 use-after-free crash
Status: VERIFIED FIXED
Whiteboard: [asan][sg:high][advisory-tracking+]
Keywords: crash, sec-high, testcase
Product: Core
Classification: Components
Component: Graphics
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Jonathan Kew (:jfkthame)
Blocks: fuzzing-fonts
Reported: 2012-05-07 13:32 PDT by Christoph Diehl [:posidron]
Modified: 2012-07-20 18:29 PDT
Tracking flags: affected, fixed, fixed, unaffected


Attachments
testcase (32.25 KB, application/zip)
2012-05-07 13:32 PDT, Christoph Diehl [:posidron]
callstack (11.18 KB, text/plain)
2012-05-07 13:32 PDT, Christoph Diehl [:posidron]
patch, cherry-pick fix from graphite repository (1.28 KB, patch)
2012-05-08 01:32 PDT, Jonathan Kew (:jfkthame)
jd.bugzilla: review+
akeybl: approval-mozilla-aurora+

Description Christoph Diehl [:posidron] 2012-05-07 13:32:10 PDT
Created attachment 621710
testcase

The testcase is reproducible with an ASAN-enabled build. If necessary, reload the testcase a few times.

If you do not have an ASAN-enabled build yet, follow the instructions described here: https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer
Comment 1 Christoph Diehl [:posidron] 2012-05-07 13:32:38 PDT
Created attachment 621711
callstack
Comment 2 martin_hosken 2012-05-07 19:51:17 PDT
Fixed in repo. Keep 'em coming :)
Comment 3 Jonathan Kew (:jfkthame) 2012-05-08 01:32:50 PDT
Created attachment 621912
patch, cherry-pick fix from graphite repository
Comment 5 Ed Morley [:emorley] 2012-05-10 07:37:14 PDT
https://hg.mozilla.org/mozilla-central/rev/8789a1dc555d
Comment 6 Alex Keybl [:akeybl] 2012-05-10 16:36:54 PDT
Is the ESR10 branch affected by this sg:high?
Comment 7 Jonathan Kew (:jfkthame) 2012-05-10 23:46:55 PDT
No; the graphite lib isn't present there.
Comment 8 Al Billings [:abillings] 2012-05-14 13:52:03 PDT
Verified fixed in my May 10 post-fix ASAN build on OS X.
Comment 9 Daniel Veditz [:dveditz] 2012-05-17 17:03:33 PDT
If we have graphite2 in Firefox 13 we need to uplift this patch.
Comment 10 Jonathan Kew (:jfkthame) 2012-05-18 09:26:28 PDT
Comment on attachment 621912
patch, cherry-pick fix from graphite repository

[Approval Request Comment]
Bug caused by (feature/regressing bug #): graphite font-shaping library

User impact if declined: users who enable graphite may be vulnerable to a crash caused by a malicious/buggy font

Testing completed (on m-c, etc.): see comment #8

Risk to taking this patch (and alternatives if risky): minimal risk, just adds a missing bounds check

String or UUID changes made by this patch: none

Nominating this for aurora (14) on the basis of comment #9.

The patch here doesn't apply to beta (13), because we took a complete graphite refresh for mozilla-14 in bug 746975.

IMO, the security concern here is relatively minor, given that graphite is preffed off by default and only likely to be enabled by a small minority of users with a specific interest in trying it (primarily for "exotic" writing systems). I see no point in trying to backport just this specific patch to the mozilla-13 version; if we're sufficiently concerned about it, we should backport the complete graphite update (but personally I don't think it is important to do so for a preffed-off feature).
Comment 11 Alex Keybl [:akeybl] 2012-05-18 15:53:10 PDT
Comment on attachment 621912
patch, cherry-pick fix from graphite repository

[Triage Comment]
Approving for Aurora 14 given the sg:high rating.
Comment 12 Jonathan Kew (:jfkthame) 2012-05-19 00:59:40 PDT
Transplanted to aurora:
https://hg.mozilla.org/releases/mozilla-aurora/rev/9e96c2d39ced