Closed Bug 753230 Opened 12 years ago Closed 12 years ago

Graphite 2 crash [@graphite2::Silf::readClassMap]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla15
Tracking Status
firefox15 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-high, testcase, Whiteboard: [asan][sg:high][advisory-tracking+])

Attachments

(3 files)

Attached file testcase
      No description provided.
Attached file callstack
now fixed in repo. Thanks. BTW I would class all the bugs found so far as impossible to exploit for security purposes. Most have been off by 1 type errors.
Off-by-N does not classify bugs which are impossible to exploit.
(In reply to martin_hosken from comment #2)
> now fixed in repo. 

Whose repo? Upstream? mozilla-central? What steps stand between now and this bug being fixed in a mozilla-central release, and who should be assigned to do it?

Looks like there's only 8 lines between the alloc and bad read. Is the bad read only in the loop checking the invariants being off, but everywhere else gets the math right? Or is it trusting the data and somewhere else does, too? Somewhere between there is the difference between exploitable and not, so I guess we wait to see the patch before we can classify things for sure.
Keywords: sec-high
Whiteboard: [asan][sec-critical] → [asan][sg:high]
He means it's fixed in the upstream graphite repository. I'll take care of getting the patch into mozilla-central within a few days, unless someone else jumps in first.
Jonathan, friendly ping :)
This is to pick up the most recent fuzzbug-fixes from upstream, specifically this issue and bug 753623.

Tryserver build at https://tbpl.mozilla.org/?tree=Try&rev=4a8f82ece1ed confirms that it still builds happily.
Assignee: nobody → jfkthame
Attachment #625139 - Flags: review?(jdaggett)
Attachment #625139 - Flags: review?(jdaggett) → review+
https://hg.mozilla.org/mozilla-central/rev/de36859eb332
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Whiteboard: [asan][sg:high] → [asan][sg:high][advisory-tracking+]
Group: core-security
You need to log in before you can comment on or make changes to this bug.