Bug 753230 - Graphite 2 crash [@graphite2::Silf::readClassMap]
Status: VERIFIED FIXED
Whiteboard: [asan][sg:high][advisory-tracking+]
Keywords: crash, sec-high, testcase
Product: Core
Classification: Components
Component: Graphics
Version: Trunk
Platform: x86_64 Mac OS X
Priority: --
Severity: critical
Target Milestone: mozilla15
Assigned To: Jonathan Kew (:jfkthame)
Blocks: fuzzing-fonts
Tracking: fixed / unaffected
Reported: 2012-05-08 20:30 PDT by Christoph Diehl [:posidron]
Modified: 2012-10-25 17:57 PDT

Attachments
testcase (34.05 KB, application/zip), 2012-05-08 20:30 PDT, Christoph Diehl [:posidron]
callstack (6.76 KB, text/plain), 2012-05-08 20:30 PDT, Christoph Diehl [:posidron]
patch, update graphite2 to upstream rev 978:c418207451a7 (12.49 KB, patch), 2012-05-18 09:31 PDT, Jonathan Kew (:jfkthame), jd.bugzilla: review+

Description Christoph Diehl [:posidron] 2012-05-08 20:30:24 PDT
Created attachment 622274: testcase
Comment 1 Christoph Diehl [:posidron] 2012-05-08 20:30:45 PDT
Created attachment 622275: callstack
Comment 2 martin_hosken 2012-05-09 02:09:34 PDT
now fixed in repo. Thanks. BTW I would class all the bugs found so far as impossible to exploit for security purposes. Most have been off by 1 type errors.
Comment 3 Christoph Diehl [:posidron] 2012-05-09 04:56:30 PDT
Off-by-N does not classify bugs which are impossible to exploit.
Comment 4 Daniel Veditz [:dveditz] 2012-05-09 10:31:40 PDT
(In reply to martin_hosken from comment #2)
> now fixed in repo. 

Whose repo? Upstream? mozilla-central? What steps stand between now and this bug being fixed in a mozilla-central release, and who should be assigned to do it?

Looks like there's only 8 lines between the alloc and bad read. Is the bad read only in the loop checking the invariants being off, but everywhere else gets the math right? Or is it trusting the data and somewhere else does, too? Somewhere between there is the difference between exploitable and not, so I guess we wait to see the patch before we can classify things for sure.
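The distinction comment 4 draws, between a length check that is simply off by one and a reader that trusts the data outright, can be made concrete with a small constructed example. The C below is added here and is not graphite2's code or the patch for this bug; the table layout (a count, an offset array with a sentinel entry, then glyph IDs), the function names and the sample bytes are all hypothetical. It shows a header check that sizes the offset array one entry short, the corrected check, and a reader that also validates every offset before dereferencing it, so a truncated or out-of-range table is rejected rather than read past its end:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of an off-by-one in a bounds check on an untrusted
 * font table. The layout, names and sample bytes are hypothetical; this is
 * NOT graphite2's Silf class map or the code fixed in bug 753230.
 *
 *   u16 numClasses
 *   u16 off[numClasses + 1]  big-endian byte offsets from the table start;
 *                            class i covers bytes [off[i], off[i+1])
 *   u16 glyph[]              glyph IDs, two bytes each
 */

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Buggy header check: sizes the offset array at numClasses entries even though
 * the reader also needs the sentinel off[numClasses]. A table truncated by one
 * u16 passes, and the reader's final off[i + 1] would then land past len. */
int header_ok_buggy(const uint8_t *data, size_t len)
{
    if (len < 2)
        return 0;
    size_t n = be16(data);
    return 2 + n * 2 <= len; /* off by one: should be (n + 1) * 2 */
}

/* Fixed header check: accounts for the sentinel offset. */
int header_ok_fixed(const uint8_t *data, size_t len)
{
    if (len < 2)
        return 0;
    size_t n = be16(data);
    return 2 + (n + 1) * 2 <= len;
}

/* Reader that uses the fixed check and additionally validates every offset it
 * dereferences: each class range must be monotone, even-sized and inside the
 * table. Returns the sum of all glyph IDs, or -1 if the table is malformed. */
long sum_class_glyphs(const uint8_t *data, size_t len)
{
    if (!header_ok_fixed(data, len))
        return -1;
    size_t n = be16(data);
    const uint8_t *off = data + 2;
    long total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t start = be16(off + 2 * i);
        size_t end = be16(off + 2 * (i + 1)); /* reads the sentinel when i == n - 1 */
        if (start > end || end > len || (end - start) % 2 != 0)
            return -1;
        for (size_t g = start; g < end; g += 2)
            total += be16(data + g);
    }
    return total;
}

/* Constructed samples (not from the testcase attached to this bug). */
/* Two classes: class 0 = glyphs 10, 11; class 1 = glyph 12. */
static const uint8_t GOOD[] = {
    0x00, 0x02,                         /* numClasses = 2 */
    0x00, 0x08, 0x00, 0x0C, 0x00, 0x0E, /* off[0], off[1], off[2] (sentinel) */
    0x00, 0x0A, 0x00, 0x0B, 0x00, 0x0C  /* glyph IDs */
};
/* GOOD cut after off[1]: the sentinel is missing. */
static const uint8_t TRUNCATED[] = { 0x00, 0x02, 0x00, 0x08, 0x00, 0x0C };
/* One class whose end offset (0x20) points past the 8-byte table. */
static const uint8_t BAD_OFFSET[] = { 0x00, 0x01, 0x00, 0x06, 0x00, 0x20, 0x00, 0x05 };

int main(void)
{
    printf("buggy check accepts truncated table: %d\n",
           header_ok_buggy(TRUNCATED, sizeof TRUNCATED));
    printf("fixed check accepts truncated table: %d\n",
           header_ok_fixed(TRUNCATED, sizeof TRUNCATED));
    printf("sum over GOOD: %ld\n", sum_class_glyphs(GOOD, sizeof GOOD));
    printf("sum over BAD_OFFSET: %ld\n", sum_class_glyphs(BAD_OFFSET, sizeof BAD_OFFSET));
    return 0;
}
```

The point of the two validators is the one comment 4 is after: with the buggy check, the only bad access is the final sentinel read, two bytes past the validated region, which is the kind of defect that reads as an off-by-one in the invariant loop. The reader's per-offset checks are what keep an attacker-chosen offset from turning the same parser into an arbitrary out-of-bounds read, which is the case where the data is trusted rather than merely mis-measured.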
Comment 5 Jonathan Kew (:jfkthame) 2012-05-09 11:29:27 PDT
He means it's fixed in the upstream graphite repository. I'll take care of getting the patch into mozilla-central within a few days, unless someone else jumps in first.
Comment 6 David Bolter [:davidb] 2012-05-17 13:34:20 PDT
Jonathan, friendly ping :)
Comment 7 Jonathan Kew (:jfkthame) 2012-05-18 09:31:59 PDT
Created attachment 625139: patch, update graphite2 to upstream rev 978:c418207451a7

This is to pick up the most recent fuzzbug-fixes from upstream, specifically this issue and bug 753623.

Tryserver build at https://tbpl.mozilla.org/?tree=Try&rev=4a8f82ece1ed confirms that it still builds happily.
Comment 9 Ed Morley [:emorley] 2012-05-22 06:51:34 PDT
https://hg.mozilla.org/mozilla-central/rev/de36859eb332