Created attachment 622274 [details]
Created attachment 622275 [details]
now fixed in repo. Thanks. BTW I would class all the bugs found so far as impossible to exploit for security purposes. Most have been off by 1 type errors.
Off-by-N does not classify bugs which are impossible to exploit.
(In reply to martin_hosken from comment #2)
> now fixed in repo.
Whose repo? Upstream? mozilla-central? What steps stand between now and this bug being fixed in a mozilla-central release, and who should be assigned to do it?
Looks like there's only 8 lines between the alloc and bad read. Is the bad read only in the loop checking the invariants being off, but everywhere else gets the math right? Or is it trusting the data and somewhere else does, too? Somewhere between there is the difference between exploitable and not, so I guess we wait to see the patch before we can classify things for sure.
He means it's fixed in the upstream graphite repository. I'll take care of getting the patch into mozilla-central within a few days, unless someone else jumps in first.
Jonathan, friendly ping :)
Created attachment 625139 [details] [diff] [review]
patch, update graphite2 to upstream rev 978:c418207451a7
This is to pick up the most recent fuzzbug-fixes from upstream, specifically this issue and bug 753623.
Tryserver build at https://tbpl.mozilla.org/?tree=Try&rev=4a8f82ece1ed confirms that it still builds happily.