Last Comment Bug 753230 - Graphite 2 crash [@graphite2::Silf::readClassMap]
: Graphite 2 crash [@graphite2::Silf::readClassMap]
: crash, sec-high, testcase
Product: Core
Classification: Components
Component: Graphics (show other bugs)
: Trunk
: x86_64 Mac OS X
-- critical (vote)
: mozilla15
Assigned To: Jonathan Kew (:jfkthame)
: Milan Sreckovic [:milan]
Depends on:
Blocks: fuzzing-fonts
  Show dependency treegraph
Reported: 2012-05-08 20:30 PDT by Christoph Diehl [:posidron]
Modified: 2012-10-25 17:57 PDT (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (34.05 KB, application/zip)
2012-05-08 20:30 PDT, Christoph Diehl [:posidron]
no flags Details
callstack (6.76 KB, text/plain)
2012-05-08 20:30 PDT, Christoph Diehl [:posidron]
no flags Details
patch, update graphite2 to upstream rev 978:c418207451a7 (12.49 KB, patch)
2012-05-18 09:31 PDT, Jonathan Kew (:jfkthame)
jd.bugzilla: review+
Details | Diff | Splinter Review

Description User image Christoph Diehl [:posidron] 2012-05-08 20:30:24 PDT
Created attachment 622274 [details]
Comment 1 User image Christoph Diehl [:posidron] 2012-05-08 20:30:45 PDT
Created attachment 622275 [details]
Comment 2 User image martin_hosken 2012-05-09 02:09:34 PDT
now fixed in repo. Thanks. BTW I would class all the bugs found so far as impossible to exploit for security purposes. Most have been off by 1 type errors.
Comment 3 User image Christoph Diehl [:posidron] 2012-05-09 04:56:30 PDT
Off-by-N does not classify bugs which are impossible to exploit.
Comment 4 User image Daniel Veditz [:dveditz] 2012-05-09 10:31:40 PDT
(In reply to martin_hosken from comment #2)
> now fixed in repo. 

Whose repo? Upstream? mozilla-central? What steps stand between now and this bug being fixed in a mozilla-central release, and who should be assigned to do it?

Looks like there's only 8 lines between the alloc and bad read. Is the bad read only in the loop checking the invariants being off, but everywhere else gets the math right? Or is it trusting the data and somewhere else does, too? Somewhere between there is the difference between exploitable and not, so I guess we wait to see the patch before we can classify things for sure.
Comment 5 User image Jonathan Kew (:jfkthame) 2012-05-09 11:29:27 PDT
He means it's fixed in the upstream graphite repository. I'll take care of getting the patch into mozilla-central within a few days, unless someone else jumps in first.
Comment 6 User image David Bolter [:davidb] 2012-05-17 13:34:20 PDT
Jonathan, friendly ping :)
Comment 7 User image Jonathan Kew (:jfkthame) 2012-05-18 09:31:59 PDT
Created attachment 625139 [details] [diff] [review]
patch, update graphite2 to upstream rev 978:c418207451a7

This is to pick up the most recent fuzzbug-fixes from upstream, specifically this issue and bug 753623.

Tryserver build at confirms that it still builds happily.
Comment 9 User image Ed Morley [:emorley] 2012-05-22 06:51:34 PDT

Note You need to log in before you can comment on or make changes to this bug.