Closed
Bug 753230
Opened 13 years ago
Closed 13 years ago
Graphite 2 crash [@graphite2::Silf::readClassMap]
Categories
(Core :: Graphics, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
| Tracking | Status
---|---|---
firefox15 | --- | fixed
firefox-esr10 | --- | unaffected
People
(Reporter: posidron, Assigned: jfkthame)
References
(Blocks 1 open bug)
Details
(Keywords: crash, sec-high, testcase, Whiteboard: [asan][sg:high][advisory-tracking+])
Attachments
(3 files)
No description provided.
Reporter
Comment 1•13 years ago
Comment 2•13 years ago
Now fixed in repo. Thanks. BTW, I would class all the bugs found so far as impossible to exploit for security purposes. Most have been off-by-1 type errors.
Reporter
Comment 3•13 years ago
Off-by-N does not classify bugs which are impossible to exploit.
Comment 4•13 years ago
(In reply to martin_hosken from comment #2)
> now fixed in repo.
Whose repo? Upstream? mozilla-central? What steps stand between now and this bug being fixed in a mozilla-central release, and who should be assigned to do it?
Looks like there's only 8 lines between the alloc and bad read. Is the bad read only in the loop checking the invariants being off, but everywhere else gets the math right? Or is it trusting the data and somewhere else does, too? Somewhere between there is the difference between exploitable and not, so I guess we wait to see the patch before we can classify things for sure.
Keywords: sec-high
Whiteboard: [asan][sec-critical] → [asan][sg:high]
Assignee
Comment 5•13 years ago
He means it's fixed in the upstream graphite repository. I'll take care of getting the patch into mozilla-central within a few days, unless someone else jumps in first.
Comment 6•13 years ago
Jonathan, friendly ping :)
Assignee
Comment 7•13 years ago
This is to pick up the most recent fuzzbug-fixes from upstream, specifically this issue and bug 753623.
Tryserver build at https://tbpl.mozilla.org/?tree=Try&rev=4a8f82ece1ed confirms that it still builds happily.
Assignee: nobody → jfkthame
Attachment #625139 - Flags: review?(jdaggett)
Updated•13 years ago
Attachment #625139 - Flags: review?(jdaggett) → review+
Assignee
Comment 8•13 years ago
Target Milestone: --- → mozilla15
Comment 9•13 years ago
Updated•13 years ago
status-firefox-esr10: --- → unaffected
Reporter
Updated•12 years ago
Status: RESOLVED → VERIFIED
Updated•12 years ago
Whiteboard: [asan][sg:high] → [asan][sg:high][advisory-tracking+]
Updated•12 years ago
Group: core-security