Closed
Bug 1358551
(CVE-2017-7777)
Opened 7 years ago
Closed 7 years ago
Graphite2: use of uninitialized memory [@ graphite2::GlyphCache::Loader::read_glyph]
Categories
(Core :: Graphics: Text, defect)
Core
Graphics: Text
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: tsmith, Assigned: jfkthame)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uninitialized, sec-high, testcase, Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])
Attachments
(3 files)
|
323.50 KB,
application/x-font-ttf
|
Details | |
|
38.43 KB,
text/plain
|
Details | |
|
1.31 KB,
patch
|
Details | Diff | Splinter Review |
Found while fuzzing graphite commit 0646e4e The attached test cases triggers multiple instances of uninitialized memory usage. See attached log for full report. To reproduce: valgrind -q --track-origins=yes ./gr2fonttest test_case.ttf Conditional jump or move depends on uninitialised value(s) at 0x4130AB: sparse<(anonymous namespace)::_glat_iterator<unsigned short> > (Sparse.h:107) by 0x4130AB: GlyphFace<(anonymous namespace)::_glat_iterator<unsigned short> > (GlyphFace.h:74) by 0x4130AB: graphite2::GlyphCache::Loader::read_glyph(unsigned short, graphite2::GlyphFace&, int*) const (GlyphCache.cpp:423) by 0x411FD7: graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) (GlyphCache.cpp:142) by 0x40C7D1: graphite2::Face::readGlyphs(unsigned int) (Face.cpp:98) by 0x407A67: load_face (gr_face.cpp:54) by 0x407A67: gr_make_face_with_ops (gr_face.cpp:89) by 0x4089B8: gr_make_file_face (gr_face.cpp:242) by 0x405111: Parameters::testFileFont() const (gr2FontTest.cpp:639) by 0x406286: main (gr2FontTest.cpp:802) Uninitialised value was created by a heap allocation at 0x4C2DBB6: malloc (vg_replace_malloc.c:299) by 0x40DBB8: gralloc<unsigned char> (Main.h:88) by 0x40DBB8: graphite2::Face::Table::decompress() (Face.cpp:333) by 0x40D85A: graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) (Face.cpp:292) by 0x414575: graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) (GlyphCache.cpp:270) by 0x411A9F: graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) (GlyphCache.cpp:118) by 0x40C7D1: graphite2::Face::readGlyphs(unsigned int) (Face.cpp:98) by 0x407A67: load_face (gr_face.cpp:54) by 0x407A67: gr_make_face_with_ops (gr_face.cpp:89) by 0x4089B8: gr_make_file_face (gr_face.cpp:242) by 0x405111: Parameters::testFileFont() const (gr2FontTest.cpp:639) by 0x406286: main (gr2FontTest.cpp:802)
|
Reporter | |
Comment 1•7 years ago
|
||
|
||
Comment 2•7 years ago
|
||
Fixes decompressor to not copy uninitialised data. Also added some protections in read_glyph.
|
|
Reporter | |
Comment 3•7 years ago
|
||
Verified fixed in graphite-security commit bb24c61
|
Assignee | |
Comment 4•7 years ago
|
||
Should be fixed by the patch landed in bug 1349310.
Depends on: CVE-2017-7778
|
||
Comment 5•7 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #3) > Verified fixed in graphite-security commit bb24c61 (In reply to Jonathan Kew (:jfkthame) from comment #4) > Should be fixed by the patch landed in bug 1349310.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
|
||
Updated•7 years ago
|
Assignee: nobody → jfkthame
status-firefox53:
--- → wontfix
status-firefox54:
--- → fixed
status-firefox55:
--- → fixed
status-firefox-esr45:
--- → wontfix
status-firefox-esr52:
--- → fixed
Target Milestone: --- → mozilla55
|
||
Updated•7 years ago
|
Group: gfx-core-security → core-security-release
|
||
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
||
Updated•7 years ago
|
tracking-firefox-esr52:
--- → 54+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
|
|
||
Updated•7 years ago
|
Alias: CVE-2017-7777
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•