Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security
Heap-buffer-overflow in _HB_GDEF_Check_Property
Project Member Reported by infe...@chromium.org, Oct 5 2012
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=120681600

Fuzzer: Cris_inferno_crash_url

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x7f8a0f319b30
Crash State:
  - crash stack -
  _HB_GDEF_Check_Property
  GPOS_Do_Glyph_Lookup
  HB_GPOS_Apply_String
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114961:114982

Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97AYHjuemm_8l401J6x8FFmbHjSeH5ULMsHXInreeSrvibeOHC5YmMAyaSwecAt5SaznvJ2axSXLwts0mXkGYsSAHxibCxKd7hquED_cLvmtujX86GcpqTnoyCZF9mp71ykgnFLMtNMS3dHMy0Uz6tQcTfIx-NlpoRjgvd1MWBrJKJQf6s
 
Owner: bashi@chromium.org
Status: Assigned
Project Member Comment 2 by clusterf...@chromium.org, Oct 13 2012
ClusterFuzz has detected this issue as fixed in range 161671:161683.
Fixed: https://cluster-fuzz.appspot.com/revisions?range=161671:161683

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97AYHjuemm_8l401J6x8FFmbHjSeH5ULMsHXInreeSrvibeOHC5YmMAyaSwecAt5SaznvJ2axSXLwts0mXkGYsSAHxibCxKd7hquED_cLvmtujX86GcpqTnoyCZF9mp71ykgnFLMtNMS3dHMy0Uz6tQcTfIx-NlpoRjgvd1MWBrJKJQf6s

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: Merge-Approved
Status: FixUnreleased
Looks like the switch to harfbuzz-ng fixed it: https://trac.webkit.org/changeset/131134/. Will it be easy to merge to m23, Kenichi?
Comment 4 by bashi@chromium.org, Oct 15 2012
This should be fixed by the switch, but I think it's hard to merge to m23 because another 10+ patches would also have to be merged. This transition affects complex text rendering, so I'd like to handle it carefully.

Labels: -Restrict-View-SecurityTeam -Mstone-22 -Merge-Approved Restrict-View-SecurityNotify Mstone-24
M24 seems fine, then. Tagging accordingly.
Labels: Release-0
Comment 7 by jsc...@chromium.org, Dec 20 2012
Status: Fixed
Labels: CVE-2013-0834
Project Member Comment 9 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -SecImpacts-Stable -Mstone-24 -SecImpacts-Beta -Stability-AddressSanitizer Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-24 Performance-Memory-AddressSanitizer
Labels: -Restrict-View-SecurityNotify
Project Member Comment 11 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 12 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 13 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 14 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 15 by bugdroid1@chromium.org, Apr 5 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 16 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 17 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 18 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic