
Issue metadata

Status: Fixed
Closed: Feb 2015
OS: All
Pri: 1
Type: Bug-Security




Global-buffer-overflow in hb_indic_get_categories

Reported by ClusterFuzz, Jan 11 2015

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4543635516293120

Fuzzer: Inferno_twister
Job Type: Linux_asan_content_shell_drt

Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x00000aec4810
Crash State:
  hb_indic_get_categories
  set_indic_properties
  setup_masks_indic
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=284099:284275

Minimized Testcase (0.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UWO0yuEPES1kTZkvYEAva3JbTNkMzi5j4lRCxRDdebtFvQ3BTjCflmKFJ5DNoZfn-MfgWeAtl0VFIxSocQKo1w5WZRRDNrelJDDYmHHk5bxKE1Uu3HJvxnxDziR1me0no5KerZkSnHe4vk18EgOUE68cNDA

Filer: inferno
 
Owner: dominik....@intel.com
Status: Assigned

Comment 2 by ClusterFuzz, Jan 11 2015

Labels: Pri-1
Labels: -Security_Impact-Head Security_Impact-Stable M-41
Based on the regression range, this seems like an old bug. I'm able to reproduce it in r297060, so changing the impact flag.
Cc: behdad@chromium.org e...@chromium.org
Behdad, could you perhaps take a look?

Comment 5 by behdad@chromium.org, Jan 18 2015

Fixed in:

  https://github.com/behdad/harfbuzz/commit/1aaa7d6799b42b392dd191d3c12011721ef99e74

We should take an update soon.  This is rather low-risk though.

Comment 6 by ClusterFuzz, Feb 8 2015

Labels: Nag
dominik.rottsches@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 7 by ClusterFuzz, Feb 14 2015

ClusterFuzz has detected this issue as fixed in range 315751:316173.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4543635516293120

Fuzzer: Inferno_twister
Job Type: Linux_asan_content_shell_drt

Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x00000aec4810
Crash State:
  hb_indic_get_categories
  set_indic_properties
  setup_masks_indic
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=284099:284275
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=315751:316173

Minimized Testcase (0.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UWO0yuEPES1kTZkvYEAva3JbTNkMzi5j4lRCxRDdebtFvQ3BTjCflmKFJ5DNoZfn-MfgWeAtl0VFIxSocQKo1w5WZRRDNrelJDDYmHHk5bxKE1Uu3HJvxnxDziR1me0no5KerZkSnHe4vk18EgOUE68cNDA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Status: Fixed

Comment 9 by ClusterFuzz, Feb 14 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-40 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: -Nag -Merge-Triage -M-40 Merge-Requested
Merge Requested to M41 (Branch 2272)
Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] No bugdroid (commit) comments found, couldn't auto-approve, needs manual review.
Labels: -Merge-Review -Hotlist-Merge-Review Merge-Approved
Merge approved for m41 branch 2272.
Labels: -M-41 -Merge-Approved M-42
punting to m42.  harfbuzz update is too big to take into M41 right before stable cut.

Ref: https://chromium.googlesource.com/chromium/src/+/11438fcb84642d9d4e03aa71d14ce0c76d6d08b2
Labels: Release-0-M42

Comment 15 by ClusterFuzz, May 23 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 16 by drott@chromium.org, Jun 12 2015

Owner: drott@chromium.org

Comment 17 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
