Bug 553761 - Crash [@ _NSLayoutTreeSetLocationForGlyphRange] with bidi <title>
Status: Closed, VERIFIED FIXED (opened 14 years ago, closed 14 years ago)
Categories: Core :: Widget: Cocoa, defect
People: Reporter: jruderman, Unassigned
Keywords: crash, testcase
Whiteboard: [sg:vector-critical (Apple)] rdar://7774779
Attachments: 2 files
Description:

Steps to reproduce:
1. Launch Firefox on Snow Leopard.
2. Load the testcase.
3. Resize the window so that the title barely fits in the window titlebar. (Or, check "Allow scripts to resize existing windows" in Firefox Preferences > Content > JavaScript, then click the button in the testcase.)

The result depends on the CPU architecture:
32-bit Firefox --> "!!! _NSLayoutTreeSetLocationForGlyphRange invalid glyph range {4294967291, 17}" on stderr or stdout. No crash.
64-bit Firefox --> Crash [@ _NSLayoutTreeSetLocationForGlyphRange] touching an invalid address such as 0x000000191c919f88.

This looks exploitable. I will report this bug to Apple as well.
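The glyph range logged on 32-bit, {4294967291, 17}, has a location of 2^32 - 5, which is the bit pattern of -5 in a 32-bit unsigned integer. The following is an added illustration (not code from this bug, from Mozilla or from Apple's AppKit, and not a model of AppKit's internal check) of why a range check written as location + length <= count gives different answers at the two pointer widths, and of the overflow-safe form that rejects such a range at either width. The glyph count of 40 is a constructed value, not one taken from the report.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* A glyph range in the shape AppKit prints it, {location, length}.
 * Both members are modelled explicitly as uint32_t or uint64_t so the
 * same check can be evaluated as a 32-bit and a 64-bit process would
 * see it. Constructed for illustration; this is not AppKit's code. */
struct range32 { uint32_t location, length; };
struct range64 { uint64_t location, length; };

/* The location in the report, 4294967291 = 2^32 - 5, is the bit pattern
 * of -5 in a 32-bit unsigned. Return that signed reading without relying
 * on an implementation-defined narrowing cast. */
static int64_t signed_reading32(uint32_t location)
{
    if (location >= UINT32_C(0x80000000))
        return (int64_t)location - ((int64_t)1 << 32);
    return (int64_t)location;
}

/* Naive bounds check: location + length <= count. On 32-bit the sum
 * wraps modulo 2^32, so a wildly out-of-range location can pass. */
static bool range_ok_naive32(struct range32 r, uint32_t glyph_count)
{
    return r.location + r.length <= glyph_count;
}

static bool range_ok_naive64(struct range64 r, uint64_t glyph_count)
{
    return r.location + r.length <= glyph_count;
}

/* Overflow-safe check: never form location + length; compare the
 * location against the room that remains after the length instead.
 * Rejects the bad range at either width. */
static bool range_ok_safe32(struct range32 r, uint32_t glyph_count)
{
    return r.length <= glyph_count && r.location <= glyph_count - r.length;
}

static bool range_ok_safe64(struct range64 r, uint64_t glyph_count)
{
    return r.length <= glyph_count && r.location <= glyph_count - r.length;
}

int main(void)
{
    /* Sample input: the range printed in the report, checked against a
     * constructed glyph count of 40 (not a value from the page). */
    struct range32 bad32 = { UINT32_C(4294967291), 17 };
    struct range64 bad64 = { UINT64_C(4294967291), 17 };
    uint32_t count = 40;

    printf("signed reading of location: %lld\n",
           (long long)signed_reading32(bad32.location));
    printf("naive 32-bit check accepts: %d\n", range_ok_naive32(bad32, count));
    printf("naive 64-bit check accepts: %d\n", range_ok_naive64(bad64, count));
    printf("safe 32-bit check accepts:  %d\n", range_ok_safe32(bad32, count));
    printf("safe 64-bit check accepts:  %d\n", range_ok_safe64(bad64, count));
    return 0;
}
```

The naive 32-bit check accepts the range because 4294967291 + 17 wraps to 12, whereas the 64-bit sum is 4294967308 and is rejected; the safe form rejects it at both widths because it never computes the sum.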
Comment 1 (Reporter, 14 years ago):
Comment 2 (Reporter, 14 years ago):
Reported to Apple. rdar://7774779
Whiteboard: [sg:vector-critical (Apple)] → [sg:vector-critical (Apple)] rdar://7774779
Comment 3 (Reporter, 14 years ago):
Apple is treating this as a critical security issue.
Comment 4 (Reporter, 14 years ago):
This corrupts the stack on 64-bit / 10.6, which forces me to ignore all corrupted-stack crashes, possibly causing me to miss other bugs.
Comment 5 (Reporter, 14 years ago):
http://support.apple.com/kb/HT4435 -- Fixed in Mac OS X 10.6.5

CVE-ID: CVE-2010-1842
Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact: Rendering a bidirectional string that requires truncation may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in AppKit. If a string containing bidirectional text is rendered, and it is truncated with an ellipsis, AppKit may apply an inappropriate layout calculation. This could lead to an unexpected application termination or arbitrary code execution. This issue is addressed by avoiding the inappropriate layout calculation. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 6 (Reporter, 14 years ago):
I retested to be sure. I don't get a crash on 10.5 or 10.6 now. There's still some weirdness where the titlebar and navigation toolbar stop being "unified" when the window width is small, but that happens on pages with normal titles, too.
Status: RESOLVED → VERIFIED
Updated (Assignee, 13 years ago):
Crash Signature: [@ _NSLayoutTreeSetLocationForGlyphRange]
Updated (9 years ago):
Group: core-security → core-security-release
Updated (9 years ago):
Group: core-security-release