Closed Bug 553761 Opened 14 years ago Closed 14 years ago

Crash [@ _NSLayoutTreeSetLocationForGlyphRange] with bidi <title>

Categories

(Core :: Widget: Cocoa, defect)

x86
macOS
defect
Not set
critical


VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:vector-critical (Apple)] rdar://7774779)

Attachments

(2 files)

Steps to reproduce:
1. Launch Firefox on Snow Leopard.
2. Load the testcase.
3. Resize the window so that the title barely fits in the window titlebar.  (Or, check "Allow scripts to resize existing windows" in Firefox Preferences > Content > JavaScript, then click the button in the testcase.)

The result depends on the CPU architecture:

32-bit Firefox --> "!!! _NSLayoutTreeSetLocationForGlyphRange invalid glyph range {4294967291, 17}" on stderr or stdout.  No crash.

64-bit Firefox --> Crash [@ _NSLayoutTreeSetLocationForGlyphRange] touching an invalid address such as 0x000000191c919f88.  This looks exploitable.

I will report this bug to Apple as well.
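As an added triage aid (not the testcase and not Mozilla or Apple code): a small parser for the 32-bit diagnostic quoted above that reinterprets the logged glyph location as a signed machine word, which is what turns 4294967291 into -5; the glyph count passed in and the reading of -5 as "start offset before the run" are assumptions, since the report does not give the title length.

```python
import re

# Diagnostic line quoted in the bug report for the 32-bit build.
SAMPLE_STDERR = ("!!! _NSLayoutTreeSetLocationForGlyphRange "
                 "invalid glyph range {4294967291, 17}")

DIAG_RE = re.compile(
    r"_NSLayoutTreeSetLocationForGlyphRange invalid glyph range "
    r"\{(\d+), (\d+)\}")


def parse_glyph_range(line):
    """Extract (location, length) from the AppKit diagnostic, or None."""
    m = DIAG_RE.search(line)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def to_signed(value, bits):
    """Reinterpret an unsigned word of `bits` width as two's-complement."""
    mask = (1 << bits) - 1
    value &= mask
    if value & (1 << (bits - 1)):
        return value - (1 << bits)
    return value


def triage(line, glyph_count, bits=32):
    """Classify the logged range against the glyph count of the laid-out
    string. Returns (verdict, signed_location), or None if the line does
    not match. `glyph_count` is a caller-supplied (here constructed) value."""
    rng = parse_glyph_range(line)
    if rng is None:
        return None
    loc, length = rng
    signed_loc = to_signed(loc, bits)
    if signed_loc < 0:
        return "negative-location", signed_loc
    if loc + length > glyph_count:
        return "past-end", signed_loc
    return "ok", signed_loc


if __name__ == "__main__":
    # 32-bit NSUInteger: the location wraps to -5, i.e. a start offset
    # before the run (interpretation, not stated in the report).
    print(triage(SAMPLE_STDERR, glyph_count=40))
    # The same bits on a 64-bit word are a large positive offset past the end.
    print(triage(SAMPLE_STDERR, glyph_count=40, bits=64))
```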
Attached file stack trace
Reported to Apple. rdar://7774779
Whiteboard: [sg:vector-critical (Apple)] → [sg:vector-critical (Apple)] rdar://7774779
Apple is treating this as a critical security issue.
This corrupts the stack on 64-bit / 10.6, which forces me to ignore all corrupted-stack crashes, possibly causing me to miss other bugs.
http://support.apple.com/kb/HT4435 -- Fixed in Mac OS X 10.6.5

CVE-ID: CVE-2010-1842

Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4

Impact: Rendering a bidirectional string that requires truncation may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in AppKit. If a string containing bidirectional text is rendered, and it is truncated with an ellipsis, AppKit may apply an inappropriate layout calculation. This could lead to an unexpected application termination or arbitrary code execution. This issue is addressed by avoiding the inappropriate layout calculation. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
I retested to be sure. I don't get a crash on 10.5 or 10.6 now.

There's still some weirdness where the titlebar and navigation toolbar stop being "unified" when the window width is small, but that happens on pages with normal titles, too.
Status: RESOLVED → VERIFIED
Crash Signature: [@ _NSLayoutTreeSetLocationForGlyphRange]
Group: core-security → core-security-release
Group: core-security-release