Closed Bug 586501 Opened 14 years ago Closed 14 years ago

Arithmetic exception in GPOS table [@AnchorMatrix::sanitize]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(3 files)

Attached file callstack
Tag: b'GPOS' Checksum: 0x0001c590 Offset:        364/0x0000016c Length: 3738

Table: b'GPOS'
Number of replaced values: 5
Offset:   21/0x000015	Value: ['ff', 'ff']
Offset:  411/0x00019b	Value: ['00', '00', '00', '00', '00', '00', '00', '01']
Offset:  783/0x00030f	Value: ['ff', 'ff', 'ff', 'ff']
Offset: 2862/0x000b2e	Value: ['00', '00', '00', '01']
Offset: 3148/0x000c4c	Value: ['ff', 'ff', 'ff', 'ff']
Attached file testcase
Assignee: nobody → jfkthame
Attachment #465728 - Flags: review?(jdaggett)
Attachment #465728 - Flags: review?(jdaggett) → review+
Comment on attachment 465728 [details] [diff] [review]
patch, v1 - check "rows" value is non-zero before division

Requesting approval2.0 -- we should take this as it's a risk-free fix (also accepted upstream) for an issue where a bad/malicious downloadable font can crash the browser.
Attachment #465728 - Flags: approval2.0?
Keywords: crash
blocking2.0: --- → final+
Comment on attachment 465728 [details] [diff] [review]
patch, v1 - check "rows" value is non-zero before division

This now blocks, so it doesn't need approval.
Attachment #465728 - Flags: approval2.0?
http://hg.mozilla.org/mozilla-central/rev/51b95e95814f
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@AnchorMatrix::sanitize]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: