style.fontFamily overflow on osx

RESOLVED FIXED

Status


critical
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: msg, Assigned: masayuki)

Tracking

({crash, platform-parity, regression})

Trunk
PowerPC
Mac OS X
Bug Flags:
blocking1.9 ?
wanted1.8.1.x -
wanted1.8.0.x -
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] post-1.8-branch)

Attachments

(4 attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a3pre) Gecko/20070316 Minefield/3.0a3pre

An overflow in the this.document.firstChild.style.fontFamily value causes a crash, with some register control, on OS X.  Does not appear to affect win32.

Found via JavaScript introspection fuzzing.  See attached crash dump + sample script.

Reproducible: Always

Steps to Reproduce:
1. run attached script
Actual Results:
crash with some register control


see attached items
(Reporter)

Comment 1

12 years ago
Created attachment 258826 [details]
repro script
(Reporter)

Comment 2

12 years ago
Created attachment 258827 [details]
backtrace

Comment 3

12 years ago
Created attachment 258885 [details]
Minimal testcase

Comment 4

12 years ago
Does not appear to affect Linux either - it seems this is Mac OS X only so far.
A regression range would be nice to have...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, pp, regression

Updated

11 years ago
Duplicate of this bug: 376890

Comment 6

11 years ago
gdb's backtrace for the testcase in comment 3 is kinda useless:

(gdb) bt
#0  0x00420044 in dyld_stub_fflush ()
#1  0x00420042 in dyld_stub_fflush ()

In an attempt to get a better backtrace, I modified the testcase to try adding one character to the string at a time until it crashed.  I got this:

(gdb) bt
#0  0x9025ca97 in IteratorFindFontIDFromName ()
#1  0x6547736e in ?? ()
#2  0x4e5a5f3a in ?? ()
#3  0x00000000 in ?? ()

(gdb) info symbol IteratorFindFontIDFromName
IteratorFindFontIDFromName in section LC_SEGMENT.__TEXT.__text of /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS

There are no hits on Google for "IteratorFindFontIDFromName".

Is this a bug in Apple code?
Whiteboard: [sg:critical]

Comment 7

11 years ago
Regressed between 2007-01-05-06 and 2007-01-05-14 (there happened to be a nightly respin that day).  There were several checkins to Mac font-choosing code during that period: bug 364785, bug 364832, and bug 365613.

Comment 8

11 years ago
The patch on bug 364785 is especially suspect because it plays with a buffer of size 1024.

Comment 9

11 years ago
The crash occurs during the first call to ATSUFindFontFromName in gfxQuartzFontCache::ResolveFontName:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/gfx/thebes/src/gfxQuartzFontCache.mm&rev=1.12&mark=705-711#705
Blocks: 364785
Whiteboard: [sg:critical] → [sg:critical] post-1.8-branch
Flags: blocking1.9?
(Assignee)

Updated

11 years ago
Assignee: general → nobody
Component: DOM: Level 0 → GFX: Thebes
QA Contact: ian → thebes
Version: unspecified → Trunk
Created attachment 267592 [details] [diff] [review]
fix

Thank you for the testing.

We should skip resolving the long font name, but this patch cannot suppress the same issues in the future.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Attachment #267592 - Flags: review?(vladimir)
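As an added illustration of the mitigation the assignee describes (skip resolving an over-long family name rather than copying it into a fixed buffer), not the actual Gecko patch: a C sketch that assumes a 1024-byte name buffer as comment 8 suggests, where lookup_font stands in for the ATSUFindFontFromName call and the installed-family list and the 1500-character name are constructed.

```c
#include <string.h>
#include <stdbool.h>
/* Fixed buffer size for one family name before the system lookup
 * (assumed to match the 1024-byte buffer comment 8 points at). */
#define FONT_NAME_BUF 1024
/* Stand-in for the ATS lookup: two constructed "installed" families. */
static bool lookup_font(const char *name)
{
    return strcmp(name, "Helvetica") == 0 || strcmp(name, "Monaco") == 0;
}

/* Resolve one family given as a (pointer, length) span. The regressed code
 * copied the script-controlled name into its fixed buffer before the lookup,
 * so an over-long value overran it; here a name that cannot fit is treated
 * as unresolvable and never copied. 1 = found, 0 = unknown, -1 = skipped. */
int resolve_font_name(const char *name, size_t len)
{
    char buf[FONT_NAME_BUF];
    if (len >= sizeof buf)            /* no room for the NUL terminator */
        return -1;
    memcpy(buf, name, len);
    buf[len] = '\0';
    return lookup_font(buf) ? 1 : 0;
}

/* Walk a comma-separated list such as style.fontFamily holds, trimming
 * spaces and quotes (quoted commas are not handled), and resolve each entry.
 * Returns how many resolved; *skipped counts entries dropped for length. */
int resolve_font_family_list(const char *list, int *skipped)
{
    int resolved = 0;
    *skipped = 0;
    for (const char *p = list;; p = strchr(p, ',') + 1) {
        const char *end = strchr(p, ',');
        const char *stop = end ? end : p + strlen(p);
        const char *s = p;
        while (s < stop && strchr(" \"'", *s)) s++;
        while (stop > s && strchr(" \"'", stop[-1])) stop--;
        int r = stop > s ? resolve_font_name(s, (size_t)(stop - s)) : 0;
        resolved += (r == 1);
        *skipped += (r == -1);
        if (!end) return resolved;
    }
}
/* Constructed 1500-character family name, the shape the fuzzed value had. */
const char *overlong_name(void)
{
    static char name[1501];           /* static storage, so name[1500] is NUL */
    memset(name, 'A', 1500);
    return name;
}
```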
checked-in.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Group: security
Flags: in-testsuite?