Closed Bug 376890 Opened 17 years ago Closed 17 years ago

Remote Code Execution in font handling

Categories

(Core :: General, defect)

x86
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 374251

People

(Reporter: msg, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 374251])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a4pre) Gecko/20070327 Minefield/3.0a4pre
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a4pre) Gecko/20070327 Minefield/3.0a4pre

There is an apparent stack overflow inside of the font handling code.  

Reproducible: Always

Steps to Reproduce:
1. On Mac OS X, simply view the attached HTML file
Actual Results:  
A crash will occur where the instruction pointer is pointing to a UNICODE value that we can control.
Product: Firefox → Core
QA Contact: general → general
Confirmed, Mac trunk debug.  As mentioned in comment 0, the instruction pointer is clearly under the attacker's control:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00420042

Thread 0 Crashed:
0   <<00000000>> 	0x00420044 0 + 4325444
1   <<00000000>> 	0x74654773 0 + 1952794483
[end of stack trace]

I'm pretty sure this is the same as bug 374251, though.  <font face> is just mapped to CSS font-family, isn't it?
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Keywords: crash, testcase
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical]
Whiteboard: [sg:critical] → [sg:dupe 374251]
Group: security
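The crash log in comment 1 is a textbook example of why the reporter and the triager call the instruction pointer attacker-controlled: the faulting frames sit in no loaded module (`<<00000000>>`) and the program counter values decode as text (0x00420044 is the UTF-16 code units for "DB"; 0x74654773 is the ASCII bytes "sGet"). The script below is an added triage helper, not code from this bug, its attachment, or Mozilla: it parses Mac OS X crash-reporter frame lines of the shape quoted above and flags frames whose address lies outside any module and reads as ASCII or UTF-16LE text. The sample log embedded in it is reassembled from the excerpt in comment 1; the "text-like PC" heuristic and all function names are this example's own.

```python
import re

# Constructed sample: the crash excerpt quoted in comment 1 of this bug,
# reassembled as test input (the tab before the address is as in the log).
CRASH_LOG = (
    "Exception:  EXC_BAD_ACCESS (0x0001)\n"
    "Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00420042\n"
    "\n"
    "Thread 0 Crashed:\n"
    "0   <<00000000>> \t0x00420044 0 + 4325444\n"
    "1   <<00000000>> \t0x74654773 0 + 1952794483\n"
)

# Frame line shape: "<index>   <<module base>> \t0x<address> <symbol> + <offset>"
FRAME_RE = re.compile(r"^(\d+)\s+<<([0-9a-fA-F]+)>>\s+0x([0-9a-fA-F]{8})\b")
# Fault address from the "Codes: ... at 0x..." line
FAULT_RE = re.compile(r"\bat 0x([0-9a-fA-F]+)\b")


def parse_frames(log):
    """Return [(frame_index, module_hex, address)] for every stack-frame line."""
    frames = []
    for line in log.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), int(m.group(3), 16)))
    return frames


def parse_fault_address(log):
    """Return the faulting address reported on the Codes: line, or None."""
    m = FAULT_RE.search(log)
    return int(m.group(1), 16) if m else None


def decode_as_text(addr):
    """Interpret a 32-bit value as little-endian ASCII and as UTF-16LE.

    Returns {'ascii': str|None, 'utf16le': str|None}; a value is None when
    the bytes are not all printable under that encoding.
    """
    raw = addr.to_bytes(4, "little")
    ascii_text = raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None
    units = [int.from_bytes(raw[i:i + 2], "little") for i in (0, 2)]
    # Printable BMP code units only; surrogates and controls are rejected.
    if all(0x20 <= u < 0xD800 and chr(u).isprintable() for u in units):
        utf16_text = "".join(chr(u) for u in units)
    else:
        utf16_text = None
    return {"ascii": ascii_text, "utf16le": utf16_text}


def triage(log):
    """Flag frames whose PC lies in no loaded module (<<00000000>>) and decodes
    as text: the signature of a return address overwritten by string data."""
    findings = []
    for idx, module, addr in parse_frames(log):
        decoded = decode_as_text(addr)
        if int(module, 16) == 0 and (decoded["ascii"] or decoded["utf16le"]):
            findings.append((idx, addr, decoded))
    return findings


if __name__ == "__main__":
    fault = parse_fault_address(CRASH_LOG)
    print("fault address 0x%08x decodes as %r" % (fault, decode_as_text(fault)))
    for idx, addr, decoded in triage(CRASH_LOG):
        print("frame %d: PC 0x%08x outside any module, text-like: %r"
              % (idx, addr, decoded))
```

Running it on the excerpt reports frame 0 as UTF-16LE "DB" and frame 1 as ASCII "sGet", with the fault address decoding as "BB"; the same heuristic applied to an ordinary crash (PC inside a module with non-text bytes) reports nothing, which is what makes it useful as a first-pass filter when sorting crash reports by likely exploitability.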
