Closed Bug 453223 Opened 16 years ago Closed 12 years ago

need to review thebes/cairo code for places bogus font data could cause problems

Categories

(Core :: Graphics, defect, P1)

Tracking

RESOLVED WORKSFORME

People

(Reporter: jtd, Assigned: jtd)

References

Details

(Keywords: meta, Whiteboard: [sg:audit])

With the addition of downloadable fonts as a feature in Gecko, our text rendering components are now potentially open to attacks using bogus font data. We need to review the code to look for potential places where bogus font data could potentially cause problems. This includes:

  - old thebes wrappers
  - gfx text/font handling code
  - cairo text/font handling code

Possible places where problems could occur: handling names, reading the cmap, handling metrics, catching errors when drawing with bogus glyph data.

I'm going to log a separate bug for font fuzzing work.
Blocks: 70132
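One of the hazards the reporter lists, reading the cmap, is a good place to see what "catching bogus font data" means in practice. The following is an added example written for this page; it is not Gecko, thebes or cairo code and not the OpenType sanitizer. It parses a cmap format 4 subtable from an untrusted byte buffer, checking every length and offset against the buffer size the caller supplies rather than against values claimed inside the font, and it treats the idRangeOffset indirection (an attacker-chosen pointer into the table) as the most dangerous read. All names (cmap4_parse, cmap4_lookup, SAMPLE, corrupted_parse, huge_range_offset_glyph) and the 46-byte sample subtable are constructed for illustration.

```c
/* Bounds-checked parsing of an OpenType 'cmap' format 4 subtable.
 * Added example, not Gecko/thebes/cairo code; every name and the sample
 * font bytes below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *base;   /* start of the subtable */
    size_t len;            /* bytes we may read: validated against the caller's buffer */
    uint16_t segs;         /* number of segments */
    size_t ends, starts, deltas, ranges;  /* byte offsets of the four arrays */
} cmap4_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 0 on success, otherwise a reason code naming the check that rejected the data. */
int cmap4_parse(const uint8_t *buf, size_t buflen, cmap4_t *t)
{
    if (buflen < 16) return 1;                          /* cannot hold header + reservedPad */
    if (rd16(buf) != 4) return 2;                       /* format */
    size_t declared = rd16(buf + 2);                    /* length claimed by the font */
    if (declared < 16 || declared > buflen) return 3;   /* claim must fit the real buffer */
    uint16_t segx2 = rd16(buf + 6);
    if (segx2 < 2 || (segx2 & 1)) return 4;             /* segCountX2: even, >= 1 segment */
    uint16_t segs = segx2 / 2;
    if (14 + (size_t)segs * 8 + 2 > declared) return 5; /* the four arrays overrun the table */
    t->base = buf; t->len = declared; t->segs = segs;
    t->ends = 14;
    t->starts = t->ends + (size_t)segs * 2 + 2;         /* +2 skips reservedPad */
    t->deltas = t->starts + (size_t)segs * 2;
    t->ranges = t->deltas + (size_t)segs * 2;
    uint16_t prev = 0;
    for (uint16_t i = 0; i < segs; i++) {
        uint16_t e = rd16(buf + t->ends + i * 2), s = rd16(buf + t->starts + i * 2);
        if (s > e) return 6;                            /* inverted segment */
        if (i && e <= prev) return 7;                   /* unordered or overlapping segments */
        prev = e;
    }
    return prev == 0xFFFF ? 0 : 8;                      /* spec: final endCode is 0xFFFF */
}

/* Glyph index for a BMP code point; 0 (.notdef) on a miss or whenever the
 * font's idRangeOffset would send the read outside the table. */
uint16_t cmap4_lookup(const cmap4_t *t, uint16_t cp)
{
    for (uint16_t i = 0; i < t->segs; i++) {
        if (cp > rd16(t->base + t->ends + i * 2)) continue;
        uint16_t s = rd16(t->base + t->starts + i * 2);
        if (cp < s) return 0;
        uint16_t delta = rd16(t->base + t->deltas + i * 2);
        size_t rpos = t->ranges + i * 2;
        uint16_t ro = rd16(t->base + rpos);
        if (ro == 0) return (uint16_t)(cp + delta);     /* spec: arithmetic mod 65536 */
        /* Spec: glyph id is at &idRangeOffset[i] + ro + 2*(cp - s). ro comes from
         * the font, so the final address is checked, not just ro on its own. */
        size_t gpos = rpos + ro + 2 * (size_t)(cp - s);
        if (gpos + 2 > t->len) return 0;
        uint16_t g = rd16(t->base + gpos);
        return g ? (uint16_t)(g + delta) : 0;
    }
    return 0;
}

/* Constructed 46-byte subtable: 'A'..'Z' mapped through idDelta, 'a'..'c'
 * through idRangeOffset into glyphIdArray {100, 101, 0}, plus the 0xFFFF sentinel. */
static const uint8_t SAMPLE[46] = {
    0x00,0x04, 0x00,0x2E, 0x00,0x00, 0x00,0x06, 0x00,0x04, 0x00,0x01, 0x00,0x02,
    0x00,0x5A, 0x00,0x63, 0xFF,0xFF,             /* endCode[] */
    0x00,0x00,                                   /* reservedPad */
    0x00,0x41, 0x00,0x61, 0xFF,0xFF,             /* startCode[] */
    0xFF,0xC0, 0x00,0x00, 0x00,0x01,             /* idDelta[] */
    0x00,0x00, 0x00,0x04, 0x00,0x00,             /* idRangeOffset[] */
    0x00,0x64, 0x00,0x65, 0x00,0x00              /* glyphIdArray[] */
};

/* Glyph for cp in the intact sample, or -1 if the sample itself is rejected. */
int sample_glyph(uint16_t cp)
{
    cmap4_t t;
    return cmap4_parse(SAMPLE, sizeof SAMPLE, &t) ? -1 : cmap4_lookup(&t, cp);
}

/* Corrupt one field of a copy of the sample and return the parse reason code. */
int corrupted_parse(int which)
{
    uint8_t f[sizeof SAMPLE];
    memcpy(f, SAMPLE, sizeof f);
    size_t n = sizeof f;
    switch (which) {
    case 0: n = 10; break;                       /* truncated download */
    case 1: f[2] = 0xFF; f[3] = 0xFF; break;     /* claimed length far beyond the buffer */
    case 2: f[6] = 0xFF; f[7] = 0xFE; break;     /* 32767 segments announced in 46 bytes */
    case 3: f[7] = 0x07; break;                  /* odd segCountX2 */
    case 4: f[18] = 0x00; f[19] = 0x63; break;   /* sentinel segment's endCode clobbered */
    }
    cmap4_t t;
    return cmap4_parse(f, n, &t);
}

/* idRangeOffset pointing outside the table passes cmap4_parse (it is only used
 * at lookup time); the lookup must then refuse the read and return .notdef. */
int huge_range_offset_glyph(void)
{
    uint8_t f[sizeof SAMPLE];
    memcpy(f, SAMPLE, sizeof f);
    f[36] = 0xFF; f[37] = 0x00;                  /* idRangeOffset[1] = 0xFF00 */
    cmap4_t t;
    return cmap4_parse(f, sizeof f, &t) ? -1 : cmap4_lookup(&t, 0x61);
}

int main(void)
{
    printf("'A'->%d 'Z'->%d 'a'->%d 'c'->%d\n", sample_glyph(0x41), sample_glyph(0x5A),
           sample_glyph(0x61), sample_glyph(0x63));
    for (int i = 0; i < 5; i++) printf("corruption %d rejected, code %d\n", i, corrupted_parse(i));
    printf("huge idRangeOffset -> glyph %d (no out-of-bounds read)\n", huge_range_offset_glyph());
    return 0;
}
```

The split between parse-time and lookup-time checks is deliberate: array counts and the declared length can be validated once up front, but idRangeOffset is a per-code-point pointer and is cheapest to check at the moment of use. A reviewer auditing a real cmap reader would look for exactly that second check, since a parser that trusts the offset reads attacker-chosen memory even when the table header looks sane.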
Font fuzzer logged as bug 453225.
"Old Thebes wrappers" should not be exposed to downloadable fonts, to be honest. Maybe we could just have a textrun creation flag that disables downloadable fonts, and set that flag in the nsRenderingContextThebes text APIs.
Priority: -- → P1
Any progress to share here? I'm setting severity as sg:critical? as we have for other "audit this code" bugs like bug 430193.
Whiteboard: [sg:critical?]
In bug 430193 we found a specific problem and were looking for others like it. Pure "audit" bugs are what [sg:investigate] was made for.
Keywords: meta
Whiteboard: [sg:critical?] → [sg:investigate]
Whiteboard: [sg:investigate] → [sg:audit]
Since there is no specific vulnerability anywhere here, a lot of work has happened since this was filed, and there is no movement lately, can we resolve and/or open up this bug?
Especially given that our code now uses the OpenType sanitizer, this is no longer so important.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Group: core-security