Crash [@ _NSLayoutTreeSetLocationForGlyphRange] with bidi <title>

Status: VERIFIED FIXED
Product: Core
Component: Widget: Cocoa
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 3 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

Version: Trunk
Platform: x86
OS: Mac OS X
Keywords: crash, testcase
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

Whiteboard: [sg:vector-critical (Apple)] rdar://7774779

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
Created attachment 433683 [details]
testcase (may crash, depending on arch and window width)

Steps to reproduce:
1. Launch Firefox on Snow Leopard.
2. Load the testcase.
3. Resize the window so that the title barely fits in the window titlebar.  (Or, check "Allow scripts to resize existing windows" in Firefox Preferences > Content > JavaScript, then click the button in the testcase.)

The result depends on the CPU architecture:

32-bit Firefox --> "!!! _NSLayoutTreeSetLocationForGlyphRange invalid glyph range {4294967291, 17}" on stderr or stdout.  No crash.

64-bit Firefox --> Crash [@ _NSLayoutTreeSetLocationForGlyphRange] touching an invalid address such as 0x000000191c919f88.  This looks exploitable.

I will report this bug to Apple as well.
(Reporter)

Comment 1

8 years ago
Created attachment 433684 [details]
stack trace
(Reporter)

Comment 2

8 years ago
Reported to Apple. rdar://7774779
Whiteboard: [sg:vector-critical (Apple)] → [sg:vector-critical (Apple)] rdar://7774779
(Reporter)

Comment 3

8 years ago
Apple is treating this as a critical security issue.
(Reporter)

Comment 4

8 years ago
This corrupts the stack on 64-bit / 10.6, which forces me to ignore all corrupted-stack crashes, possibly causing me to miss other bugs.
(Reporter)

Comment 5

8 years ago
http://support.apple.com/kb/HT4435 -- Fixed in Mac OS X 10.6.5

CVE-ID: CVE-2010-1842

Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4

Impact: Rendering a bidirectional string that requires truncation may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in AppKit. If a string containing bidirectional text is rendered, and it is truncated with an ellipsis, AppKit may apply an inappropriate layout calculation. This could lead to an unexpected application termination or arbitrary code execution. This issue is addressed by avoiding the inappropriate layout calculation. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

8 years ago
I retested to be sure. I don't get a crash on 10.5 or 10.6 now.

There's still some weirdness where the titlebar and navigation toolbar stop being "unified" when the window width is small, but that happens on pages with normal titles, too.
Status: RESOLVED → VERIFIED
(Assignee)

Updated

7 years ago
Crash Signature: [@ _NSLayoutTreeSetLocationForGlyphRange]

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release