Reported to Apple. rdar://7774779
Whiteboard: [sg:vector-critical (Apple)] → [sg:vector-critical (Apple)] rdar://7774779
Apple is treating this as a critical security issue.
This corrupts the stack on 64-bit / 10.6, which forces me to ignore all corrupted-stack crashes, possibly causing me to miss other bugs.
http://support.apple.com/kb/HT4435 -- Fixed in Mac OS X 10.6.5

CVE-ID: CVE-2010-1842
Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
Impact: Rendering a bidirectional string that requires truncation may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in AppKit. If a string containing bidirectional text is rendered, and it is truncated with an ellipsis, AppKit may apply an inappropriate layout calculation. This could lead to an unexpected application termination or arbitrary code execution. This issue is addressed by avoiding the inappropriate layout calculation. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
I retested to be sure. I don't get a crash on 10.5 or 10.6 now. There's still some weirdness where the titlebar and navigation toolbar stop being "unified" when the window width is small, but that happens on pages with normal titles, too.
Status: RESOLVED → VERIFIED
Crash Signature: [@ _NSLayoutTreeSetLocationForGlyphRange]