Bug 573449 (Closed): Invalid instruction in TTF's fpgm table leads to crash [@ fnt_CALL]
Opened 15 years ago, closed 14 years ago
Categories: Core :: Graphics, defect
Status: RESOLVED FIXED
People: Reporter: posidron, Assigned: jfkthame
References: Blocks 1 open bug
Keywords: crash, testcase
Whiteboard: [sg:vector-critical? (Apple)] rdar://8125396, Affects Opera also -- embargo until we hear from them
Attachments: 2 files, 1 obsolete file
Description (Reporter: posidron)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Not sure whether it belongs here.
Invalid instruction is in this case: 0x7fff at offset: 0x19c

Also affected:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a6pre) Gecko/20100620 Minefield/3.7a6pre (x86-64)

Reproducible: Always
Steps to Reproduce:
Load the provided html file.
Comment 1 (Reporter) • 15 years ago
Comment 2 (Reporter) • 15 years ago
Updated (Reporter) • 15 years ago
Attachment #452685 -
Attachment description: Firefox/3.6.3 → Callstack (x86) Firefox/3.6.3
Comment 3 (Reporter) • 15 years ago
Updated • 15 years ago
Attachment #452686 -
Attachment mime type: application/octet-stream → text/plain
Updated • 15 years ago
Attachment #452685 -
Attachment mime type: application/octet-stream → text/plain
Comment 4 • 15 years ago
Looks scary based on "KERN_INVALID_ADDRESS at address: 0x00000001345b6e5a".
Updated • 15 years ago
Attachment #452684 -
Attachment description: testcase → testcase (HTML + TTF)
Comment 5 • 15 years ago
Comment on attachment 452685 [details]
Callstack (x86) Firefox/3.6.3
To get a useful stack out of a release build, you need to use Breakpad or the symbol server. Or you can build your own version.
Attachment #452685 -
Attachment is obsolete: true
Jonathan, you'd better look into this.
Assignee: nobody → jfkthame
Updated • 15 years ago
Comment 7 (Assignee) • 15 years ago
It's crashing deep inside Apple's ATS code. I doubt it's realistically possible for us to validate all TrueType bytecode before we allow a font to be used, so we may not be able to do anything about it for FF3.6, where we rely on the (deprecated) ATS and ATSUI APIs for all font handling.
However, Core Text does not appear to be affected by this, so on trunk we could resolve it if we eliminate the remaining dependency on ATS, which is currently used to get font metrics. The patch in bug 532533 does this for all TrueType/OpenType fonts, replacing the use of ATSFontGetHorizontalMetrics with code to read the font tables directly.
(That patch needs updating for current trunk; I've done this locally, and checked that the testcase here renders properly and doesn't crash, but need to check the patch more carefully before I post an update version.)
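Comment 7 describes two things: reading font metrics straight from the font tables instead of going through ATS, and the impracticality of validating all TrueType bytecode before use. The following is an added example, not code from this bug's patch or from Gecko, showing what the defensive version of that table reading looks like in Python: a parser that bounds-checks every record of the sfnt table directory before trusting an offset, reads ascender/descender/lineGap from hhea, and walks an fpgm table flagging undefined opcodes and push instructions whose inline data runs past the end of the table. The sample font bytes are constructed inline. The undefined-opcode set follows the TrueType instruction map (0x28, 0x7B, 0x83-0x84, 0x8F-0x90, 0x93-0xAF) and assumes 0x91/0x92 are Apple's GETVARIATION/GETDATA; all function names here are the example's own.

```python
import struct

# Opcode slots the TrueType instruction set leaves undefined. 0x91/0x92 are treated
# as defined (assumed to be Apple's GETVARIATION/GETDATA); everything else is defined.
UNDEFINED_OPCODES = frozenset({0x28, 0x7B, 0x83, 0x84, 0x8F, 0x90} | set(range(0x93, 0xB0)))


def parse_table_directory(font):
    """Return {tag: (offset, length)} after bounds-checking every directory record."""
    if len(font) < 12:
        raise ValueError("file too short for an sfnt header")
    sfnt_version, num_tables = struct.unpack_from(">IH", font, 0)
    if sfnt_version not in (0x00010000, 0x74727565):  # 1.0 or Apple 'true'
        raise ValueError("not a TrueType sfnt")
    dir_end = 12 + 16 * num_tables
    if dir_end > len(font):
        raise ValueError("table directory truncated")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        # Subtraction form so a C port cannot wrap on offset + length.
        if offset < dir_end or length > len(font) - offset:
            raise ValueError("table %r points outside the file" % tag)
        tables[tag] = (offset, length)
    return tables


def read_hhea_metrics(font):
    """Read ascender, descender and lineGap directly from the hhea table."""
    offset, length = parse_table_directory(font)[b"hhea"]
    if length < 36:  # hhea is a fixed 36-byte table
        raise ValueError("hhea too short")
    _version, ascender, descender, line_gap = struct.unpack_from(">Ihhh", font, offset)
    return ascender, descender, line_gap


def scan_bytecode(code):
    """Walk TrueType bytecode; return [(offset, problem)] for undefined opcodes
    and push instructions whose inline data runs past the end of the table."""
    problems = []
    pc, end = 0, len(code)
    while pc < end:
        start, op = pc, code[pc]
        pc += 1
        if op in UNDEFINED_OPCODES:
            problems.append((start, "undefined opcode 0x%02x" % op))
            continue
        inline = 0
        if op in (0x40, 0x41):  # NPUSHB / NPUSHW: a count byte, then that many bytes/words
            if pc >= end:
                problems.append((start, "push count missing"))
                break
            inline = code[pc] * (1 if op == 0x40 else 2)
            pc += 1
        elif 0xB0 <= op <= 0xB7:  # PUSHB[n]: n+1 bytes follow
            inline = op - 0xB0 + 1
        elif 0xB8 <= op <= 0xBF:  # PUSHW[n]: n+1 words follow
            inline = 2 * (op - 0xB8 + 1)
        if pc + inline > end:
            problems.append((start, "push data truncated at end of table"))
            break
        pc += inline
    return problems


def lint_fpgm(font):
    """Scan the font's fpgm table (empty result if the font has none)."""
    tables = parse_table_directory(font)
    if b"fpgm" not in tables:
        return []
    offset, length = tables[b"fpgm"]
    return scan_bytecode(font[offset:offset + length])


def build_font(tables):
    """Assemble a minimal sfnt from {tag: bytes} (checksums left at 0)."""
    entries = sorted(tables.items())
    n = len(entries)
    pow2 = 1
    while pow2 * 2 <= n:
        pow2 *= 2
    header = struct.pack(">IHHHH", 0x00010000, n, pow2 * 16, pow2.bit_length() - 1, n * 16 - pow2 * 16)
    records, body, offset = b"", b"", 12 + 16 * n
    for tag, data in entries:
        padded = data + b"\0" * (-len(data) % 4)
        records += struct.pack(">4sIII", tag, 0, offset, len(data))
        body += padded
        offset += len(padded)
    return header + records + body


# Constructed sample data: an hhea with ascender 800 / descender -200 / lineGap 0, a
# well-formed fpgm (PUSHB[0] 0; FDEF; POP; ENDF) and a broken one that contains the
# undefined opcode 0x7B and an NPUSHW announcing five words where only one follows.
HHEA = struct.pack(">IhhhHhhhhhhhhhhhH", 0x00010000, 800, -200, 0, 1000,
                   0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1)
GOOD_FPGM = bytes([0xB0, 0x00, 0x2C, 0x21, 0x2D])
BAD_FPGM = bytes([0xB0, 0x00, 0x2C, 0x7B, 0x2D, 0x41, 0x05, 0x00, 0x01])
GOOD_FONT = build_font({b"hhea": HHEA, b"fpgm": GOOD_FPGM})
BAD_FONT = build_font({b"hhea": HHEA, b"fpgm": BAD_FPGM})
```

Calling `lint_fpgm(BAD_FONT)` reports the undefined opcode at offset 3 and the truncated push at offset 5, while `read_hhea_metrics(GOOD_FONT)` returns the metrics without touching a system font engine. The scan is deliberately shallow: it checks instruction encoding, not runtime behaviour such as CALL targets or stack depth, which is the part comment 7 describes as impractical to validate up front, and why the fix moved metrics off ATS rather than trying to vet bytecode.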
Comment 8 • 15 years ago
We've had pretty bad luck trying to get Apple to fix security bugs in ATS, so moving all the way to Core Text sounds like the way to go.
Depends on: 532533
Comment 9 • 15 years ago
Opera crashes too. Safari and Chrome don't.
Comment 10 (Assignee) • 15 years ago
Bug 532533 now has an updated patch that fixes this issue.
Comment 11 • 15 years ago
(In reply to comment #10)
> Bug 532533 now has an updated patch that fixes this issue.
Er, not quite. See bug 532533, comment 74.
Comment 12 • 15 years ago
Logged as radar 8125396.
Comment 13 (Assignee) • 15 years ago
(In reply to comment #11)
> (In reply to comment #10)
> > Bug 532533 now has an updated patch that fixes this issue.
>
> Er, not quite. See bug 532533, comment 74.
True. But now it does. :) See bug 532533, comment 78.
Updated • 15 years ago
Whiteboard: [sg:critical?] → [sg:critical?] Affects Opera also -- embargo until we hear from them
Updated • 15 years ago
Whiteboard: [sg:critical?] Affects Opera also -- embargo until we hear from them → [sg:critical?] radar 8125396. Affects Opera also -- embargo until we hear from them
Updated • 15 years ago
Whiteboard: [sg:critical?] radar 8125396. Affects Opera also -- embargo until we hear from them → [sg:vector-critical? (Apple)] rdar://8125396, Affects Opera also -- embargo until we hear from them
Updated • 14 years ago
blocking2.0: ? → final+
Comment 14 (Assignee) • 14 years ago
This is fixed by the patch for bug 532533.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Crash Signature: [@ fnt_CALL]
Updated (Reporter) • 13 years ago
Blocks: fuzzing-fonts
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release