Closed Bug 574368 Opened 14 years ago Closed 14 years ago

Invalid descriptorCount/gxFontDescriptor value in TTF's fdsc table leads to crash [@ GetFontMetrics()]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Whiteboard: [sg:vector-critical (Apple)] rdar://8141742)

Attachments

(4 files)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a6pre) Gecko/20100624 Minefield/3.7a6pre

The invalid value in this case is: 00 00 00 01 41 41 41 41

Reproducible: Always

Steps to Reproduce:
Load the provided html file.
Attached file testcase
Edit: at offset 0x19c
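Defensively, the fix for this class of bug is to refuse to hand a font to the platform rasterizer until its table directory and the 'fdsc' table have been checked for internal consistency. The following is an added example (not code from this bug, from Firefox, or from OTS) of such a sanity check in Python. It assumes the 'fdsc' layout from Apple's TrueType reference (a Fixed version 0x00010000, a uint32 descriptorCount, then descriptorCount 8-byte records of a 4-byte tag and a Fixed value), and the sample fonts it checks are constructed inline; `build_sfnt`, `find_table`, `check_fdsc` and `fdsc_status` are names chosen for this example.

```python
from __future__ import annotations
import struct

FDSC_VERSION = 0x00010000   # Fixed 1.0, the only defined 'fdsc' version
DESCRIPTOR_SIZE = 8         # 4-byte tag + 4-byte Fixed value per descriptor
FDSC_HEADER_SIZE = 8        # version + descriptorCount


class FontTableError(ValueError):
    """Raised for any structural inconsistency; the font should be rejected."""


def find_table(font: bytes, wanted: bytes) -> bytes | None:
    """Locate a table via the sfnt directory, bounds-checking every record."""
    if len(font) < 12:
        raise FontTableError("file shorter than the 12-byte sfnt header")
    num_tables = struct.unpack(">H", font[4:6])[0]
    if 12 + 16 * num_tables > len(font):
        raise FontTableError(f"numTables={num_tables} overruns the file")
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        if offset + length > len(font):
            raise FontTableError(f"table {tag!r} extends past end of file")
        if tag == wanted:
            return font[offset: offset + length]
    return None


def check_fdsc(table: bytes) -> list[tuple[bytes, float]]:
    """Validate an 'fdsc' table and return its descriptors as (tag, value)."""
    if len(table) < FDSC_HEADER_SIZE:
        raise FontTableError("fdsc table shorter than its 8-byte header")
    version, count = struct.unpack(">II", table[:FDSC_HEADER_SIZE])
    if version != FDSC_VERSION:
        raise FontTableError(f"unexpected fdsc version 0x{version:08x}")
    # The key check: descriptorCount must agree with the table length
    # before anything multiplies it or walks the descriptor array.
    expected = FDSC_HEADER_SIZE + count * DESCRIPTOR_SIZE
    if expected != len(table):
        raise FontTableError(
            f"descriptorCount {count} implies {expected} bytes, table has {len(table)}")
    descriptors = []
    for i in range(count):
        off = FDSC_HEADER_SIZE + i * DESCRIPTOR_SIZE
        tag = table[off: off + 4]
        raw = struct.unpack(">i", table[off + 4: off + 8])[0]
        descriptors.append((tag, raw / 65536.0))   # Fixed 16.16 -> float
    return descriptors


def fdsc_status(font: bytes) -> str:
    """'absent', 'ok', or 'reject: <reason>' for a whole font file."""
    try:
        table = find_table(font, b"fdsc")
        if table is None:
            return "absent"
        check_fdsc(table)
        return "ok"
    except FontTableError as exc:
        return f"reject: {exc}"


def build_sfnt(tables: dict[bytes, bytes]) -> bytes:
    """Constructed minimal TrueType container holding only the given tables."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    records, body = b"", b""
    offset = 12 + 16 * num
    for tag, data in tables.items():
        padded = data + b"\0" * ((4 - len(data) % 4) % 4)
        records += struct.pack(">4sIII", tag, 0, offset, len(data))
        body += padded
        offset += len(padded)
    return header + records + body


# Constructed samples: one well-formed descriptor, and one whose
# descriptorCount is an absurd 0x41414141 with only 8 bytes following it.
GOOD_FDSC = struct.pack(">II", FDSC_VERSION, 1) + b"wght" + struct.pack(">I", 0x00010000)
BAD_FDSC = struct.pack(">II", FDSC_VERSION, 0x41414141) + b"\x41" * 8
GOOD_FONT = build_sfnt({b"fdsc": GOOD_FDSC})
BAD_FONT = build_sfnt({b"fdsc": BAD_FDSC})

if __name__ == "__main__":
    print(fdsc_status(GOOD_FONT))   # ok
    print(fdsc_status(BAD_FONT))    # reject: descriptorCount 1094795585 ...
```

A real sanitizer would apply the same length-versus-count discipline to every table it keeps and drop anything it does not understand; the point here is that the count is checked against the bytes actually present before any consumer trusts it.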
blocking2.0: --- → ?
I'm curious to know if this testcase also causes problems for Safari, or for other applications (if the font is installed locally on the machine)?
Yes. FontBook (Font import tool) / Safari etc. can not handle the font. I know, it's not a Firefox issue but the bug acts like a proxy, so I thought it would be of interest.
cd, can you report this bug to Apple using https://bugreport.apple.com/, and put a rdar://NUM link in the whiteboard?
Whiteboard: [sg:vector-critical (Apple)]
Whiteboard: [sg:vector-critical (Apple)] → [sg:vector-critical (Apple)] rdar://8141742
There's a tryserver build at http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/jkew@mozilla.com-264b39e314fc/ with an enhanced version of the patch in bug 532533 that tries to avoid use of any Apple font metrics APIs. I'd be interested to know if the crash is still reproducible with this build.
Yes
(In reply to comment #10)
> Callstack - TryServer;Minefield 4.0b2pre (64bit)

Ok, thanks. Hmmm, the frames between gfxTextRun::SetSpaceGlyph and CGFontGetGlyphAdvances are completely wrong here; I guess it didn't have enough symbols. But anyway, it's pretty clear what's happening - although this build avoided calling CGFontGetUnitsPerEm directly, it still hit that function via CGFontGetGlyphAdvances while getting the width of the space glyph.
blocking2.0: ? → final+
Assignee: nobody → jfkthame
This should be fixed by bug 527276.
Depends on: CVE-2010-3768
OS: Mac OS X → Windows 7
OS: Windows 7 → Mac OS X
Checked that OTS (bug 527276) resolves this, and the testcase no longer crashes. (However, 1.9.2 and 1.9.1 will remain vulnerable until we get OTS landed there as well.)
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Group: core-security → core-security-release
Group: core-security-release