Closed
Bug 574368
Opened 14 years ago
Closed 14 years ago
Invalid descriptorCount/gxFontDescriptor value in TTF's fdsc table leads to crash [@ GetFontMetrics()]
Categories: Core :: Graphics, defect
Status: RESOLVED FIXED

Tracking flag | Status | Tracking
---|---|---
blocking2.0 | --- | final+
People: Reporter: posidron, Assigned: jfkthame
References: Blocks 1 open bug
Details: Whiteboard: [sg:vector-critical (Apple)] rdar://8141742
Attachments: 4 files
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a6pre) Gecko/20100624 Minefield/3.7a6pre

Invalid value is in this case: 00 00 00 01 41 41 41 41

Reproducible: Always

Steps to Reproduce:
Load the provided html file.

Comment 1 (Reporter) • 14 years ago

Comment 2 (Reporter) • 14 years ago

Comment 3 (Reporter) • 14 years ago
Edit: at offset: 0x19c
Updated • 14 years ago
blocking2.0: --- → ?

Comment 4 (Assignee) • 14 years ago
I'm curious to know if this testcase also causes problems for Safari, or for other applications (if the font is installed locally on the machine)?
Comment 5 (Reporter) • 14 years ago
Yes. FontBook (Font import tool) / Safari etc. can not handle the font. I know , it's not a Firefox issue but the bug acts like a proxy, so I thought it would be of interest.
Comment 6 (Reporter) • 14 years ago

Comment 7 • 14 years ago
cd, can you report this bug to Apple using https://bugreport.apple.com/, and put a rdar://NUM link in the whiteboard?
Whiteboard: [sg:vector-critical (Apple)]
Updated (Reporter) • 14 years ago
Whiteboard: [sg:vector-critical (Apple)] → [sg:vector-critical (Apple)] rdar://8141742
Comment 8 (Assignee) • 14 years ago
There's a tryserver build at http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/jkew@mozilla.com-264b39e314fc/ with an enhanced version of the patch in bug 532533 that tries to avoid use of any Apple font metrics APIs. I'd be interested to know if the crash is still reproducible with this build.
Comment 9 (Reporter) • 14 years ago
Yes
Comment 10 (Reporter) • 14 years ago

Comment 11 (Assignee) • 14 years ago

(In reply to comment #10)
> Callstack - TryServer;Minefield 4.0b2pre (64bit)

Ok, thanks. Hmmm, the frames between gfxTextRun::SetSpaceGlyph and CGFontGetGlyphAdvances are completely wrong here; I guess it didn't have enough symbols. But anyway, it's pretty clear what's happening - although this build avoided calling CGFontGetUnitsPerEm directly, it still hit that function via CGFontGetGlyphAdvances while getting the width of the space glyph.
Updated • 14 years ago
blocking2.0: ? → final+
Updated • 14 years ago
Assignee: nobody → jfkthame
Comment 12 (Assignee) • 14 years ago
This should be fixed by bug 527276.
Depends on: CVE-2010-3768
OS: Mac OS X → Windows 7
Updated (Assignee) • 14 years ago
OS: Windows 7 → Mac OS X
Comment 13 (Assignee) • 14 years ago
Checked that OTS (bug 527276) resolves this, and the testcase no longer crashes. (However, 1.9.2 and 1.9.1 will remain vulnerable until we get OTS landed there as well.)
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
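The fix described in comment 13 works by sanitising font tables before any platform metrics API sees them. The following is an added example of that kind of check for the `fdsc` table, written for this page and not taken from OTS or from Gecko; the table layout (Fixed version, 32-bit descriptorCount, 8-byte gxFontDescriptor entries, all big-endian) is assumed from Apple's TrueType Reference Manual, the sample byte arrays are constructed, and the interpretation of the report's eight bytes as version followed by count is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* 'fdsc' layout as given in Apple's TrueType Reference Manual (assumed here):
 *   Fixed  version           expected 0x00010000
 *   uint32 descriptorCount
 *   gxFontDescriptor descriptor[descriptorCount], each 8 bytes:
 *       uint32 tag; Fixed value;
 * All fields are big-endian. */
#define FDSC_HEADER_LEN     8u
#define FDSC_DESCRIPTOR_LEN 8u
#define FDSC_VERSION        0x00010000u

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 if descriptorCount is consistent with the bytes actually present
 * in the table, 0 if the table must be rejected before metrics code sees it. */
int fdsc_table_is_sane(const uint8_t *table, size_t len) {
    if (table == NULL || len < FDSC_HEADER_LEN) return 0;
    if (read_be32(table) != FDSC_VERSION) return 0;
    uint32_t count = read_be32(table + 4);
    /* Compare against a divided capacity so a huge count cannot overflow a
     * count * FDSC_DESCRIPTOR_LEN multiplication on any platform. */
    size_t capacity = (len - FDSC_HEADER_LEN) / FDSC_DESCRIPTOR_LEN;
    return count <= capacity;
}

/* Constructed samples (hypothetical bytes, not taken from the attachment). */
/* Valid: version 1.0, one descriptor ('wdth' = 1.0). */
static const uint8_t FDSC_OK[] = {
    0x00,0x01,0x00,0x00, 0x00,0x00,0x00,0x01,
    0x77,0x64,0x74,0x68, 0x00,0x01,0x00,0x00 };
/* Version valid but descriptorCount = 0x41414141, far beyond the table. */
static const uint8_t FDSC_HUGE_COUNT[] = {
    0x00,0x01,0x00,0x00, 0x41,0x41,0x41,0x41,
    0x77,0x64,0x74,0x68, 0x00,0x01,0x00,0x00 };
/* The eight bytes quoted in the report, read as version 0x00000001 and
 * count 0x41414141 (assumed interpretation). */
static const uint8_t FDSC_REPORTED[] = {
    0x00,0x00,0x00,0x01, 0x41,0x41,0x41,0x41 };

/* 1 only if the good table is accepted and both bad tables are rejected. */
int fdsc_samples_behave(void) {
    return  fdsc_table_is_sane(FDSC_OK,         sizeof FDSC_OK) &&
           !fdsc_table_is_sane(FDSC_HUGE_COUNT, sizeof FDSC_HUGE_COUNT) &&
           !fdsc_table_is_sane(FDSC_REPORTED,   sizeof FDSC_REPORTED);
}
```

A real sanitiser would apply the same bounds-before-trust rule to every table it copies through, and drop or rebuild any table it does not understand.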
Updated (Reporter) • 12 years ago
Blocks: fuzzing-fonts
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release