Closed Bug 580100 Opened 14 years ago Closed 14 years ago

ASSERTION/Crash: font is lacking metrics, we shouldn't be here: '(mNumLongMetrics > 0) && mHmtxTable != nsnull'

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

Attachments

(4 files)

Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre

Table: hhea
Offset: 268/0x10c
Values:
80 00 # metricDataFormat
00 00 # numberOfHMetrics

Load the provided html file.
Attached file testcase
Attached file callstack
This patch adds some sanity-checking for the metrics tables during initialization, so that we don't risk out-of-bounds indexing when it comes to actually looking up entries.
Assignee: nobody → jfkthame
Attachment #458600 - Flags: review?(jdaggett)
Comment on attachment 458600
patch, v1 - sanity-check hhea fields & hmtx length before using font with harfbuzz

Yup, looks good.
Attachment #458600 - Flags: review?(jdaggett) → review+
BTW, I think we need a simple reftest for this.
Attachment #458950 - Flags: review?(jdaggett)
Nominating for blocking2.0 - this provides a means for a corrupt or malicious font to trigger a crash. Patch is low-risk, just improving validation before we use the font data.
blocking2.0: --- → ?
Attachment #458950 - Flags: review?(jdaggett) → review+
blocking2.0: ? → final+
Pushed patch + crashtest:
http://hg.mozilla.org/mozilla-central/rev/676e4798d2b0
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
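
The kind of load-time check the patch comment describes (sanity-checking hhea fields and hmtx length before any lookup), written here as an added C++ example; it is not the Mozilla patch. Field offsets follow the OpenType `hhea`/`hmtx` layout, and `ValidateHMetrics`, `AdvanceWidth`, `MakeHhea` and the sample bytes are names and data constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;
// Field offsets in the 36-byte 'hhea' table, per the OpenType layout.
constexpr size_t kHheaSize = 36, kMetricDataFormatOff = 32, kNumHMetricsOff = 34;

enum class MetricsCheck { Ok, HheaTooShort, BadFormat, NoLongMetrics, TooManyMetrics, HmtxTooShort };

static uint16_t ReadU16BE(const Bytes& t, size_t off) {
    return static_cast<uint16_t>((t[off] << 8) | t[off + 1]);
}

// Decide once, at font load, whether hmtx can be indexed safely for any glyph ID.
MetricsCheck ValidateHMetrics(const Bytes& hhea, const Bytes& hmtx, uint16_t numGlyphs) {
    if (hhea.size() < kHheaSize) return MetricsCheck::HheaTooShort;
    if (ReadU16BE(hhea, kMetricDataFormatOff) != 0) return MetricsCheck::BadFormat;
    const uint16_t numLong = ReadU16BE(hhea, kNumHMetricsOff);
    if (numLong == 0) return MetricsCheck::NoLongMetrics;  // numberOfHMetrics as in this report
    if (numLong > numGlyphs) return MetricsCheck::TooManyMetrics;
    // hmtx = numLong longHorMetric records (4 bytes) + (numGlyphs - numLong) bearings (2 bytes)
    const size_t needed = size_t(numLong) * 4 + size_t(numGlyphs - numLong) * 2;
    return hmtx.size() < needed ? MetricsCheck::HmtxTooShort : MetricsCheck::Ok;
}

// Advance width lookup. Precondition: ValidateHMetrics(...) == Ok; without it,
// numLong - 1 wraps when numLong is 0 and the read lands outside hmtx.
uint16_t AdvanceWidth(const Bytes& hhea, const Bytes& hmtx, uint16_t glyph) {
    const uint16_t numLong = ReadU16BE(hhea, kNumHMetricsOff);
    const uint16_t idx = glyph < numLong ? glyph : static_cast<uint16_t>(numLong - 1);
    return ReadU16BE(hmtx, size_t(idx) * 4);
}

// Constructed sample: an otherwise zeroed hhea carrying the two fields under test.
Bytes MakeHhea(uint16_t format, uint16_t numLong) {
    Bytes t(kHheaSize, 0);
    t[32] = static_cast<uint8_t>(format >> 8);  t[33] = static_cast<uint8_t>(format & 0xff);
    t[34] = static_cast<uint8_t>(numLong >> 8); t[35] = static_cast<uint8_t>(numLong & 0xff);
    return t;
}

int main() {
    const Bytes hmtx = {0x02, 0x58, 0, 0, 0x01, 0xF4, 0, 0, 0, 0};  // constructed, 3 glyphs
    std::printf("report values: %d\n", int(ValidateHMetrics(MakeHhea(0x8000, 0), hmtx, 3)));
    std::printf("well-formed:   %d\n", int(ValidateHMetrics(MakeHhea(0, 2), hmtx, 3)));
    return 0;
}
```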