Bug 580730 - Invalid values in TT's glyf table leading to crash [@TSparseCoordsListPerComposits::GetCoords()]
: verified1.9.2
Product: Core
Classification: Components
Component: Graphics
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Assigned To: Jonathan Kew (:jfkthame)
: Milan Sreckovic [:milan]
Depends on: CVE-2010-3768
Blocks: fuzzing-fonts
Reported: 2010-07-21 12:10 PDT by Christoph Diehl [:posidron]
Modified: 2012-05-01 06:50 PDT (History)

Attachments:
testcase (84.17 KB, application/x-zip) - 2010-07-21 12:10 PDT, Christoph Diehl [:posidron]
callstack (11.11 KB, text/plain) - 2010-07-21 12:10 PDT, Christoph Diehl [:posidron]
Safari callstack (44.21 KB, text/plain) - 2010-07-26 00:54 PDT, John Daggett (:jtd)
testcase (22.87 KB, application/zip) - 2010-07-26 12:55 PDT, Christoph Diehl [:posidron]

Description Christoph Diehl [:posidron] 2010-07-21 12:10:01 PDT
Created attachment 459103 [details]

Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre

I am testing something new. Currently I can't provide you guys with the exact values/tables.

Load the provided html file.
Comment 1 Christoph Diehl [:posidron] 2010-07-21 12:10:39 PDT
Created attachment 459104 [details]
Comment 2 John Daggett (:jtd) 2010-07-25 22:07:59 PDT
Christoph, any idea what table/offsets you were fuzzing?  It would really help tracking down the cause.  I'm guessing somewhere in the glyf table but that probably needs to be verified.

For OSX cases, could you note when a testcase also crashes in Safari?  That helps raise the priority when reporting it to Apple.
Comment 3 Christoph Diehl [:posidron] 2010-07-26 00:37:29 PDT
John, it is the glyf table. I am currently trying to reduce the testcase. Yes, Safari is affected too.
Comment 4 John Daggett (:jtd) 2010-07-26 00:54:04 PDT
Created attachment 460199 [details]
Safari callstack

Crashes in Safari on 10.6.4 but not 10.5.8.
Comment 5 John Daggett (:jtd) 2010-07-26 01:13:05 PDT
Logged rdar://8233435 with Apple.
Comment 6 Christoph Diehl [:posidron] 2010-07-26 12:55:30 PDT
Created attachment 460307 [details]
testcase includes: values.txt
Comment 7 Jonathan Kew (:jfkthame) 2010-09-29 06:44:54 PDT
This will be fixed by the OTS sanitizer (bug 527276).
Comment 8 Jonathan Kew (:jfkthame) 2010-11-05 09:37:40 PDT
This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.
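Comments 7 and 8 say the fix was to let the OTS sanitizer reject the fuzzed font before it reaches the OS font engine. The block below is an added example of the kind of loca/glyf bounds checking such a sanitizer performs; it is not OTS, Gecko or Apple code, and it does not reproduce the values from the attached values.txt, which are not shown on this page. The sample glyphs (an empty glyph, a square, and a composite built from the square) are constructed for the example, as are the malformed variants used to exercise it. Simple glyphs have only their endPtsOfContours checked here; their flag and coordinate arrays are left unvalidated.

```python
import struct

# Component flags from the OpenType 'glyf' table specification.
ARG_1_AND_2_ARE_WORDS, ARGS_ARE_XY_VALUES, WE_HAVE_A_SCALE = 0x0001, 0x0002, 0x0008
MORE_COMPONENTS, WE_HAVE_AN_X_AND_Y_SCALE, WE_HAVE_A_TWO_BY_TWO = 0x0020, 0x0040, 0x0080


def parse_loca(loca, num_glyphs, long_offsets=False):
    """Return numGlyphs+1 byte offsets into glyf, or raise ValueError."""
    fmt = ">%d%s" % (num_glyphs + 1, "I" if long_offsets else "H")
    if len(loca) < struct.calcsize(fmt):
        raise ValueError("loca too short for numGlyphs=%d" % num_glyphs)
    scale = 1 if long_offsets else 2  # a short loca stores offset/2
    offs = [o * scale for o in struct.unpack(fmt, loca[:struct.calcsize(fmt)])]
    if any(offs[i] > offs[i + 1] for i in range(num_glyphs)):
        raise ValueError("loca offsets are not monotonic")
    return offs


def composite_components(body):
    """Walk component records after the 10-byte glyph header; return glyph indices."""
    refs, pos = [], 0
    while True:
        if pos + 4 > len(body):
            raise ValueError("component record truncated")
        flags, glyph_index = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4 + (4 if flags & ARG_1_AND_2_ARE_WORDS else 2)  # argument1/2
        # optional transform: one F2Dot14 scale, x/y scales, or a 2x2 matrix
        pos += 2 if flags & WE_HAVE_A_SCALE else 4 if flags & WE_HAVE_AN_X_AND_Y_SCALE else 8 if flags & WE_HAVE_A_TWO_BY_TWO else 0
        if pos > len(body):
            raise ValueError("component arguments run past end of glyph")
        refs.append(glyph_index)
        if not flags & MORE_COMPONENTS:
            return refs


def check_glyf(glyf, offs):
    """Return a list of error strings; an empty list means glyf passed."""
    errors, num_glyphs, components = [], len(offs) - 1, {}
    if offs[-1] > len(glyf):
        errors.append("loca end %d beyond glyf length %d" % (offs[-1], len(glyf)))
    for g in range(num_glyphs):
        start, end = offs[g], min(offs[g + 1], len(glyf))
        if start >= end:
            continue  # empty glyph (e.g. space), or clipped by the error above
        if end - start < 10:
            errors.append("glyph %d: header truncated" % g)
            continue
        ncont = struct.unpack(">h", glyf[start:start + 2])[0]  # numberOfContours
        body = glyf[start + 10:end]
        if ncont >= 0:  # simple glyph: endPtsOfContours[ncont] then instructionLength
            ends = struct.unpack(">%dH" % ncont, body[:2 * ncont]) if len(body) >= 2 * ncont + 2 else None
            if ends is None or any(ends[i] >= ends[i + 1] for i in range(ncont - 1)):
                errors.append("glyph %d: endPtsOfContours truncated or not increasing" % g)
            continue
        try:  # composite glyph
            refs = composite_components(body)
        except ValueError as e:
            errors.append("glyph %d: %s" % (g, e))
            continue
        errors += ["glyph %d: component index %d >= numGlyphs %d" % (g, r, num_glyphs) for r in refs if r >= num_glyphs]
        components[g] = [r for r in refs if r < num_glyphs]

    def walk(g, seen):  # follow component references, rejecting cycles
        if g in seen:
            raise ValueError("composite reference cycle through glyph %d" % g)
        for c in components.get(g, ()):
            walk(c, seen | {g})

    for g in components:
        try:
            walk(g, frozenset())
        except ValueError as e:
            errors.append("glyph %d: %s" % (g, e))
    return errors


def sanitize(loca, glyf, num_glyphs, long_offsets=False):
    """Non-empty result means the font would be blocked rather than loaded."""
    try:
        return check_glyf(glyf, parse_loca(loca, num_glyphs, long_offsets))
    except ValueError as e:
        return [str(e)]


def simple_square():  # constructed sample: one contour, four on-curve points, no instructions
    hdr = struct.pack(">hhhhh", 1, 0, 0, 100, 100) + struct.pack(">HH", 3, 0)
    flags = bytes([0x01]) * 4  # on-curve, x and y stored as int16 deltas
    return hdr + flags + struct.pack(">4h", 0, 100, 0, -100) + struct.pack(">4h", 0, 0, 100, -100)


def composite(parts):  # constructed sample from (glyphIndex, dx, dy) triples
    recs = b""
    for i, (gi, dx, dy) in enumerate(parts):
        flags = ARG_1_AND_2_ARE_WORDS | ARGS_ARE_XY_VALUES | (MORE_COMPONENTS if i + 1 < len(parts) else 0)
        recs += struct.pack(">HHhh", flags, gi, dx, dy)
    return struct.pack(">hhhhh", -1, 0, 0, 200, 100) + recs


def build_font(glyphs):  # returns (short loca, glyf) for a list of glyph byte strings
    glyf, offs = b"".join(glyphs), [0]
    for gl in glyphs:
        offs.append(offs[-1] + len(gl))
    return struct.pack(">%dH" % len(offs), *(o // 2 for o in offs)), glyf
```

With `loca, glyf = build_font([b"", simple_square(), composite([(1, 0, 0), (1, 100, 0)])])`, `sanitize(loca, glyf, 3)` returns an empty list; pointing a component at glyph index 0xFFFF, making the composite reference itself, or cutting the glyf table short each produce an error and the font is rejected instead of being handed to the platform rasterizer, which is the effect the sanitizer had on the fuzzed testcase in this bug.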
Comment 9 Al Billings [:abillings] 2010-11-18 15:51:53 PST
Verified fixed in with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20101118 Namoroka/3.6.13pre using testcase. Test no longer crashes as it does in (This was tested on OS X 10.6.5 but crash was verified first.)
