Invalid values in TT's glyf table leading to crash [@TSparseCoordsListPerComposits::GetCoords()]

RESOLVED FIXED

Status

()

Core
Graphics
--
critical
RESOLVED FIXED
7 years ago
5 years ago

People

(Reporter: posidron, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {verified1.9.2})

Trunk
x86_64
Mac OS X
verified1.9.2
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 .13-fixed, status1.9.1 .16-fixed)

Details

(Whiteboard: rdar://8233435)

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

7 years ago
Created attachment 459103 [details]
testcase

Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US;
rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre

I am testing something new. Currently I can't provide you guys with the exact values/tables.

Load the provided html file.
(Reporter)

Comment 1

7 years ago
Created attachment 459104 [details]
callstack
blocking2.0: --- → ?
blocking2.0: ? → final+
Assignee: nobody → jdaggett

Comment 2

7 years ago
Christoph, any idea what table/offsets you were fuzzing?  It would really help tracking down the cause.  I'm guessing somewhere in the glyf table but that probably needs to be verified.

For OSX cases, could you note when a testcase also crashes in Safari?  That helps raise the priority when reporting it to Apple.
(Reporter)

Comment 3

7 years ago
John, it is the glyf table. I am currently trying to reduce the testcase. Yes, Safari is affected too.
(Reporter)

Updated

7 years ago
Summary: Invalid values in TT font leading to crash [@TSparseCoordsListPerComposits::GetCoords()] → Invalid values in TT's glyf table leading to crash [@TSparseCoordsListPerComposits::GetCoords()]

Comment 4

7 years ago
Created attachment 460199 [details]
Safari callstack

Crashes in Safari on 10.6.4 but not 10.5.8.

Comment 5

7 years ago
Logged rdar://8233435 with Apple.
(Reporter)

Comment 6

7 years ago
Created attachment 460307 [details]
testcase

testcase.zip includes: values.txt
Attachment #459103 - Attachment is obsolete: true
Whiteboard: rdar://8233435
(Assignee)

Comment 7

7 years ago
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: 527276
(Assignee)

Comment 8

7 years ago
This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status1.9.2: --- → .13-fixed
Resolution: --- → FIXED
Verified fixed in 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6;
en-US; rv:1.9.2.13pre) Gecko/20101118 Namoroka/3.6.13pre using testcase. Test
no longer crashes as it does in 1.9.2.12. (This was tested on OS X 10.6.5 but crash was verified first.)
Keywords: verified1.9.2
status1.9.1: --- → .16-fixed
(Reporter)

Updated

5 years ago
Blocks: 750695
You need to log in before you can comment on or make changes to this bug.