Closed Bug 581029 Opened 14 years ago Closed 14 years ago

Invalid values in TT font lead to crash [@CGSScanconverterRenderMask]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

Attachments

(3 files)

Attached file testcase
Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre


Invalid values are:

Offsets: dict_items([(129665, b'\xff\xff\xff\xff'), (76865, b'\xff\xc4@\x0f'), (107273, b'\x80\x00'), (67850, b'\xff\xff'), (160139, b'\x7f\xff'),
(125708, b'\x80\x00'), (151957, b'\x7f\xff'), (152730, b'\xff\xff\xff\xff'), (17582, b'\xff\xff'), (11056, b'\x7f\xff'), (24369, b'@\x00'),
(30006, b' \x00'), (136129, b'@\x00'), (92738, b'\x80\x00\x00\x00'), (101345, b'\x7f\xff\xff\xff'), (33608, b'@\x00'), (167753, b'\xff\xc4@\x0f'),
(4176, b'\xff\xc4@\x0f'), (4561, b'\xff\xff'), (63828, b'\xff\xc4@\x0f'), (65365, b'\xff\xc4@\x0f'), (148825, b'\xff\xc4@\x0f'),
(171482, b'\x80\x00\x00\x00'), (58843, b' \x00'), (73568, b' \x00'), (108897, b'\xff\xff\xff\xff'), (80358, b' \x00'), (137320, b'\x7f\xff\xff\xff'),
(151785, b'\xff\xff'), (140397, b'\x80\x00'), (15475, b' \x00'), (150121, b'@\x00'), (31489, b'\x7f\xff'), (169725, b'\xff\xc4@\x0f'),
(131839, b'\x80\x00')])

Load the provided html file.
Attached file callstack
This is a crash within the CoreGraphics font rasterizer; there's little we can do about this except report it to Apple and hope they'll make CG more robust.
Note that Safari crashes with a similar callstack on this testcase.
blocking2.0: --- → ?
Filed rdar://8222223 to report this to Apple.
blocking2.0: ? → final+
BTW, what do those offsets in the description mean?  Are those offsets into the file itself, or into a given table (e.g. the 'glyf' table)?
Correct, offsets into the file itself.
Assignee: nobody → jdaggett
Attachment #459435 - Attachment mime type: application/octet-stream → text/plain
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
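The reporter's dump in comment 0 describes the mutation model (bytes at file offsets overwritten with boundary values such as 0x7fff, 0x8000 and 0xffffffff), and the resolution is a sanitizer that rejects the fuzzed font before the platform rasterizer ever parses it. The Python below is an added illustration and is not code from this bug, its testcase, or OTS: it assembles a constructed minimal sfnt container, applies mutations in that model to the table directory, and runs simplified bounds checks of the kind a sanitizer performs. The function names (build_font, apply_mutations, sanitize_directory, check_font), the sample tables and the mutation offsets are assumptions chosen for the example; the checks are a small subset and do not reproduce OTS.

```python
import struct

# Constructed sample tables (not from the bug's testcase). The bodies are
# placeholders; only the directory geometry matters for the bounds checks.
SAMPLE_TABLES = [
    (b'glyf', bytes(range(40))),
    (b'head', b'\x00\x01\x00\x00' * 13 + b'\x00\x02'),   # 54 bytes, padded to 56
    (b'hhea', b'\x00' * 36),
]

# Boundary values of the kind in the reporter's list, aimed at the glyf entry's
# offset field (file offset 20) and the head entry's length field (file offset
# 40) of the font built below.  Offsets are into the file, as the reporter
# confirmed for the real testcase.  These two targets are an assumption.
DIRECTORY_MUTATIONS = {
    20: b'\x80\x00\x00\x00',   # glyf offset -> 0x80000000 (still 4-byte aligned)
    40: b'\xff\xff\xff\xff',   # head length -> 0xFFFFFFFF
}


def table_checksum(padded):
    """OpenType table checksum: sum of big-endian 32-bit words, mod 2**32."""
    words = struct.unpack('>%dI' % (len(padded) // 4), padded)
    return sum(words) & 0xFFFFFFFF


def build_font(tables):
    """Assemble an sfnt container: 12-byte header, 16-byte directory entries,
    then each table body padded to a 4-byte boundary."""
    num = len(tables)
    offset = 12 + 16 * num
    entries, blobs = [], []
    for tag, body in tables:
        padded = body + b'\x00' * ((-len(body)) % 4)
        entries.append(struct.pack('>4sIII', tag, table_checksum(padded), offset, len(body)))
        blobs.append(padded)
        offset += len(padded)
    # searchRange/entrySelector/rangeShift are left zero; real fonts fill them in.
    header = struct.pack('>IHHHH', 0x00010000, num, 0, 0, 0)
    return header + b''.join(entries) + b''.join(blobs)


def apply_mutations(font, mutations):
    """Overwrite bytes at file offsets: the mutation model of the reporter's dump."""
    buf = bytearray(font)
    for off, value in mutations.items():
        if off + len(value) > len(buf):
            raise ValueError('mutation at %d runs past end of file' % off)
        buf[off:off + len(value)] = value
    return bytes(buf)


class RejectFont(ValueError):
    """Raised for a font the sanitizer refuses to pass on to the rasterizer."""


def sanitize_directory(font):
    """Parse the table directory, rejecting any entry that points outside the
    file or is malformed.  Returns {tag: (offset, length)} for a sane font."""
    size = len(font)
    if size < 12:
        raise RejectFont('file shorter than sfnt header')
    version, num = struct.unpack_from('>IH', font, 0)
    if version not in (0x00010000, 0x74727565):      # 1.0 or 'true'
        raise RejectFont('unknown sfnt version 0x%08x' % version)
    dir_end = 12 + 16 * num
    if num == 0 or dir_end > size:
        raise RejectFont('table directory does not fit in file')
    tables = {}
    for i in range(num):
        tag, csum, off, length = struct.unpack_from('>4sIII', font, 12 + 16 * i)
        if tag in tables:
            raise RejectFont('duplicate table %r' % tag)
        if off % 4:
            raise RejectFont('%r: offset %d not 4-byte aligned' % (tag, off))
        # Python ints do not wrap, so off + length is an honest comparison; in C
        # the same test must be written as `off > size || length > size - off`
        # so that a huge offset or length cannot overflow the addition.
        if off < dir_end or off + length > size:
            raise RejectFont('%r: offset %d length %d outside %d-byte file'
                             % (tag, off, length, size))
        tables[tag] = (off, length)
    return tables


def check_font(font):
    """Return (True, None) if the directory is sane, else (False, reason)."""
    try:
        sanitize_directory(font)
        return True, None
    except RejectFont as e:
        return False, str(e)


if __name__ == '__main__':
    clean = build_font(SAMPLE_TABLES)
    print(len(clean), check_font(clean))
    fuzzed = apply_mutations(clean, DIRECTORY_MUTATIONS)
    print(check_font(fuzzed))
```

The clean font is 192 bytes and passes; after the two directory mutations the glyf entry claims an offset of 0x80000000 and is rejected at the bounds check, which is the point of putting a sanitizer in front of a rasterizer that trusts its own input. The same mutation model applied inside a table body (the majority of the reporter's offsets) is not caught by directory checks alone; a real sanitizer also parses and re-serializes each table it passes through, and that is what "blocking the fuzzed font" refers to in the fix.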
QA needs to check this in OS X 10.6.4. It no longer crashes on OS X 10.6.5 with 1.9.2.12.