Bug 581029 - Invalid values in TT font lead to crash [@CGSScanconverterRenderMask]
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: Graphics
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Assigned To: Jonathan Kew (:jfkthame)
: Milan Sreckovic [:milan]
Depends on: CVE-2010-3768
Blocks: fuzzing-fonts
Reported: 2010-07-22 08:00 PDT by Christoph Diehl [:posidron]
Modified: 2012-05-01 06:50 PDT
Tracking flags: final+, .13-fixed, .16-fixed

Attachments
testcase (83.40 KB, application/x-zip), 2010-07-22 08:00 PDT, Christoph Diehl [:posidron]
callstack (10.76 KB, text/plain), 2010-07-22 08:01 PDT, Christoph Diehl [:posidron]
callstack from Safari, for comparison (9.37 KB, text/plain), 2010-07-22 08:15 PDT, Jonathan Kew (:jfkthame)

Description Christoph Diehl [:posidron] 2010-07-22 08:00:57 PDT
Created attachment 459434: testcase

Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre

Invalid values are:

Offsets: dict_items([
  (129665, b'\xff\xff\xff\xff'),
  (76865, b'\xff\xc4@\x0f'),
  (107273, b'\x80\x00'),
  (67850, b'\xff\xff'),
  (160139, b'\x7f\xff'),
  (125708, b'\x80\x00'),
  (151957, b'\x7f\xff'),
  (152730, b'\xff\xff\xff\xff'),
  (17582, b'\xff\xff'),
  (11056, b'\x7f\xff'),
  (24369, b'@\x00'),
  (30006, b' \x00'),
  (136129, b'@\x00'),
  (92738, b'\x80\x00\x00\x00'),
  (101345, b'\x7f\xff\xff\xff'),
  (33608, b'@\x00'),
  (167753, b'\xff\xc4@\x0f'),
  (4176, b'\xff\xc4@\x0f'),
  (4561, b'\xff\xff'),
  (63828, b'\xff\xc4@\x0f'),
  (65365, b'\xff\xc4@\x0f'),
  (148825, b'\xff\xc4@\x0f'),
  (171482, b'\x80\x00\x00\x00'),
  (58843, b' \x00'),
  (73568, b' \x00'),
  (108897, b'\xff\xff\xff\xff'),
  (80358, b' \x00'),
  (137320, b'\x7f\xff\xff\xff'),
  (151785, b'\xff\xff'),
  (140397, b'\x80\x00'),
  (15475, b' \x00'),
  (150121, b'@\x00'),
  (31489, b'\x7f\xff'),
  (169725, b'\xff\xc4@\x0f'),
  (131839, b'\x80\x00')
])

Load the provided html file.
Comment 1 Christoph Diehl [:posidron] 2010-07-22 08:01:30 PDT
Created attachment 459435: callstack
Comment 2 Jonathan Kew (:jfkthame) 2010-07-22 08:14:21 PDT
This is a crash within the CoreGraphics font rasterizer; there's little we can do about this except report it to Apple and hope they'll make CG more robust.
Comment 3 Jonathan Kew (:jfkthame) 2010-07-22 08:15:32 PDT
Created attachment 459445: callstack from Safari, for comparison

Note that Safari crashes with a similar callstack on this testcase.
Comment 4 Jonathan Kew (:jfkthame) 2010-07-22 08:23:39 PDT
Filed rdar://8222223 to report this to Apple.
Comment 5 John Daggett (:jtd) 2010-07-22 17:36:38 PDT
BTW, what do those offsets in the description mean?  Are those offsets into the file itself, or into a given table (e.g. the 'glyf' table)?
Comment 6 Christoph Diehl [:posidron] 2010-07-22 19:01:04 PDT
Correct, offsets into the file itself.
Comment 7 Jonathan Kew (:jfkthame) 2010-09-29 06:43:33 PDT
This will be fixed by the OTS sanitizer (bug 527276).
Comment 8 Jonathan Kew (:jfkthame) 2010-11-05 09:40:00 PDT
This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.
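Comments 7 and 8 say the fix was not a change to the rasterizer but the OTS sanitizer refusing to hand the fuzzed font to CoreGraphics at all. The block below is an added illustration of what such a sanitizer does, together with the byte-poking mutation that the report's offset list records; it is not OTS, Mozilla or Apple code. The sample font is constructed inside the block (it is not the bug's testcase), the set of checks is a small subset of what OTS performs, and every name in it (build_font, make_sample_font, sanitize, check_head_maxp_loca, poke, table_location, rejection_reason) is this example's own assumption.

```python
"""Toy TrueType container sanitizer plus the byte-poking step of a boundary-value
font fuzzer. Added illustration: not OTS, Mozilla or Apple code; the sample font is
constructed here and is not the bug's testcase; every name is the example's own."""
import struct

SFNT_TRUETYPE = 0x00010000
HEAD_MAGIC = 0x5F0F3CF5
REQUIRED_TABLES = {b"head", b"maxp", b"loca", b"glyf"}  # subset of what OTS demands

class FontRejected(ValueError):
    """A font that must never reach the platform rasterizer."""

def build_font(tables):
    """Assemble an sfnt from {tag: bytes}. Checksums are written as 0 because a
    sanitizer must not rely on them (OTS recomputes them); checks are structural."""
    num = len(tables)
    sel = num.bit_length() - 1
    search = (1 << sel) * 16
    out = [struct.pack(">IHHHH", SFNT_TRUETYPE, num, search, sel, num * 16 - search)]
    offset, body = 12 + 16 * num, []
    for tag in sorted(tables):  # directory records must be sorted by tag
        out.append(struct.pack(">4sIII", tag, 0, offset, len(tables[tag])))
        body.append(tables[tag] + b"\0" * (-len(tables[tag]) % 4))
        offset += len(body[-1])
    return b"".join(out + body)

def make_sample_font():
    """Constructed sample: empty .notdef plus one triangle glyph, long loca."""
    head = struct.pack(">IIIIHHqqhhhhHHhhh", 0x00010000, 0x00010000, 0, HEAD_MAGIC,
                       0, 1000, 0, 0, 0, 0, 200, 200, 0, 8, 2, 1, 0)
    maxp = struct.pack(">IH", 0x00010000, 2) + b"\0" * 26  # numGlyphs = 2
    glyf = (struct.pack(">hhhhhHH", 1, 0, 0, 200, 200, 2, 0)  # 1 contour, 3 points
            + bytes([0x37, 0x37, 0x17]) + bytes([0, 100, 100]) + bytes([0, 200, 200]))
    loca = struct.pack(">III", 0, 0, len(glyf))
    return build_font({b"head": head, b"maxp": maxp, b"loca": loca, b"glyf": glyf})

def sanitize(font):
    """Return {tag: bytes} if every directory entry and key field is in range."""
    if len(font) < 12:
        raise FontRejected("shorter than the offset table")
    sfnt, num = struct.unpack_from(">IH", font, 0)
    dir_end = 12 + 16 * num
    if sfnt != SFNT_TRUETYPE or num == 0 or dir_end > len(font):
        raise FontRejected("bad sfnt header or directory runs past end of file")
    tables = {}
    for i in range(num):
        tag, _csum, offset, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        # Python ints do not wrap; the C version must guard offset+length overflow.
        if tag in tables or offset < dir_end or length == 0 or offset + length > len(font):
            raise FontRejected("table %r duplicated or lies outside the file" % tag)
        tables[tag] = font[offset:offset + length]
    if REQUIRED_TABLES - set(tables):
        raise FontRejected("missing tables %r" % sorted(REQUIRED_TABLES - set(tables)))
    check_head_maxp_loca(tables)
    return tables

def check_head_maxp_loca(t):
    """Range checks on the tables that drive glyph lookup; a real sanitizer then
    parses each glyph's flag and coordinate arrays as well."""
    head, maxp, loca, glyf = t[b"head"], t[b"maxp"], t[b"loca"], t[b"glyf"]
    if len(head) != 54 or struct.unpack_from(">I", head, 12)[0] != HEAD_MAGIC:
        raise FontRejected("bad head table")
    units_per_em, = struct.unpack_from(">H", head, 18)
    index_to_loc, = struct.unpack_from(">h", head, 50)
    if not 16 <= units_per_em <= 16384 or index_to_loc not in (0, 1):
        raise FontRejected("head: unitsPerEm or indexToLocFormat out of range")
    if len(maxp) < 6:
        raise FontRejected("maxp too short")
    num_glyphs, = struct.unpack_from(">H", maxp, 4)
    fmt, width = (">I", 4) if index_to_loc else (">H", 2)
    if len(loca) < (num_glyphs + 1) * width:
        raise FontRejected("loca shorter than numGlyphs+1 entries")
    prev = 0
    for i in range(num_glyphs + 1):
        off = struct.unpack_from(fmt, loca, i * width)[0] * (1 if index_to_loc else 2)
        if off < prev or off > len(glyf):  # non-monotonic or past glyf: wild reads
            raise FontRejected("loca entry %d points outside glyf" % i)
        prev = off

def poke(font, offset, value):
    """The fuzzer's mutation: overwrite bytes at a file offset with a boundary
    value such as b'\\xff\\xff\\xff\\xff' or b'\\x80\\x00', as the report lists."""
    return font[:offset] + value + font[offset + len(value):]

def table_location(font, tag):
    """(directory record position, table file offset) for tag, read from the file."""
    for i in range(struct.unpack_from(">H", font, 4)[0]):
        rec = 12 + 16 * i
        if font[rec:rec + 4] == tag:
            return rec, struct.unpack_from(">I", font, rec + 8)[0]
    raise KeyError(tag)

def rejection_reason(font):
    """None if the sanitizer accepts the font, else its message."""
    try:
        sanitize(font)
        return None
    except FontRejected as e:
        return str(e)
```

Poking the 'glyf' directory record's offset field with b'\xff\xff\xff\xff', head.unitsPerEm with b'\x00\x00', or a loca entry with b'\x7f\xff\xff\xff' (the same boundary values the report's offset list shows) makes sanitize() raise before any byte could reach a rasterizer, while the clean constructed font passes. OTS goes much further: it parses every glyph outline, hinting program and cmap subtable, and re-serializes a fresh font rather than passing the original bytes through, which is why a file whose values CoreGraphics mishandles never gets that far.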
Comment 9 Al Billings [:abillings] 2010-11-18 15:50:11 PST
QA needs to check this in OS X 10.6.4. It no longer crashes on OS X 10.6.5 with 1.9.2.12.