
Invalid values in TT font lead to crash [@CGSScanconverterRenderMask]

Status: RESOLVED FIXED
Product: Core
Component: Graphics
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 5 years ago

People

(Reporter: posidron, Assigned: jfkthame)

Tracking

(Blocks: 1 bug)

Version: Trunk
Platform: x86_64 Mac OS X
Points: ---

Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 .13-fixed, status1.9.1 .16-fixed)

Details

Attachments

(3 attachments)

(Reporter)

Description

7 years ago
Created attachment 459434 [details]
testcase

Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre


Invalid values are:

Offsets: dict_items([
(129665, b'\xff\xff\xff\xff'),
(76865, b'\xff\xc4@\x0f'),
(107273, b'\x80\x00'),
(67850, b'\xff\xff'),
(160139, b'\x7f\xff'),
(125708, b'\x80\x00'),
(151957, b'\x7f\xff'),
(152730, b'\xff\xff\xff\xff'),
(17582, b'\xff\xff'),
(11056, b'\x7f\xff'),
(24369, b'@\x00'),
(30006, b' \x00'),
(136129, b'@\x00'),
(92738, b'\x80\x00\x00\x00'),
(101345, b'\x7f\xff\xff\xff'),
(33608, b'@\x00'),
(167753, b'\xff\xc4@\x0f'),
(4176, b'\xff\xc4@\x0f'),
(4561, b'\xff\xff'),
(63828, b'\xff\xc4@\x0f'),
(65365, b'\xff\xc4@\x0f'),
(148825, b'\xff\xc4@\x0f'),
(171482, b'\x80\x00\x00\x00'),
(58843, b' \x00'),
(73568, b' \x00'),
(108897, b'\xff\xff\xff\xff'),
(80358, b' \x00'),
(137320, b'\x7f\xff\xff\xff'),
(151785, b'\xff\xff'),
(140397, b'\x80\x00'),
(15475, b' \x00'),
(150121, b'@\x00'),
(31489, b'\x7f\xff'),
(169725, b'\xff\xc4@\x0f'),
(131839, b'\x80\x00')])

Load the provided html file.
(Reporter)

Comment 1

7 years ago
Created attachment 459435 [details]
callstack
(Assignee)

Comment 2

7 years ago
This is a crash within the CoreGraphics font rasterizer; there's little we can do about this except report it to Apple and hope they'll make CG more robust.
(Assignee)

Comment 3

7 years ago
Created attachment 459445 [details]
callstack from Safari, for comparison

Note that Safari crashes with a similar callstack on this testcase.
blocking2.0: --- → ?
(Assignee)

Comment 4

7 years ago
Filed rdar://8222223 to report this to Apple.
blocking2.0: ? → final+

Comment 5

7 years ago
BTW, what do those offsets in the description mean?  Are those offsets into the file itself, or into a given table (e.g. the 'glyf' table)?
(Reporter)

Comment 6

7 years ago
Correct, offsets into the file itself.
Assignee: nobody → jdaggett

Updated

7 years ago
Attachment #459435 - Attachment mime type: application/octet-stream → text/plain
(Assignee)

Comment 7

7 years ago
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: 527276
(Assignee)

Comment 8

7 years ago
This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status1.9.2: --- → .13-fixed
Resolution: --- → FIXED
QA needs to check this in OS X 10.6.4. It no longer crashes on OS X 10.6.5 with 1.9.2.12.
status1.9.1: --- → .16-fixed
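Comments 7 and 8 attribute the fix to a font sanitizer that rejects the fuzzed font before any of it reaches the CoreGraphics rasterizer. The block below is an added illustration of that defensive pattern, written for this page; it is not OTS or Mozilla code. It validates only the sfnt table directory (a real sanitizer also validates the contents of every table), and the sample font, the `build_font`/`sanitize`/`patch` helpers and the corrupted field are all constructed here. The corruption mirrors the report's notation of (file offset, bytes written): a table length field overwritten with b'\xff\xff\xff\xff'.

```python
"""Added example (not Mozilla's or OTS's code): a minimal sfnt table-directory
sanity check of the kind a font sanitizer performs before a font reaches the
platform rasterizer. All helper names and sample fonts are constructed."""
import struct

SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checkSum, offset, length
MAX_TABLES = 64                         # assumption: generous cap for any real font


def build_font(tables):
    """Construct a minimal TrueType-flavoured sfnt container from {tag: payload}.
    Only the directory is meaningful; payloads are opaque constructed bytes."""
    n = len(tables)
    dir_size = SFNT_HEADER.size + n * TABLE_RECORD.size
    records, body = b"", b""
    for tag, payload in sorted(tables.items()):
        offset = dir_size + len(body)
        records += TABLE_RECORD.pack(tag, 0, offset, len(payload))
        # tables are 4-byte aligned and zero padded, as the spec requires
        body += payload + b"\0" * (-len(payload) % 4)
    entry_selector = max(n.bit_length() - 1, 0)
    search_range = (1 << entry_selector) * 16
    header = SFNT_HEADER.pack(0x00010000, n, search_range, entry_selector, n * 16 - search_range)
    return header + records + body


def sanitize(data):
    """Return (ok, reason). Reject any directory entry that cannot be honoured
    without reading outside the file, overlapping the directory, or misaligning."""
    if len(data) < SFNT_HEADER.size:
        return False, "truncated header"
    version, n, *_ = SFNT_HEADER.unpack_from(data, 0)
    if version not in (0x00010000, 0x74727565):  # 0x74727565 is the 'true' tag
        return False, "unsupported sfnt version 0x%08x" % version
    dir_end = SFNT_HEADER.size + n * TABLE_RECORD.size
    if n == 0 or n > MAX_TABLES or dir_end > len(data):
        return False, "implausible table count %d" % n
    for i in range(n):
        tag, _chk, offset, length = TABLE_RECORD.unpack_from(
            data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        # Python integers cannot overflow, so offset + length is the true end;
        # a C implementation must instead test offset > size - length to avoid wraparound.
        if offset % 4 or offset < dir_end or offset + length > len(data):
            return False, "table %r: offset %d length %d outside %d-byte file" % (
                tag.decode("latin-1"), offset, length, len(data))
    return True, "ok"


def patch(data, offset, value):
    """Overwrite bytes at a file offset, the (offset, bytes) form the report uses."""
    return data[:offset] + value + data[offset + len(value):]


# Constructed sample font: three opaque tables, sorted in the directory as glyf, head, loca.
GOOD_FONT = build_font({b"head": b"\0" * 54, b"glyf": b"\x00\x01" * 20, b"loca": b"\0\0\0\0\0\x28"})

# The 'glyf' record is first; its length field sits 12 bytes into the record.
GLYF_LENGTH_OFFSET = SFNT_HEADER.size + 0 * TABLE_RECORD.size + 12
BAD_FONT = patch(GOOD_FONT, GLYF_LENGTH_OFFSET, b"\xff\xff\xff\xff")

if __name__ == "__main__":
    print("original :", sanitize(GOOD_FONT))
    print("corrupted:", sanitize(BAD_FONT))
```

The point the sanitizer illustrates is the one made in comment 2: the rasterizer itself cannot be fixed from the browser side, so the browser refuses to hand it anything whose structure it has not first verified. Note the comment on the bounds test: in a C implementation the natural `offset + length <= size` check wraps on 32-bit arithmetic for exactly the 0xffffffff values the fuzzer wrote.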
(Reporter)

Updated

5 years ago
Blocks: 750695