Closed Bug 581359 Opened 14 years ago Closed 14 years ago

Invalid values in TT font leading to crash [@TAATLookupTable::SetTable]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Whiteboard: rdar://8233460)

Attachments

(3 files)

Attached file testcase
Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b3pre) Gecko/20100723 Minefield/4.0b3pre

Values are:

Offsets: dict_items([(150072, "b'\\x80\\x00'"), (9347, "b' \\x00'"), (292438, "b'\\xff\\xff\\xff\\xff'"), (268502, "b'\\x7f\\xff\\xff\\xff'")])


File info:

tag: b'OS/2', checksum: 3196297674, offset: 305184/0x4a820, length: 96, 
tag: b'Zapf', checksum: 253203651, offset: 305280/0x4a880, length: 34764, 
tag: b'bsln', checksum: 29165267, offset: 340044/0x5304c, length: 72, 
tag: b'cmap', checksum: 4205552289, offset: 273428/0x42c14, length: 2166, 
tag: b'cvt ', checksum: 2670677685, offset: 254960/0x3e3f0, length: 2026, 
tag: b'fdsc', checksum: 1075260213, offset: 271944/0x42648, length: 48, 
tag: b'feat', checksum: 2154633964, offset: 340116/0x53094, length: 156, 
tag: b'fmtx', checksum: 67636579, offset: 275628/0x434ac, length: 16, 
tag: b'fpgm', checksum: 106188155, offset: 5124/0x1404, length: 536, 
tag: b'glyf', checksum: 1989692338, offset: 11204/0x2bc4, length: 243756, 
tag: b'head', checksum: 3489811497, offset: 256988/0x3ebdc, length: 54, 
tag: b'hhea', checksum: 198903979, offset: 257044/0x3ec14, length: 36, 
tag: b'hmtx', checksum: 893714523, offset: 412/0x19c, length: 4712, 
tag: b'just', checksum: 1963032164, offset: 340272/0x53130, length: 1222, 
tag: b'kern', checksum: 3455664817, offset: 341496/0x535f8, length: 15272, 
tag: b'lcar', checksum: 1040670917, offset: 356768/0x571a0, length: 220, 
tag: b'loca', checksum: 132760684, offset: 6488/0x1958, length: 4716, 
tag: b'maxp', checksum: 214566296, offset: 275596/0x4348c, length: 32, 
tag: b'morx', checksum: 3215994898, offset: 275644/0x434bc, length: 29540, 
tag: b'name', checksum: 2241249365, offset: 271992/0x42678, length: 1435, 
tag: b'opbd', checksum: 549854217, offset: 356988/0x5727c, length: 394, 
tag: b'post', checksum: 3849197040, offset: 257080/0x3ec38, length: 14861, 
tag: b'prep', checksum: 2537829783, offset: 5660/0x161c, length: 825, 
tag: b'prop', checksum: 925905718, offset: 357384/0x57408, length: 1004, 
tag: b'trak', checksum: 108134852, offset: 358388/0x577f4, length: 104, 


Load the provided html file.
Attached file callstack
blocking2.0: --- → ?
Assignee: nobody → jdaggett
blocking2.0: ? → final+
Attached file Safari callstack
Logged as rdar://8233460 with Apple.

Note: needed to add the style below to get Safari to crash:

body { text-rendering: optimizeLegibility; } 

This forces Webkit to use CoreText.
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
QA needs to check this in OS X 10.6.4. It no longer crashes on OS X 10.6.5 with 1.9.2.12.
You need to log in before you can comment on or make changes to this bug.