Bug 581359 - Invalid values in TT font leading to crash [@TAATLookupTable::SetTable]
Status: RESOLVED FIXED
rdar://8233460
Product: Core
Classification: Components
Component: Graphics
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Assigned To: Jonathan Kew (:jfkthame)
Depends on: CVE-2010-3768
Blocks: fuzzing-fonts
Reported: 2010-07-23 07:07 PDT by Christoph Diehl [:posidron]
Modified: 2012-05-01 06:50 PDT
Tracking flags: final+, .13-fixed, .16-fixed

Attachments
testcase (175.44 KB, application/zip), 2010-07-23 07:07 PDT, Christoph Diehl [:posidron]
callstack (15.48 KB, text/plain), 2010-07-23 07:08 PDT, Christoph Diehl [:posidron]
Safari callstack (42.31 KB, text/plain), 2010-07-26 01:34 PDT, John Daggett (:jtd)

Description Christoph Diehl [:posidron] 2010-07-23 07:07:56 PDT
Created attachment 459809: testcase

Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b3pre) Gecko/20100723 Minefield/4.0b3pre

Values are:

Offsets: dict_items([(150072, "b'\\x80\\x00'"), (9347, "b' \\x00'"), (292438, "b'\\xff\\xff\\xff\\xff'"), (268502, "b'\\x7f\\xff\\xff\\xff'")])


File info (sfnt table directory):

tag   checksum    offset          length
OS/2  3196297674  305184/0x4a820  96
Zapf  253203651   305280/0x4a880  34764
bsln  29165267    340044/0x5304c  72
cmap  4205552289  273428/0x42c14  2166
cvt   2670677685  254960/0x3e3f0  2026
fdsc  1075260213  271944/0x42648  48
feat  2154633964  340116/0x53094  156
fmtx  67636579    275628/0x434ac  16
fpgm  106188155   5124/0x1404     536
glyf  1989692338  11204/0x2bc4    243756
head  3489811497  256988/0x3ebdc  54
hhea  198903979   257044/0x3ec14  36
hmtx  893714523   412/0x19c       4712
just  1963032164  340272/0x53130  1222
kern  3455664817  341496/0x535f8  15272
lcar  1040670917  356768/0x571a0  220
loca  132760684   6488/0x1958     4716
maxp  214566296   275596/0x4348c  32
morx  3215994898  275644/0x434bc  29540
name  2241249365  271992/0x42678  1435
opbd  549854217   356988/0x5727c  394
post  3849197040  257080/0x3ec38  14861
prep  2537829783  5660/0x161c     825
prop  925905718   357384/0x57408  1004
trak  108134852   358388/0x577f4  104

Load the provided html file.
Comment 1 Christoph Diehl [:posidron] 2010-07-23 07:08:25 PDT
Created attachment 459810: callstack
Comment 2 John Daggett (:jtd) 2010-07-26 01:34:12 PDT
Created attachment 460209: Safari callstack

Logged as rdar://8233460 with Apple.

Note: needed to add the style below to get Safari to crash:

body { text-rendering: optimizeLegibility; } 

This forces Webkit to use CoreText.
Comment 3 Jonathan Kew (:jfkthame) 2010-09-29 06:42:12 PDT
This will be fixed by the OTS sanitizer (bug 527276).
Comment 4 Jonathan Kew (:jfkthame) 2010-11-05 09:42:19 PDT
This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.
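As an added illustration (not code from this bug, from Gecko or from OTS), the following Python does the first thing a sanitizer like the one in comment 4 must do before any table reaches the system font engine: it parses the sfnt table directory, rejects entries that are misaligned, run past the end of the file or fail their checksum, and maps the four mutated offsets from the description onto the reported table directory (a transcribed subset). The sample font blob, its table contents and the corrupted length field are constructed for the example.

```python
import struct

# Table directory subset (tag, offset, length) and mutated offsets transcribed from the description above.
REPORTED_TABLES = [("loca", 6488, 4716), ("glyf", 11204, 243756),
                   ("post", 257080, 14861), ("morx", 275644, 29540)]
MUTATED_OFFSETS = [150072, 9347, 292438, 268502]

def table_checksum(data):
    """OpenType table checksum: sum of big-endian uint32 words, zero-padded to 4 bytes."""
    data += b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(data) // 4), data)) & 0xFFFFFFFF

def build_font(tables):
    """Build a constructed sfnt blob: header, directory, then 4-byte-aligned table data."""
    offset, directory, body = 12 + 16 * len(tables), b"", b""
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, table_checksum(data), offset, len(data))
        body += data + b"\0" * (-len(data) % 4)
        offset += len(data) + (-len(data) % 4)
    return struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0) + directory + body

def parse_directory(font):
    """Return [(tag, checksum, offset, length), ...] from the sfnt table directory."""
    if len(font) < 12 or len(font) < 12 + 16 * struct.unpack(">H", font[4:6])[0]:
        raise ValueError("truncated sfnt header or table directory")
    num_tables = struct.unpack(">H", font[4:6])[0]
    return [struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i]) for i in range(num_tables)]

def validate(font):
    """Problems an OTS-style sanitizer would reject the font for (empty list means clean)."""
    problems = []
    for tag, csum, off, length in parse_directory(font):
        name = tag.decode("latin-1")
        # In C the sum off + length must first be checked for 32-bit overflow.
        if off % 4:
            problems.append(f"{name}: offset {off} not 4-byte aligned")
        if off + length > len(font):
            problems.append(f"{name}: table extends past end of file")
        elif table_checksum(font[off:off + length]) != csum:
            problems.append(f"{name}: checksum mismatch")
    return problems

def owning_table(offset, tables=REPORTED_TABLES):  # which reported table holds a byte offset
    return next((tag for tag, off, length in tables if off <= offset < off + length), None)

if __name__ == "__main__":
    font = build_font([(b"cmap", b"\0\0\0\1" * 4), (b"morx", b"\0\2\0\0" + b"\xff" * 30)])
    corrupt = bytearray(font)
    struct.pack_into(">I", corrupt, 12 + 16 + 12, 0xFFFFFFFF)  # morx length field -> 0xffffffff
    print(validate(font), validate(bytes(corrupt)), [owning_table(o) for o in MUTATED_OFFSETS])
```

The mutated offsets fall inside glyf, loca, morx and post respectively; the morx entry is the one an AAT lookup-table parser such as TAATLookupTable::SetTable would consume, which is why bounds and checksum rejection at the directory level stops the font before it reaches that code.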
Comment 5 [On PTO until 6/29] 2010-11-18 15:48:23 PST
QA needs to check this in OS X 10.6.4. It no longer crashes on OS X 10.6.5 with 1.9.2.12.