Closed
Bug 582151
Opened 14 years ago
Closed 14 years ago
Invalid values in TTs kern table leading to crash [@TAATKernEngine::KernRuns]
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: posidron, Assigned: jfkthame)
References
(Blocks 1 open bug)
Details
(Keywords: verified1.9.2, Whiteboard: [sg:vector-critical (Apple)] rdar://8238044)
Attachments
(3 files)
Table: b'kern'
Number of replaced values: 15
Offset: 7/0x000007 Value: ['7f', 'ff']
Offset: 185/0x0000b9 Value: ['80', '00', '00', '00']
Offset: 1367/0x000557 Value: ['20', '00']
Offset: 1955/0x0007a3 Value: ['7f', 'ff', 'ff', 'ff']
Offset: 2146/0x000862 Value: ['80', '00', '00', '00']
Offset: 4148/0x001034 Value: ['ff', 'ff', 'ff', 'ff']
Offset: 4506/0x00119a Value: ['7f', 'ff', 'ff', 'ff']
Offset: 4717/0x00126d Value: ['80', '00']
Offset: 6661/0x001a05 Value: ['7f', '00']
Offset: 6874/0x001ada Value: ['80', '00']
Offset: 7291/0x001c7b Value: ['ff', 'ff']
Offset: 8055/0x001f77 Value: ['40', '00']
Offset: 10804/0x002a34 Value: ['ff', 'ff']
Offset: 14033/0x0036d1 Value: ['7f', 'ff', 'ff', 'ff']
Offset: 14798/0x0039ce Value: ['7f', 'ff']

Load the provided html file.
Reporter | ||
Comment 1•14 years ago
|
||
Reporter | ||
Comment 2•14 years ago
|
||
Updated•14 years ago
|
blocking2.0: --- → ?
Updated•14 years ago
|
Assignee: nobody → jdaggett
blocking2.0: ? → final+
Updated•14 years ago
|
Group: core-security
Reporter | ||
Comment 3•14 years ago
|
||
Following is the reply I got from Apple's Product Security team. Note, I haven't marked this bug as a security issue before, neither at Apple nor here.

---------

Hello,

Thank you for reporting this issue via Apple's Bug Reporter. We take any report of a potential security issue very seriously. This message is being sent to you by a security analyst who has reviewed your note.

The issue is being investigated, and we appreciate the time you have taken to report it to us. If we need additional information, you will hear from us very soon.

Because of the potentially sensitive nature of security vulnerabilities, we ask that this information remain between you and Apple while we investigate it further.

Our primary email address is product-security@apple.com. If you have any concerns about the handling of a bug you reported, please email us. Our PGP key is available at https://www.apple.com/support/security/pgp/.

You'll notice a number at the top of this email. Including that number in any further emails you send to us on this issue will help us rapidly associate it with your original report.

We do not automatically provide status updates on issues as we work on them, but please feel free to request one if needed by replying to this message.

Best regards,
David Remahl
Apple’s Product Security team
Updated•14 years ago
|
Whiteboard: rdar://8238044 → [sg:vector-critical (Apple)] rdar://8238044
Comment 4•14 years ago
|
||
That's the standard boilerplate response you get when filing bugs marked "security" with Apple.
Reporter | ||
Comment 5•14 years ago
|
||
John, yes but I haven't filed it as a security bug. They changed the flags for it.
Assignee | ||
Comment 6•14 years ago
|
||
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Assignee | ||
Comment 7•14 years ago
|
||
Fixed on trunk and 1.9.2 by the OTS sanitizer.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
status1.9.2: --- → .13-fixed
Resolution: --- → FIXED
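
Added example, not part of the bug thread and not OTS code: a minimal structural check of a version-0 'kern' table with format-0 subtables, of the kind a font sanitizer can run before the table reaches the platform text engine. The function names, the chosen checks and the sample table are assumptions made for illustration; overwrite() mimics the offset/value replacements listed in the report.

```python
import struct

def build_kern(pairs):
    """Constructed sample: version-0 'kern' table with one format-0 subtable."""
    n = len(pairs)
    sel = n.bit_length() - 1                       # floor(log2(nPairs)), n >= 1
    search = (1 << sel) * 6
    body = struct.pack(">4H", n, search, sel, n * 6 - search)
    body += b"".join(struct.pack(">HHh", *p) for p in sorted(pairs))
    return struct.pack(">5H", 0, 1, 0, 6 + len(body), 0x0001) + body

def overwrite(data, offset, value):
    """Replace bytes at offset, the way the fuzzer log in the report describes."""
    return data[:offset] + value + data[offset + len(value):]

def check_kern(data):
    """Return a list of structural problems; an empty list means the table passed."""
    if len(data) < 4:
        return ["table shorter than its header"]
    version, n_tables = struct.unpack_from(">2H", data, 0)
    if version != 0:
        return ["unsupported table version %d" % version]
    problems, off = [], 4
    for i in range(n_tables):
        if off + 14 > len(data):
            return problems + ["subtable %d: header past end of table" % i]
        sub_ver, length, coverage, n_pairs, search, sel, shift = \
            struct.unpack_from(">7H", data, off)
        if sub_ver != 0 or coverage >> 8 != 0:
            return problems + ["subtable %d: not version 0 / format 0" % i]
        # Every later read is bounded by these three comparisons.
        if length < 14 or off + length > len(data) or 14 + n_pairs * 6 > length:
            return problems + ["subtable %d: length/nPairs exceed the data" % i]
        exp_sel = max(n_pairs, 1).bit_length() - 1
        exp_search = (1 << exp_sel) * 6
        if (search, sel, shift) != (exp_search, exp_sel, n_pairs * 6 - exp_search):
            problems.append("subtable %d: search header inconsistent with nPairs" % i)
        # Each pair is (left, right, value); left+right form one 32-bit sort key.
        keys = [struct.unpack_from(">I", data, off + 14 + 6 * k)[0] for k in range(n_pairs)]
        if any(a >= b for a, b in zip(keys, keys[1:])):
            problems.append("subtable %d: pairs not strictly sorted" % i)
        off += length
    return problems

SAMPLE = build_kern([(1, 2, -50), (1, 3, -20), (4, 5, 30)])   # constructed, 36 bytes
```
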
Comment 8•14 years ago
|
||
Verified fixed in 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101118 Namoroka/3.6.13pre using testcase. Test no longer crashes as it does in 1.9.2.12.
Keywords: verified1.9.2
Reporter | ||
Updated•12 years ago
|
Blocks: fuzzing-fonts
Updated•11 years ago
|
Group: core-security