Closed Bug 582151 Opened 14 years ago Closed 14 years ago

Invalid values in TTs kern table leading to crash [@TAATKernEngine::KernRuns]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: verified1.9.2, Whiteboard: [sg:vector-critical (Apple)] rdar://8238044)

Attachments

(3 files)

Attached file testcase
Table: b'kern'
Number of replaced values: 15
Offset:         7/0x000007     Value: ['7f', 'ff']
Offset:       185/0x0000b9     Value: ['80', '00', '00', '00']
Offset:      1367/0x000557     Value: ['20', '00']
Offset:      1955/0x0007a3     Value: ['7f', 'ff', 'ff', 'ff']
Offset:      2146/0x000862     Value: ['80', '00', '00', '00']
Offset:      4148/0x001034     Value: ['ff', 'ff', 'ff', 'ff']
Offset:      4506/0x00119a     Value: ['7f', 'ff', 'ff', 'ff']
Offset:      4717/0x00126d     Value: ['80', '00']
Offset:      6661/0x001a05     Value: ['7f', '00']
Offset:      6874/0x001ada     Value: ['80', '00']
Offset:      7291/0x001c7b     Value: ['ff', 'ff']
Offset:      8055/0x001f77     Value: ['40', '00']
Offset:     10804/0x002a34     Value: ['ff', 'ff']
Offset:     14033/0x0036d1     Value: ['7f', 'ff', 'ff', 'ff']
Offset:     14798/0x0039ce     Value: ['7f', 'ff']

Load the provided html file.
Attached file callstack-safari
Attached file callstack-firefox
blocking2.0: --- → ?
Assignee: nobody → jdaggett
blocking2.0: ? → final+
Group: core-security
Following is the reply I got from Apple's Product Security team. Note: I hadn't marked this bug as a security issue before, either at Apple or here.

---------
Hello,

Thank you for reporting this issue via Apple's Bug Reporter. We take any report of a potential security issue very seriously.

This message is being sent to you by a security analyst who has reviewed your note.  The issue is being investigated, and we appreciate the time you have taken to report it to us.  If we need additional information, you will hear from us very soon.

Because of the potentially sensitive nature of security vulnerabilities, we ask that this information remain between you and Apple while we investigate it further.

Our primary email address is product-security@apple.com.  If you have any concerns about the handling of a bug you reported, please email us.  Our PGP key is available at https://www.apple.com/support/security/pgp/.

You'll notice a number at the top of this email.  Including that number in any further emails you send to us on this issue will help us rapidly associate it with your original report.  

We do not automatically provide status updates on issues as we work on them, but please feel free to request one if needed by replying to this message.

Best regards,
David Remahl
Apple’s Product Security team
Whiteboard: rdar://8238044 → [sg:vector-critical (Apple)] rdar://8238044
That's the standard boilerplate response you get when filing bugs marked "security" with Apple.
John, yes, but I haven't filed it as a security bug. They changed the flags for it.
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Fixed on trunk and 1.9.2 by the OTS sanitizer.
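As an added illustration (not OTS's or Gecko's own code) of what a font sanitizer does before a table reaches the platform engine: every 16-bit length and count field in a 'kern' table is checked against the bytes actually present, so oversized values such as the 0x7fff / 0xffff words the fuzzer wrote above are rejected instead of driving a read past the table. The layout modelled is the version-0 'kern' header with format-0 subtables; the sample table, the exact-size check and the helper names are constructed for this example.

```cpp
// Added example (not OTS or Gecko code): simplified bounds checking for a
// TrueType 'kern' table, version-0 header with format-0 subtables only.
#include <cstddef>
#include <cstdint>
#include <vector>

// Big-endian uint16 read with an explicit bounds check; false on overrun.
static bool ReadU16(const std::vector<uint8_t>& d, size_t off, uint16_t* out) {
  if (off + 2 > d.size()) return false;
  *out = static_cast<uint16_t>((d[off] << 8) | d[off + 1]);
  return true;
}

// True only if every subtable's declared length and pair count fit inside the
// bytes present. Arithmetic is done in size_t so oversized 16-bit fields
// (0x7fff, 0xffff, ...) cannot wrap around and slip past a check.
bool KernTableIsSane(const std::vector<uint8_t>& kern) {
  uint16_t version, n_tables;
  if (!ReadU16(kern, 0, &version) || !ReadU16(kern, 2, &n_tables)) return false;
  if (version != 0) return false;  // only the v0 layout is modelled here
  size_t off = 4;
  for (uint16_t i = 0; i < n_tables; ++i) {
    uint16_t sub_version, length, coverage, n_pairs;
    if (!ReadU16(kern, off, &sub_version) || !ReadU16(kern, off + 2, &length) ||
        !ReadU16(kern, off + 4, &coverage)) return false;
    if (sub_version != 0 || length < 6 || length > kern.size() - off) return false;
    if ((coverage >> 8) != 0) return false;  // format 0 only
    if (!ReadU16(kern, off + 6, &n_pairs)) return false;
    // subtable header (6) + format-0 fields (8) + 6 bytes per pair must fit
    if (static_cast<size_t>(n_pairs) * 6 + 14 > length) return false;
    off += length;
  }
  return off == kern.size();  // reject trailing bytes the engine might misread
}

// Constructed sample: one well-formed format-0 subtable holding a single pair.
static const std::vector<uint8_t> kGoodKern = {
  0x00, 0x00, 0x00, 0x01,                          // version 0, nTables 1
  0x00, 0x00, 0x00, 0x14, 0x00, 0x01,              // subtable v0, length 20, coverage 0x0001
  0x00, 0x01, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00,  // nPairs 1, searchRange, entrySel, rangeShift
  0x00, 0x24, 0x00, 0x37, 0xff, 0xd8               // left 36, right 55, value -40
};

// Re-checks kGoodKern after overwriting one 16-bit field, the kind of
// mutation the fuzzer output above describes.
bool GoodKernWithPatch(size_t off, uint8_t hi, uint8_t lo) {
  std::vector<uint8_t> t = kGoodKern;
  if (off + 1 >= t.size()) return false;
  t[off] = hi; t[off + 1] = lo;
  return KernTableIsSane(t);
}
```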
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified fixed in 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101118 Namoroka/3.6.13pre using testcase. Test no longer crashes as it does in 1.9.2.12.
Keywords: verified1.9.2
OTS landed in 1.9.1 as well.
Group: core-security