Closed Bug 583715 Opened 14 years ago Closed 14 years ago

Invalid values in TTs glyf & EBLC table leading to hang [@GDI32!NtGdiGetCharABCWidthsW]

Categories

(Core :: Graphics, defect)

x86_64
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

Attachments

(3 files, 2 obsolete files)

Attached file testcase (obsolete) —
Tag: b'glyf' Checksum: 0x4e72dd01 Offset: 6556/0x0000199c Length: 41176


Offset:      27651/0x006c03	Value: ['80', '00', '00', '00']
Offset:      27970/0x006d42	Value: ['ff']


IE is not affected.

Load the provided html file.
Summary: Invalid values in TTs glyf table leading to hang → Invalid values in TTs glyf table leading to hang [@USP10!UspFreeMem]
Attached file callstack (obsolete) —
blocking2.0: --- → ?
Summary: Invalid values in TTs glyf table leading to hang [@USP10!UspFreeMem] → Invalid values in TTs glyf & EBLC table leading to hang [@GDI32!NtGdiGetCharABCWidthsW]
Attached file testcase-EBLC
Attached file testcase-glyf
Attachment #462041 - Attachment is obsolete: true
Attached file callstack
Attachment #462043 - Attachment is obsolete: true
tag: b'EBLC' checksum: 0x00015e24 offset:        332/0x0000014c length: 1568

Table: b'EBLC'
Number of replaced values: 3
Offset:        668/0x00029c	Value: ['ff', 'c4', '40', '0f']
Offset:       1249/0x0004e1	Value: ['ff', 'c4', '40', '0f']
Offset:       1284/0x000504	Value: ['ff']

Note: in this testcase the font-size must equal 10

IE is not affected.
John, you're cool with win32 font stuff, right?
Assignee: nobody → jdaggett
blocking2.0: ? → final+
If this helps, in bug 584185 (dup of this bug) i created a small sample extracted from the URL indicated in that bug.
I can reproduce this in WIN 7 32 bits too.
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Checked that OTS blocks the bad fonts from both testcases here.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.