
Arithmetic exception in GPOS table [@AnchorMatrix::sanitize]

Status: RESOLVED FIXED

Product: Core
Component: Graphics
Severity: critical
Reported: 7 years ago
Modified: 6 years ago

People

(Reporter: posidron, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {crash})

Version: Trunk
Hardware: x86_64 Mac OS X
Keywords: crash

Firefox Tracking Flags

(blocking2.0 final+)

Details

(crash signature)

Attachments

(3 attachments)

(Reporter)

Description

7 years ago
Created attachment 465004 [details]
callstack

Tag: b'GPOS' Checksum: 0x0001c590 Offset:        364/0x0000016c Length: 3738

Table: b'GPOS'
Number of replaced values: 5
Offset:   21/0x000015	Value: ['ff', 'ff']
Offset:  411/0x00019b	Value: ['00', '00', '00', '00', '00', '00', '00', '01']
Offset:  783/0x00030f	Value: ['ff', 'ff', 'ff', 'ff']
Offset: 2862/0x000b2e	Value: ['00', '00', '00', '01']
Offset: 3148/0x000c4c	Value: ['ff', 'ff', 'ff', 'ff']
(Reporter)

Comment 1

7 years ago
Created attachment 465005 [details]
testcase
(Assignee)

Comment 2

7 years ago
Created attachment 465728 [details] [diff] [review]
patch, v1 - check "rows" value is non-zero before division
Assignee: nobody → jfkthame
Attachment #465728 - Flags: review?(jdaggett)

Updated

7 years ago
Attachment #465728 - Flags: review?(jdaggett) → review+
(Assignee)

Comment 3

7 years ago
Comment on attachment 465728 [details] [diff] [review]
patch, v1 - check "rows" value is non-zero before division

Requesting approval2.0 -- we should take this as it's a risk-free fix (also accepted upstream) for an issue where a bad/malicious downloadable font can crash the browser.
Attachment #465728 - Flags: approval2.0?
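To make the failure mode in this bug concrete, here is an added illustration (written for this page, not the shaper's own source or the attached patch) of the pattern the patch description refers to. The `AnchorMatrix` in a GPOS MarkBasePos/MarkMarkPos subtable starts with a 16-bit `rows` count followed by `rows * cols` offsets to Anchor tables; a sanitizer that guards `rows * cols` against 32-bit overflow by comparing `cols` with `UINT_MAX / rows` divides by zero when a fuzzed or malicious font sets `rows` to 0. The exact layout, helper names and the constructed byte buffers are assumptions for the example; the fix is the `rows > 0 &&` guard, as the patch title states.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of an OpenType GPOS AnchorMatrix: big-endian uint16 "rows",
   then rows * cols uint16 offsets (relative to the matrix start) to
   Anchor tables. cols is the mark class count from the parent subtable.
   This layout and these checks are a reconstruction for illustration. */

static unsigned be16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Bounds-check the offset array and every non-zero anchor offset.
   table/len is the whole GPOS table, off is where the matrix starts. */
static bool check_matrix(const uint8_t *table, size_t len, size_t off,
                         unsigned rows, unsigned cols)
{
    unsigned count = rows * cols;                 /* 32-bit, as a sanitizer would */
    if (off + 2 + (size_t)count * 2 > len) return false;
    for (unsigned i = 0; i < count; i++) {
        unsigned anchor_off = be16(table + off + 2 + 2 * i);
        /* 0 means "no anchor"; otherwise at least an Anchor format-1
           header (6 bytes) must fit inside the table. */
        if (anchor_off != 0 && off + anchor_off + 6 > len) return false;
    }
    return true;
}

/* Pre-fix logic: rejects rows*cols overflow by dividing UINT_MAX by rows.
   With rows == 0 this is a division by zero: undefined behaviour that traps
   with SIGFPE on x86_64, the "Arithmetic exception" of this bug.
   Deliberately unfixed; do not call it with a zero-row matrix. */
static bool sanitize_unfixed(const uint8_t *table, size_t len, size_t off,
                             unsigned cols)
{
    if (off + 2 > len) return false;
    unsigned rows = be16(table + off);
    if (cols >= UINT_MAX / rows) return false;   /* BUG: rows may be 0 */
    return check_matrix(table, len, off, rows, cols);
}

/* Fixed logic: the same overflow guard, evaluated only when rows != 0.
   An empty matrix is harmless (count == 0) and is accepted. */
static bool sanitize_fixed(const uint8_t *table, size_t len, size_t off,
                           unsigned cols)
{
    if (off + 2 > len) return false;
    unsigned rows = be16(table + off);
    if (rows > 0 && cols >= UINT_MAX / rows) return false;
    return check_matrix(table, len, off, rows, cols);
}

/* Constructed inputs for the example (not the attached testcase). */
static const uint8_t good_matrix[] = {
    0x00, 0x02,                         /* rows = 2 */
    0x00, 0x0A, 0x00, 0x00,             /* row 0: anchor at +10, none */
    0x00, 0x00, 0x00, 0x0A,             /* row 1: none, anchor at +10 */
    0x00, 0x01, 0x00, 0x05, 0x00, 0x07  /* Anchor format 1 at +10: x=5, y=7 */
};
static const uint8_t zero_rows_matrix[] = { 0x00, 0x00 };  /* rows = 0 */
static const uint8_t huge_rows_matrix[] = { 0xFF, 0xFF };  /* rows = 65535 */

int main(int argc, char **argv)
{
    printf("good, fixed:  %d\n", sanitize_fixed(good_matrix, sizeof good_matrix, 0, 2));
    printf("zero, fixed:  %d\n", sanitize_fixed(zero_rows_matrix, sizeof zero_rows_matrix, 0, 2));
    printf("huge, fixed:  %d\n", sanitize_fixed(huge_rows_matrix, sizeof huge_rows_matrix, 0, 70000));
    if (argc > 1) {  /* pass any argument to reproduce the SIGFPE */
        printf("zero, unfixed: %d\n",
               sanitize_unfixed(zero_rows_matrix, sizeof zero_rows_matrix, 0, 2));
    }
    (void)argv;
    return 0;
}
```

The overflow guard itself is correct and still needed (a 65535-row matrix with 70000 classes must be rejected before `rows * cols` wraps); the defect is only that the guard's divisor comes straight from untrusted font data. Checking `rows > 0` first is the whole fix, which is why the patch could be described as risk-free.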
(Assignee)

Comment 4

7 years ago
Keywords: crash
blocking2.0: --- → final+
Comment on attachment 465728 [details] [diff] [review]
patch, v1 - check "rows" value is non-zero before division

This now blocks, so it doesn't need approval.
Attachment #465728 - Flags: approval2.0?
(Assignee)

Comment 5

7 years ago
http://hg.mozilla.org/mozilla-central/rev/51b95e95814f
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Crash Signature: [@AnchorMatrix::sanitize]
(Reporter)

Updated

6 years ago
Blocks: 750695