Closed Bug 586847 Opened 14 years ago Closed 14 years ago

Malformed FeatureNameArray in TTs feat table leads to crash [@TFontFeatures::TFontFeatures()]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Whiteboard: [sg:vector-critical (Apple)][critsmash:investigating])

Attachments

(2 files)

Attached file callstack
Tag: b'feat' Checksum: 0x00000a56 Offset: 412/0x0000019c Length: 156


Table: b'feat'
Number of replaced values: 2
Offset:    61/0x00003d   Value: ['ff', 'c4', '40', '0f']
Offset:   100/0x000064   Value: ['80', '00', '00', '00']

[…]
Feature Name Array: 4
        Feature: 255
        nSettings: 50240
        SettingTable: 251658364
        FeatureFlags: b'\x80\x00'
        NameIndex: b'\x01\x0e'
[…]

Feature, nSettings and SettingTable were overwritten by Value 1.

nSettings = number of records in the setting name array
SettingTable = offset to setting name array (here: out of range)


Note: I was not able to reproduce this bug with Safari or Fontbook.
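As an added illustration (not code from OTS, Apple, or the bug's attachments) of the bounds check a font sanitizer needs for this table: the parser below reads the 'feat' header and FeatureName array, flags any record whose setting-name array does not lie inside the table, and rebuilds the corruption described in the report (Feature 255, nSettings 50240, SettingTable 251658364) on a constructed sample table. The record layout follows Apple's published 'feat' table format; the sample features and name indices are constructed.

```python
import struct

# Layouts from Apple's 'feat' table specification (all fields big-endian).
FEAT_HEADER = struct.Struct(">IHHI")    # version, featureNameCount, reserved1, reserved2
FEATURE_NAME = struct.Struct(">HHIHh")  # feature, nSettings, settingTable, featureFlags, nameIndex
SETTING_NAME = struct.Struct(">Hh")     # setting, nameIndex

def check_feat_table(data):
    """Return the list of problems in a 'feat' table; an empty list means it is clean."""
    problems = []
    if len(data) < FEAT_HEADER.size:
        return ["table shorter than the 12-byte header"]
    version, count, _r1, _r2 = FEAT_HEADER.unpack_from(data, 0)
    if version != 0x00010000:
        problems.append("unexpected version 0x%08x" % version)
    records_end = FEAT_HEADER.size + count * FEATURE_NAME.size
    if records_end > len(data):
        problems.append("featureNameCount %d runs past the table" % count)
        return problems
    for i in range(count):
        off = FEAT_HEADER.size + i * FEATURE_NAME.size
        feature, n_settings, setting_table, _flags, _name = FEATURE_NAME.unpack_from(data, off)
        # The setting-name array must start after the feature records and end inside the table;
        # this is the check the corrupted record in the report fails.
        array_end = setting_table + n_settings * SETTING_NAME.size
        if setting_table < records_end or array_end > len(data):
            problems.append("feature %d (record %d): settingTable 0x%x with nSettings %d "
                            "reaches 0x%x, table length is %d"
                            % (feature, i, setting_table, n_settings, array_end, len(data)))
    return problems

def build_feat_table(features):
    """Construct a well-formed 'feat' table from [(feature, [(setting, nameIndex), ...]), ...]."""
    records, settings = b"", b""
    arrays_start = FEAT_HEADER.size + len(features) * FEATURE_NAME.size
    for feature, sets in features:
        records += FEATURE_NAME.pack(feature, len(sets), arrays_start + len(settings), 0, 256 + feature)
        for setting, name_index in sets:
            settings += SETTING_NAME.pack(setting, name_index)
    return FEAT_HEADER.pack(0x00010000, len(features), 0, 0) + records + settings

def corrupt_like_report(data, record_index):
    """Overwrite one record with the values seen in the report (constructed reproduction)."""
    off = FEAT_HEADER.size + record_index * FEATURE_NAME.size
    _feature, _n, _t, flags, name_index = FEATURE_NAME.unpack_from(data, off)
    patched = FEATURE_NAME.pack(255, 50240, 0x0F00007C, flags, name_index)
    return data[:off] + patched + data[off + FEATURE_NAME.size:]

# Constructed sample: two features with three setting names in total (48-byte table).
SAMPLE = [(0, [(0, 260), (1, 261)]), (1, [(2, 262)])]

if __name__ == "__main__":
    good = build_feat_table(SAMPLE)
    print(check_feat_table(good))                          # []
    print(check_feat_table(corrupt_like_report(good, 0)))  # one problem, for record 0
```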
Attached file testcase
One thing to note on reproducing bugs in Safari: you should try using:

  body { text-rendering: optimizeLegibility; }

This will explicitly cause Safari to use a CoreText codepath closer to our default text rendering codepath.  It may or may not cause a crash in the same code but the chances are greater with that property enabled.
Hi John,
I did that before posting here but it had no effect (@crash).
A similar crash can be triggered in TextEdit.app by using this font and attempting to open the Typography palette; note that this is also crashing in a TFontFeatures() constructor, called from TBaseFont::CopyFeatures().

Process:         TextEdit [80927]
Path:            /Applications/TextEdit.app/Contents/MacOS/TextEdit
Identifier:      com.apple.TextEdit
Version:         1.6 (264)
Build Info:      TextEdit-2640000~1
Code Type:       X86-64 (Native)
Parent Process:  launchd [240]

Date/Time:       2010-08-13 10:13:21.444 +0100
OS Version:      Mac OS X 10.6.4 (10F569)
Report Version:  6

Interval Since Last Report:          23513 sec
Crashes Since Last Report:           3
Per-App Interval Since Last Report:  21 sec
Per-App Crashes Since Last Report:   1
Anonymous UUID:                      A841BCF6-F4B2-447A-A660-7E0FAC0EFBA8

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000121621218
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.CoreText            	0x00007fff81d9af76 TFontFeatures::TFontFeatures(CGFont*) + 746
1   com.apple.CoreText            	0x00007fff81db0b0f TBaseFont::CopyFeatures() const + 83
2   com.apple.TypographyPanel     	0x0000000100325c78 FlipContextForRect + 15281
3   com.apple.TypographyPanel     	0x0000000100331cb9 sliderSort + 43238
4   com.apple.TypographyPanel     	0x000000010032d8ee sliderSort + 25883
5   com.apple.AppKit              	0x00007fff80d832b5 -[NSFontPanel _openExtrasPopup:] + 1640
6   com.apple.AppKit              	0x00007fff80b46152 -[NSApplication sendAction:to:from:] + 95
7   com.apple.AppKit              	0x00007fff80b460b1 -[NSControl sendAction:to:] + 94
8   com.apple.AppKit              	0x00007fff80b46152 -[NSApplication sendAction:to:from:] + 95
9   com.apple.AppKit              	0x00007fff80b6a6be -[NSMenuItem _corePerformAction] + 365
10  com.apple.AppKit              	0x00007fff80b6a428 -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 121
11  com.apple.AppKit              	0x00007fff80dee41d -[NSMenu _internalPerformActionForItemAtIndex:] + 35
12  com.apple.AppKit              	0x00007fff80ca0217 -[NSCarbonMenuImpl _carbonCommandProcessEvent:handlerCallRef:] + 136
13  com.apple.AppKit              	0x00007fff80b4cc14 NSSLMMenuEventHandler + 321
14  com.apple.HIToolbox           	0x00007fff82c5e997 DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, HandlerCallRec*) + 1002
15  com.apple.HIToolbox           	0x00007fff82c5dee6 SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*, HandlerCallRec*) + 395
16  com.apple.HIToolbox           	0x00007fff82c7bba9 SendEventToEventTarget + 45
17  com.apple.HIToolbox           	0x00007fff82caacd1 SendHICommandEvent(unsigned int, HICommand const*, unsigned int, unsigned int, unsigned char, void const*, OpaqueEventTargetRef*, OpaqueEventTargetRef*, OpaqueEventRef**) + 387
18  com.apple.HIToolbox           	0x00007fff82cd7b06 SendMenuCommandWithContextAndModifiers + 56
19  com.apple.HIToolbox           	0x00007fff82cd7abe SendMenuItemSelectedEvent + 101
20  com.apple.HIToolbox           	0x00007fff82cd79be FinishMenuSelection(SelectionData*, MenuResult*, MenuResult*) + 150
21  com.apple.HIToolbox           	0x00007fff82de0a75 PopUpMenuSelectCore(MenuData*, Point, double, Point, unsigned short, unsigned int, Rect const*, unsigned short, unsigned int, Rect const*, Rect const*, __CFString const*, OpaqueMenuRef**, unsigned short*) + 1618
22  com.apple.HIToolbox           	0x00007fff82de0dce _HandlePopUpMenuSelection7 + 665
23  com.apple.AppKit              	0x00007fff80c9d1c9 _NSSLMPopUpCarbonMenu3 + 3710
24  com.apple.AppKit              	0x00007fff80e4cd0e -[NSPopUpButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 554
25  com.apple.AppKit              	0x00007fff80bd04b5 -[NSControl mouseDown:] + 624
26  com.apple.AppKit              	0x00007fff80aea763 -[NSWindow sendEvent:] + 5409
27  com.apple.AppKit              	0x00007fff80a1fee2 -[NSApplication sendEvent:] + 4719
28  com.apple.AppKit              	0x00007fff809b6922 -[NSApplication run] + 474
29  com.apple.AppKit              	0x00007fff809af5f8 NSApplicationMain + 364
30  com.apple.TextEdit            	0x0000000100000fb8 0x100000000 + 4024
Whiteboard: [sg:vector-critical (Apple)][critsmash:investigating]
Assignee: nobody → jdaggett
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Fixed on trunk and 1.9.2 by the OTS sanitizer.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
QA needs to check this in OS X 10.6.4. It no longer crashes on OS X 10.6.5 with 1.9.2.12.
OTS landed in 1.9.1 as well.
Group: core-security → core-security-release
Group: core-security-release