Closed Bug 594456 Opened 14 years ago Closed 14 years ago

Crash from fuzzed font in Apple's libTrueTypeScaler [@ fnt_PushSomeWords(fnt_LocalGraphicStateType*, int) ]

Categories

(Core :: Graphics, defect)

Platform: x86
OS: Windows 7
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: bsterne, Assigned: jfkthame)

References

Details

(Whiteboard: [sg:vector-critical? (Apple)])

Attachments

(2 files)

Marc Schoenefeld reported another Mac system font crash from his font fuzzer.  Here is what he sent to security@m.o:

-----

Hi,

Looks like the font sanitizing in Firefox 3.6.9/OS X is still not sufficient, despite the fixes for mfsa2010-58.

I attached a crashwrangler report and a standalone reproducer.

The punch line of the crashwrangler reads like:

exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movl %eax,(%esi):instruction_address=0x000000009011404d:access_type=write:access_address=0x00000000fedd02b4:
Crash accessing invalid address.  Consider running it again with libgmalloc(3) to see if the log changes.
Test case was dual4_repreat

Is your future strategy to handle the font bugs case by case, or perhaps to introduce stricter acceptance rules via a (preferably sandboxed) font sanitizer?
bp-23055d58-3df0-46b9-8fbd-4b3f92100908
Does not crash in: Gecko/20100906 Firefox/4.0b6pre
Attached file testcase-reduced
This is a minimal testcase based on the one provided. Perhaps you need to reload the page a couple of times.
Depends on: 594536
Assignee: nobody → jdaggett
Per Joe, these are likely exploitable on trunk with a slightly modified testcase, so marking that this applies to trunk as well.
blocking2.0: --- → ?
Whiteboard: [sg:critical]
Version: 1.9.2 Branch → Trunk
blocking2.0: ? → final+
Whiteboard: [sg:critical] → [sg:critical][critsmash:investigating]
Blocks: 594536
No longer depends on: 594536
This will be fixed by the OTS sanitizer (bug 527276). (The testcase still beachballs for some time, but that's a separate and non-fatal issue.)
Summary: Mac crash in ATS from fuzzed font → Crash from fuzzed font in Apple's libTrueTypeScaler [@ fnt_PushSomeWords(fnt_LocalGraphicStateType*, int) ]
Whiteboard: [sg:critical][critsmash:investigating] → [sg:vector-critical? (Apple)]
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
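The resolution above relies on the OTS sanitizer rejecting malformed fonts before the platform scaler ever sees them. The C program below is an added illustration, not OTS code and not taken from this bug's attachments, of the first check such a sanitizer makes: validating the sfnt table directory so that every table lies inside the file, after the directory, and no two tables overlap, with the length arithmetic done so that a fuzzed 32-bit length cannot wrap past the end of the buffer. The test fonts are constructed inline; the 512-table cap and the 'maxp'/'head' tags are assumptions made for the example. It does not model the TrueType instruction interpreter in which this crash site (fnt_PushSomeWords) sits; it shows the whole-file checks a sanitizer layers in front of that interpreter.

```c
/* Added illustration, not OTS/Mozilla/Apple code: validate the sfnt table
 * directory of a TrueType/OpenType font before any table parser touches it. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TRUNCATED: header/directory past end; BAD_RECORD: table outside buffer;
 * OVERLAP: table covers the directory or another table. */
enum sfnt_result { SFNT_OK = 0, SFNT_TRUNCATED, SFNT_BAD_MAGIC,
                   SFNT_BAD_COUNT, SFNT_BAD_RECORD, SFNT_OVERLAP };
#define SFNT_MAX_TABLES 512   /* assumed sanity cap; the spec sets no hard limit */

struct table_rec { uint32_t tag, off, len; };

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Reject the font unless every table lies inside buf[0..len), after the
 * directory, and no two tables share bytes. */
enum sfnt_result sfnt_check(const uint8_t *buf, size_t len)
{
    if (len < 12) return SFNT_TRUNCATED;
    uint32_t magic = rd32(buf);
    if (magic != 0x00010000u && magic != 0x74727565u /* 'true' */ &&
        magic != 0x4F54544Fu /* 'OTTO' */)
        return SFNT_BAD_MAGIC;

    uint16_t n = rd16(buf + 4);
    if (n == 0 || n > SFNT_MAX_TABLES) return SFNT_BAD_COUNT;
    size_t dir_end = 12 + (size_t)n * 16;
    if (dir_end > len) return SFNT_TRUNCATED;

    struct table_rec recs[SFNT_MAX_TABLES];
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 12 + (size_t)i * 16;
        recs[i].tag = rd32(p);
        recs[i].off = rd32(p + 8);
        recs[i].len = rd32(p + 12);
        /* Compare against the remaining size: "off + len > total" in 32-bit
         * arithmetic wraps for a huge len and would let the table through. */
        if (recs[i].off > len || recs[i].len > len - recs[i].off)
            return SFNT_BAD_RECORD;
        if (recs[i].off < dir_end) return SFNT_OVERLAP;
    }

    /* Insertion sort by offset (n is small), then require disjoint ranges. */
    for (uint16_t i = 1; i < n; i++) {
        struct table_rec t = recs[i];
        uint16_t j = i;
        while (j > 0 && recs[j - 1].off > t.off) { recs[j] = recs[j - 1]; j--; }
        recs[j] = t;
    }
    for (uint16_t i = 1; i < n; i++)
        if ((uint64_t)recs[i - 1].off + recs[i - 1].len > recs[i].off)
            return SFNT_OVERLAP;
    return SFNT_OK;
}

/* Constructed test font: sfnt header, n directory records, zero padding. */
static void make_font(uint8_t *out, size_t total, const struct table_rec *r,
                      uint16_t n)
{
    memset(out, 0, total);
    wr32(out, 0x00010000u);
    out[4] = (uint8_t)(n >> 8); out[5] = (uint8_t)n;
    for (uint16_t i = 0; i < n; i++) {
        uint8_t *p = out + 12 + (size_t)i * 16;
        wr32(p, r[i].tag); wr32(p + 8, r[i].off); wr32(p + 12, r[i].len);
    }
}

/* Build a 64-byte font with two records ('maxp', 'head'; directory ends at
 * byte 44) and check the first check_len bytes of it. */
static enum sfnt_result run(const struct table_rec *r, size_t check_len) {
    uint8_t f[64]; make_font(f, sizeof f, r, 2); return sfnt_check(f, check_len);
}
static const struct table_rec good[] = { {0x6D617870, 44, 10}, {0x68656164, 56, 4} };
static const struct table_rec huge[] = { {0x6D617870, 44, 0xFFFFFFF0u}, {0x68656164, 56, 4} };
static const struct table_rec clash[] = { {0x6D617870, 44, 20}, {0x68656164, 56, 4} };
enum sfnt_result example_valid(void)         { return run(good, 64); }
enum sfnt_result example_out_of_bounds(void) { return run(huge, 64); }  /* length would wrap */
enum sfnt_result example_overlap(void)       { return run(clash, 64); } /* maxp runs into head */
enum sfnt_result example_truncated(void)     { return run(good, 20); }  /* cut mid-directory */

int main(void) {
    printf("valid=%d oob=%d overlap=%d truncated=%d\n", example_valid(),
           example_out_of_bounds(), example_overlap(), example_truncated());
    return 0;
}
```

Compile with any C99 compiler and run. A real sanitizer continues from here by parsing each table it recognises with the same discipline and re-serialising only those tables, which is the approach OTS takes to keep fuzzed input away from the system scaler.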
This doesn't crash on 1.9.2.12 on OS X 10.6.5. Is this one of those cases where the 10.6.5 OS X update fixed the Apple side of the problem?
(In reply to comment #6)
> This doesn't crash on 1.9.2.12 on OS X 10.6.5. Is this one of those cases where
> the 10.6.5 OS X update fixed the Apple side of the problem?

Seems likely; Brandon's crash report from comment #1 is from FF3.6.9 running on 10.6.4.
OS: Mac OS X → Windows 7
OTS landed in 1.9.1 as well.
Group: core-security → core-security-release
Group: core-security-release