Closed
Bug 594456
Opened 14 years ago
Closed 14 years ago
Crash from fuzzed font in Apple's libTrueTypeScaler [@ fnt_PushSomeWords(fnt_LocalGraphicStateType*, int) ]
Categories
(Core :: Graphics, defect)
Tracking
RESOLVED
FIXED
People
(Reporter: bsterne, Assigned: jfkthame)
References
Details
(Whiteboard: [sg:vector-critical? (Apple)])
Attachments
(2 files)
Marc Schoenefeld reported another Mac system font crash from his font fuzzer. Here is what he sent to security@m.o:

-----
Hi,

looks like the font sanitizing in firefox 3.6.9/OSX is still not sufficient, despite the fixes for mfsa2010-58. I attached a crashwrangler report and a standalone reproducer. The punch line of the crashwrangler reads like:

exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movl %eax,(%esi):instruction_address=0x000000009011404d:access_type=write:access_address=0x00000000fedd02b4: Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.

Test case was dual4_repreat

Is your future strategy to handle the font bugs case-wise, or probably introducing stricter acceptance rules via a (better be sandboxed) font sanitizer?
Comment 3 • 14 years ago
This is a minimal testcase based on the one provided. Perhaps you need to reload the page a couple of times.
Depends on: CVE-2010-3768
Updated • 14 years ago
Assignee: nobody → jdaggett
Comment 4 • 14 years ago
Per Joe these are likely exploitable on trunk with a slightly modified testcase, so marking that this applies to trunk as well.
blocking2.0: --- → ?
Whiteboard: [sg:critical]
Version: 1.9.2 Branch → Trunk
Updated • 14 years ago
blocking2.0: ? → final+
Updated • 14 years ago
Whiteboard: [sg:critical] → [sg:critical][critsmash:investigating]
Updated • 14 years ago
Comment 5 • 14 years ago
This will be fixed by the OTS sanitizer (bug 527276). (The testcase still beachballs for some time, but that's a separate and non-fatal issue.)
Updated • 14 years ago
Summary: Mac crash in ATS from fuzzed font → Crash from fuzzed font in Apple's libTrueTypeScaler [@ fnt_PushSomeWords(fnt_LocalGraphicStateType*, int) ]
Whiteboard: [sg:critical][critsmash:investigating] → [sg:vector-critical? (Apple)]
Updated • 14 years ago
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
status1.9.2: --- → .13-fixed
Resolution: --- → FIXED
Comment 6 • 14 years ago
This doesn't crash on 1.9.2.12 on OS X 10.6.5. Is this one of those cases where the 10.6.5 OS X update fixed the Apple side of the problem?
Comment 7 • 14 years ago
(In reply to comment #6)
> This doesn't crash on 1.9.2.12 on OS X 10.6.5. Is this one of those cases where
> the 10.6.5 OS X update fixed the Apple side of the problem?

Seems likely; Brandon's crash report from comment #1 is from FF3.6.9 running on 10.6.4.
OS: Mac OS X → Windows 7
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release