Closed Bug 594628 Opened 14 years ago Closed 14 years ago

Malformed font leads to crash in Apple's libTrueTypeScaler [@fnt_SHP_Common]

Categories

(Core :: Graphics, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: verified1.9.2, Whiteboard: [sg:vector-critical? (Apple)])

Attachments

(2 files, 2 obsolete files)

Attached file testcase (obsolete)
Number of replaced values: 4
Offset:  27737/0x006c59	Value: ['ee', '67', 'fe']
Offset:  35486/0x008a9e	Value: ['14', 'd6']
Offset:  36003/0x008ca3	Value: ['ee', '67', 'fe']
Offset:  53513/0x00d109	Value: ['e6', '6c']

Execute the provided html file.
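The testcase above is described only as a mutation log: a count of replaced values, then one line per replacement giving the file offset (decimal and hex) and the bytes written there. The crash frame, fnt_SHP_Common, is by its name the scaler's handler for the TrueType SHP (shift point) hinting instruction, so the first triage question is which sfnt table each replacement landed in (fpgm, prep or per-glyph instructions in glyf). The following Python script is an added example, not code from the bug, from the reporter's fuzzer or from Mozilla: it parses a log in the shape shown, applies the replacements to a font, and maps each offset to the table it hits. The log text, the toy font built by build_sfnt, and all function names are constructed for the example; the offsets in the log target the toy font, not the real testcase.

```python
import re
import struct

# Constructed mutation log in the shape of the report's fuzzer output; the
# offsets target the toy font built below, not the real testcase.
LOG = """Number of replaced values: 3
Offset:  80/0x000050\tValue: ['ee', '67', 'fe']
Offset:  95/0x00005f\tValue: ['14', 'd6']
Offset:  170/0x0000aa\tValue: ['e6', '6c']
"""

LINE_RE = re.compile(r"Offset:\s*(\d+)/0x([0-9a-fA-F]+)\s+Value:\s*\[(.*?)\]")


def parse_log(text):
    """Return [(offset, replacement_bytes)] from 'Offset: ... Value: [...]' lines."""
    muts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # header line such as 'Number of replaced values: N'
        dec, hexoff, vals = m.groups()
        off = int(dec)
        if off != int(hexoff, 16):
            raise ValueError(f"decimal/hex offset mismatch on line: {line!r}")
        data = bytes(int(v.strip().strip("'\""), 16) for v in vals.split(","))
        muts.append((off, data))
    return muts


def apply_mutations(font, muts):
    """Overwrite bytes at each offset; refuse writes that run past the end."""
    buf = bytearray(font)
    for off, data in muts:
        if off + len(data) > len(buf):
            raise ValueError(f"mutation at {off} runs past end of {len(buf)}-byte file")
        buf[off:off + len(data)] = data
    return bytes(buf)


def build_sfnt(tables):
    """Build a minimal TrueType container from {tag: payload} (checksums zeroed)."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    offset = 12 + 16 * n  # payloads follow the 12-byte header and 16-byte entries
    directory, body = b"", b""
    for tag, data in sorted(tables.items()):
        padded = data + b"\0" * (-len(data) % 4)  # table payloads are 4-byte aligned
        directory += struct.pack(">4sIII", tag.encode("ascii"), 0, offset, len(data))
        body += padded
        offset += len(padded)
    return header + directory + body


def table_directory(font):
    """Yield (tag, offset, length) for each table directory entry."""
    (num_tables,) = struct.unpack(">H", font[4:6])
    for i in range(num_tables):
        tag, _cksum, off, length = struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i])
        yield tag.decode("latin-1"), off, length


def locate(font, off):
    """Name the region a file offset falls in: directory, a table tag, or padding."""
    (num_tables,) = struct.unpack(">H", font[4:6])
    if off < 12 + 16 * num_tables:
        return "directory"
    for tag, toff, tlen in table_directory(font):
        if toff <= off < toff + tlen:
            return tag
    return "padding/unmapped"


def triage(font, muts):
    """Map every mutation to the table it touches, e.g. to spot fpgm/prep/glyf hits."""
    return [(off, locate(font, off)) for off, _ in muts]


# Constructed toy font: four tables with filler payloads; real fonts are far larger.
TOY_FONT = build_sfnt({
    "fpgm": bytes(range(10)),  # font program (hinting instructions)
    "glyf": bytes(range(20)),  # glyph outlines and per-glyph instructions
    "head": bytes(54),         # 54-byte header table
    "loca": bytes(8),          # glyph offsets
})

if __name__ == "__main__":
    muts = parse_log(LOG)
    mutated = apply_mutations(TOY_FONT, muts)
    for off, region in triage(TOY_FONT, muts):
        print(f"offset {off:#06x} -> {region}")
```

With a real base font in place of TOY_FONT, a replacement that triage reports inside fpgm, prep or glyf is the one to inspect first for a crash in an instruction handler; a hit in loca or head points at offset and length fields instead, which is the class of problem a table sanitizer like OTS is designed to reject before the system scaler sees the file.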
Attached file callstack (obsolete)
Attached file callstack
Attachment #473322 - Attachment is obsolete: true
Attached file testcase
Attachment #473321 - Attachment is obsolete: true
blocking2.0: --- → ?
Assignee: nobody → jdaggett
Per Joe these are likely exploitable on trunk with a slightly modified testcase, so marking that this applies to trunk as well.
Whiteboard: [sg:critical]
Version: 1.9.2 Branch → Trunk
Summary: Malformed font leads to crash [@fnt_SHP_Common] → Malformed font leads to crash in Apple's libTrueTypeScaler [@fnt_SHP_Common]
blocking2.0: ? → final+
Fixed in 10.6.5 10H542 (seed build)
Whiteboard: [sg:critical] → [sg:vector-critical? (Apple)]
Fixed on trunk and 1.9.2 by the OTS sanitizer.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in 1.9.2.12 when run on OS X 10.6.4.
Keywords: verified1.9.2
OTS landed in 1.9.1 as well.
Group: core-security