Malformed font leads to crash in Apple's libTrueTypeScaler [@small_free_list_remove_ptr]

RESOLVED FIXED

Status

Core
Graphics
--
critical
RESOLVED FIXED
7 years ago
4 years ago

People

(Reporter: posidron, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {verified1.9.2})

Trunk
x86
Mac OS X
verified1.9.2
Points:
---
Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 .13-fixed, status1.9.1 .16-fixed)

Details

(Whiteboard: [sg:vector-critical? (Apple)])

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
Created attachment 473348 [details]
testcase

This one is perhaps a duplicate, I am not exactly sure.

Number of replaced values: 8
Offset:  21699/0x0054c3	Value: ['49']
Offset:  22109/0x00565d	Value: ['d5', '14']
Offset:  22571/0x00582b	Value: ['e8', 'd5']
Offset:  25634/0x006422	Value: ['d1', 'b9', 'fc', '2c']
Offset:  30069/0x007575	Value: ['8f', 'f0', '59', 'c8']
Offset:  35475/0x008a93	Value: ['f7', 'f1', '75']
Offset:  36115/0x008d13	Value: ['28', 'a4']
Offset:  39160/0x0098f8	Value: ['64', '45', '95', '40']

Execute the provided html file.
(Reporter)

Comment 1

7 years ago
Created attachment 473349 [details]
callstack
blocking2.0: --- → ?

Updated

7 years ago
Assignee: nobody → jdaggett
Per Joe, these are likely exploitable on trunk with a slightly modified testcase, so marking that this applies to trunk as well.
Whiteboard: [sg:critical]
Version: 1.9.2 Branch → Trunk

Updated

7 years ago
Summary: Malformed font leads to crash [@small_free_list_remove_ptr] → Malformed font leads to crash in Apple's libTrueTypeScaler [@small_free_list_remove_ptr]
blocking2.0: ? → final+

Comment 3

7 years ago
Fixed in 10.6.5 10H542 (seed build)
(Assignee)

Comment 4

7 years ago
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: 527276

Updated

7 years ago
Whiteboard: [sg:critical] → [sg:vector-critical? (Apple)]
(Assignee)

Updated

7 years ago
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status1.9.2: --- → .13-fixed
Resolution: --- → FIXED
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in 1.9.2.12 when run on OS X 10.6.4.
Keywords: verified1.9.2
OTS landed in 1.9.1 as well.
status1.9.1: --- → .16-fixed
(Reporter)

Updated

6 years ago
Blocks: 750695
Group: core-security