Closed Bug 594638 Opened 14 years ago Closed 14 years ago

Malformed font leads to crash in Apple's libTrueTypeScaler [@small_free_list_remove_ptr]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: verified1.9.2, Whiteboard: [sg:vector-critical? (Apple)])

Attachments

(2 files)

testcase
38.79 KB, application/zip
Details
callstack
40.77 KB, text/plain
Details
Attached file testcase
This one is perhaps a dublicate, I am not exactly sure. Number of replaced values: 8 Offset: 21699/0x0054c3 Value: ['49'] Offset: 22109/0x00565d Value: ['d5', '14'] Offset: 22571/0x00582b Value: ['e8', 'd5'] Offset: 25634/0x006422 Value: ['d1', 'b9', 'fc', '2c'] Offset: 30069/0x007575 Value: ['8f', 'f0', '59', 'c8'] Offset: 35475/0x008a93 Value: ['f7', 'f1', '75'] Offset: 36115/0x008d13 Value: ['28', 'a4'] Offset: 39160/0x0098f8 Value: ['64', '45', '95', '40'] Execute the provided html file.
Attached file callstack
blocking2.0: --- → ?
Assignee: nobody → jdaggett
Per Joe these are likely exploitable on trunk with a slightly modified testcase, so marking that this applies to trunk as well.
Whiteboard: [sg:critical]
Version: 1.9.2 Branch → Trunk
Summary: Malformed font leads to crash [@small_free_list_remove_ptr] → Malformed font leads to crash in Apple's libTrueTypeScaler [@small_free_list_remove_ptr]
blocking2.0: ? → final+
Fixed in 10.6.5 10H542 (seed build)
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Whiteboard: [sg:critical] → [sg:vector-critical? (Apple)]
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
status1.9.2: --- → .13-fixed
Resolution: --- → FIXED
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in 1.9.2.12 when run on OS X 10.6.4.
Keywords: verified1.9.2
OTS landed in 1.9.1 as well.
status1.9.1: --- → .16-fixed
Blocks: fuzzing-fonts
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: