Closed Bug 594638 Opened 14 years ago Closed 14 years ago

Malformed font leads to crash in Apple's libTrueTypeScaler [@small_free_list_remove_ptr]

Categories

(Core :: Graphics, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: verified1.9.2, Whiteboard: [sg:vector-critical? (Apple)])

Attachments

(2 files)

Attached file testcase
This one is perhaps a duplicate, I am not exactly sure.

Number of replaced values: 8
Offset:  21699/0x0054c3	Value: ['49']
Offset:  22109/0x00565d	Value: ['d5', '14']
Offset:  22571/0x00582b	Value: ['e8', 'd5']
Offset:  25634/0x006422	Value: ['d1', 'b9', 'fc', '2c']
Offset:  30069/0x007575	Value: ['8f', 'f0', '59', 'c8']
Offset:  35475/0x008a93	Value: ['f7', 'f1', '75']
Offset:  36115/0x008d13	Value: ['28', 'a4']
Offset:  39160/0x0098f8	Value: ['64', '45', '95', '40']

Execute the provided html file.
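As an added example (not part of this bug, the attached testcase, or the OTS sanitizer code), the script below reproduces the mutation record above against a font file and reports which sfnt table each replaced byte lands in. The log format is the fuzzer's "Offset: dec/hex Value: [...]" lines; since the attached font is not on the page, the font used here is a constructed two-table stand-in built by `build_fake_font`, and the mutation record is copied verbatim from the comment.

```python
import re
import struct

# Mutation record copied from the reporter's comment (constructed sample input).
MUTATION_LOG = """Number of replaced values: 8
Offset:  21699/0x0054c3	Value: ['49']
Offset:  22109/0x00565d	Value: ['d5', '14']
Offset:  22571/0x00582b	Value: ['e8', 'd5']
Offset:  25634/0x006422	Value: ['d1', 'b9', 'fc', '2c']
Offset:  30069/0x007575	Value: ['8f', 'f0', '59', 'c8']
Offset:  35475/0x008a93	Value: ['f7', 'f1', '75']
Offset:  36115/0x008d13	Value: ['28', 'a4']
Offset:  39160/0x0098f8	Value: ['64', '45', '95', '40']
"""

_COUNT_RE = re.compile(r"Number of replaced values:\s*(\d+)")
_LINE_RE = re.compile(r"Offset:\s*(\d+)/0x([0-9a-fA-F]+)\s+Value:\s*\[(.*)\]")


def parse_mutation_log(text):
    """Return [(offset, bytes), ...] from a fuzzer log in the format above."""
    mutations = []
    for m in _LINE_RE.finditer(text):
        dec, hx, values = int(m.group(1)), int(m.group(2), 16), m.group(3)
        if dec != hx:
            raise ValueError(f"decimal/hex offset mismatch: {dec} vs 0x{hx:x}")
        payload = bytes.fromhex("".join(re.findall(r"[0-9a-fA-F]{2}", values)))
        mutations.append((dec, payload))
    count = _COUNT_RE.search(text)
    if count and int(count.group(1)) != len(mutations):
        raise ValueError("header count does not match number of Offset lines")
    return mutations


def apply_mutations(font, mutations):
    """Overwrite bytes at each offset; refuse to write past the end of the file."""
    buf = bytearray(font)
    for offset, value in mutations:
        if offset < 0 or offset + len(value) > len(buf):
            raise ValueError(f"mutation at {offset} ({len(value)} bytes) is out of bounds")
        buf[offset:offset + len(value)] = value
    return bytes(buf)


def parse_table_directory(font):
    """Parse the sfnt offset table and return [(tag, offset, length), ...],
    rejecting directory entries that point outside the file (what a sanitizer checks)."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    sfnt_version, num_tables = struct.unpack_from(">IH", font, 0)
    if sfnt_version not in (0x00010000, 0x74727565, 0x4F54544F):  # 1.0, 'true', 'OTTO'
        raise ValueError(f"unknown sfnt version 0x{sfnt_version:08x}")
    tables = []
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("table directory runs past end of file")
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, rec)
        if offset + length > len(font):
            raise ValueError(f"table {tag!r} extends past end of file")
        tables.append((tag.decode("latin-1"), offset, length))
    return tables


def locate(offset, tables):
    """Name of the table containing a file offset, or None if it hits header/padding."""
    for tag, start, length in tables:
        if start <= offset < start + length:
            return tag
    return None


def build_fake_font(tables):
    """Constructed stand-in for the attached font: a valid sfnt header, a table
    directory, and 4-byte-aligned table bodies. Checksums and the binary-search
    fields are left zero; they are not needed for offset bookkeeping."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    directory, body = b"", b""
    data_start = 12 + 16 * num
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag.encode("ascii"), 0, data_start + len(body), len(data))
        body += data + b"\0" * ((-len(data)) % 4)
    return header + directory + body


def describe_mutations(font, mutations):
    """For each mutation: (offset, byte count, table it lands in)."""
    tables = parse_table_directory(font)
    return [(off, len(val), locate(off, tables)) for off, val in mutations]


if __name__ == "__main__":
    font = build_fake_font({"glyf": b"\0" * 30000, "loca": b"\0" * 10000})
    muts = parse_mutation_log(MUTATION_LOG)
    for off, n, tag in describe_mutations(font, muts):
        print(f"0x{off:06x}: {n} byte(s) in {tag}")
    with open("mutated.ttf", "wb") as fh:
        fh.write(apply_mutations(font, muts))
```

Against a real font, replace `build_fake_font(...)` with the bytes of the original file; the table names reported then tell you which parser (glyf/loca, cmap, hmtx, ...) the crash in libTrueTypeScaler is being fed the corrupted data through, which is the same bounds information a sanitizer such as OTS uses to reject the file before the system rasterizer ever sees it.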
Attached file callstack
blocking2.0: --- → ?
Assignee: nobody → jdaggett
Per Joe these are likely exploitable on trunk with a slightly modified testcase, so marking that this applies to trunk as well.
Whiteboard: [sg:critical]
Version: 1.9.2 Branch → Trunk
Summary: Malformed font leads to crash [@small_free_list_remove_ptr] → Malformed font leads to crash in Apple's libTrueTypeScaler [@small_free_list_remove_ptr]
blocking2.0: ? → final+
Fixed in 10.6.5 10H542 (seed build)
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Whiteboard: [sg:critical] → [sg:vector-critical? (Apple)]
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in 1.9.2.12 when run on OS X 10.6.4.
Keywords: verified1.9.2
OTS landed in 1.9.1 as well.
Group: core-security