Closed Bug 594651 Opened 14 years ago Closed 14 years ago

Malformed font leads to crash [@PL_DHashTableOperate]

Categories

(Core :: Graphics, defect)

1.9.2 Branch
x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- needed
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: verified1.9.2, Whiteboard: [sg:vector-critical (Apple)])

Attachments

(1 file)

Attached file testcase
The values used are located inside testcase.zip, in a file called values.txt.

Execute the provided html file.
Attached file callstack
blocking2.0: --- → ?
Assignee: nobody → jdaggett
Whiteboard: [sg:critical]
blocking2.0: ? → final+
Can't reproduce on trunk with harfbuzz disabled, probably doesn't need to block 2.0
It's not reproducible against trunk on 10.6.5.
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Now that OTS has landed, let's test this again, Marcia?
Note that this and many other fuzzed-font crashers were filed against 1.9.2, not trunk. OTS has landed on trunk and should ensure that the font here is blocked, but we haven't backported it to 1.9.2 yet. (I'm working on a backport but it's not quite ready yet - changes in both the font code and build config mean that it requires some reworking.)
Should be fixed on trunk, we'll use the status1.9.2 fields to track the branch landing.
blocking1.9.2: --- → needed
Right now, Harfbuzz is on by default on OS X and Windows; the work for Linux is bug 569770. On Linux without Harfbuzz, we use Pango to shape AIUI.
blocking1.9.2: needed → ---
blocking1.9.2: --- → ?
status1.9.2: --- → ?
What does comment 8 mean? That this bug is not fixed on trunk on Linux? Does OTS only work with harfbuzz? I thought they were independent. On the 1.9.2 branch, where we need this fixed, harfbuzz isn't used on any platform.
blocking1.9.2: ? → needed
(In reply to comment #9)
> What does comment 8 mean? That this bug is not fixed on trunk on Linux? Does
> OTS only work with harfbuzz? I thought they were independent. On the 1.9.2
> branch, where we need this fixed, harfbuzz isn't used on any platform.

This was a Mac OS X bug, not relevant to Linux or Windows. OTS blocks the corrupted font (on all platforms, trunk and 1.9.2).
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified fixed in 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101118 Namoroka/3.6.13pre using testcase. Test no longer crashes as it does in 1.9.2.12.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
OTS landed in 1.9.1 as well.
Whiteboard: [sg:critical] → [sg:vector-critical]
Group: core-security
Whiteboard: [sg:vector-critical] → [sg:vector-critical (Apple)]