Closed Bug 595689 Opened 14 years ago Closed 14 years ago

Malformed font leads to crash in Apple's ATSUI [@OTL::GCommon::GetLookups]

Categories

(Core :: Graphics, defect)

1.9.2 Branch
x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: verified1.9.2, Whiteboard: [sg:vector-critical? (Apple)])

Attachments

(1 file, 2 obsolete files)

Attached file testcase (obsolete) —
Table: b'GSUB'
Number of replaced values: 4
Offset: 102/0x000066 Value: ['ff', 'ff', 'ff', 'ff']
Offset: 389/0x000185 Value: ['40', '00']
Offset: 734/0x0002de Value: ['00', '00', '00', '01']
Offset: 749/0x0002ed Value: ['00', '00', '00', '00', '00', '00', '00', '01']

Execute the provided html file.

PS: I am not able to get a real callstack for this one. This bug was marked as a security issue because of uncertainty.
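The mutation record above lists four byte runs written into the font's GSUB table. The base font is not attached to this page, so the following is an added example (not the reporter's fuzzer or any Mozilla code) showing how such a record is applied to and recovered from an OpenType file. It assumes the listed offsets are relative to the start of the GSUB table as located via the sfnt table directory; the font used below is a constructed placeholder, not the original testcase.

```python
import struct

# Mutation record copied from the testcase attachment: (offset relative to the
# start of the GSUB table, replacement bytes). Assumed table-relative.
GSUB_MUTATIONS = [
    (0x066, bytes.fromhex("ffffffff")),
    (0x185, bytes.fromhex("4000")),
    (0x2de, bytes.fromhex("00000001")),
    (0x2ed, bytes.fromhex("0000000000000001")),
]


def find_table(font: bytes, tag: bytes):
    """Return (offset, length) of table `tag` from the sfnt table directory."""
    sfnt_version, num_tables = struct.unpack(">IH", font[:6])
    if sfnt_version not in (0x00010000, 0x4F54544F):  # TrueType 1.0 or 'OTTO'
        raise ValueError("not an sfnt container")
    for i in range(num_tables):
        rec = 12 + 16 * i
        t, _checksum, off, length = struct.unpack(">4sIII", font[rec:rec + 16])
        if t == tag:
            # A directory entry pointing past EOF is itself a malformed font.
            if off + length > len(font):
                raise ValueError("table record points outside the file")
            return off, length
    raise KeyError(tag)


def apply_table_mutations(font: bytes, tag: bytes, mutations) -> bytes:
    """Write each (rel_offset, value) run into table `tag`; size is unchanged."""
    off, length = find_table(font, tag)
    buf = bytearray(font)
    for rel, value in mutations:
        if rel + len(value) > length:
            raise ValueError(f"mutation at {rel:#x} exceeds {tag!r} length {length}")
        buf[off + rel:off + rel + len(value)] = value
    return bytes(buf)


def diff_table(original: bytes, mutated: bytes, tag: bytes):
    """Recover a mutation record: (rel_offset, bytes) runs where `tag` differs."""
    off, length = find_table(original, tag)
    runs, i = [], 0
    while i < length:
        if original[off + i] != mutated[off + i]:
            j = i
            while j < length and original[off + j] != mutated[off + j]:
                j += 1
            runs.append((i, mutated[off + i:off + j]))
            i = j
        else:
            i += 1
    return runs


def build_sfnt(tables: dict) -> bytes:
    """Construct a minimal sfnt container around raw table blobs (test data only)."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    dir_len = 12 + 16 * num
    records, body = bytearray(), bytearray()
    for tag, data in sorted(tables.items()):
        records += struct.pack(">4sIII", tag, 0, dir_len + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
    return header + bytes(records) + bytes(body)


if __name__ == "__main__":
    # Constructed stand-in for the base font: a GSUB table of 0x300 filler bytes.
    base = build_sfnt({b"GSUB": bytes([0x55]) * 0x300})
    fuzzed = apply_table_mutations(base, b"GSUB", GSUB_MUTATIONS)
    for rel, value in diff_table(base, fuzzed, b"GSUB"):
        print(f"Offset: {rel}/{rel:#08x} Value: {[f'{b:02x}' for b in value]}")
```

Running it reproduces the four-line record from the attachment against the placeholder font; pointing `apply_table_mutations` at a real font with a GSUB table of at least 0x2f5 bytes regenerates a testcase of the same shape.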
Attached file callstack (obsolete) —
Attached file callstack
Attachment #474552 - Attachment is obsolete: true
Attached file testcase
Attachment #474551 - Attachment is obsolete: true
Marking security-sensitive per <cd> on IRC.
Group: core-security
blocking2.0: --- → ?
Assignee: nobody → jdaggett
Per Joe these are likely exploitable on trunk with a slightly modified testcase, so marking that this applies to trunk as well.
Whiteboard: [sg:critical]
Version: 1.9.2 Branch → Trunk
Summary: Malformed font leads to crash [@OTL::GCommon::GetLookups] → Malformed font leads to crash in Apple's ATSUI [@OTL::GCommon::GetLookups]
CrashWrangler reports "is exploitable" with latest seed build (10.6.5 10H542).
Command line to run testcase:

MOZ_CRASHREPORTER_DISABLE=1 "/Applications/Firefox.app/Contents/MacOS/firefox-bin" "file:///Users/jd/Desktop/b595689/index.html"
Please provide a callstack affecting Trunk, preferably with guardmalloc.
Ran the test against trunk with harfbuzz disabled, no crash.  So this appears to be 1.9.2 only (since we use ATSUI in 1.9.2 and CoreText on trunk when harfbuzz is disabled).
Version: Trunk → 1.9.2 Branch
Attached file testcase-trunk
John, gmalloc takes a bit longer here. In the meantime I have uploaded the new testcase against trunk. The testcase is based on your FakeIndic idea. I just removed the morx table and replaced the GSUB table.
blocking2.0: ? → final+
(In reply to comment #10)
> Created attachment 477470 [details]
> testcase-trunk
> 
> John, gmalloc takes a bit longer here. In the meantime I have uploaded the new
> testcase against trunk. The testcase is based on your FakeIndic idea. I just
> removed the morx table and replaced the GSUB table.

Still not able to crash using testcase-trunk with trunk code with harfbuzz enabled or disabled.  

Do I need to reload lots of times?  If possible, please attach the callstack for a trunk crash.

Tested with:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b7pre) Gecko/20100928 Firefox/4.0b7pre
10.6.5 10H542
It's not reproducible against trunk on 10.6.5.
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Whiteboard: [sg:critical] → [sg:vector-critical? (Apple)]
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified fixed in 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101118 Namoroka/3.6.13pre using testcase. Test no longer crashes as it does in 1.9.2.12.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
OTS landed in 1.9.1 as well.
Group: core-security