Created attachment 475082 [details]
Number of replaced values: 2
Offset: 6/0x000006 Value: ['ff', 'ff']
Offset: 11/0x00000b Value: ['80', '00', '00', '00']
PUSHW[ ] /* 4 values pushed */
1 2 255 -256
PUSHW[ ] /* 6 values pushed */
1 45 35 25 15 8
Created attachment 475083 [details]
Braden Thomas from Apple says they've fixed a bunch of libTrueTypeScaler bugs in the 10.6 seed, since they've been fuzzing it themselves recently. Christoph, if we hook you up with a 10.6 seed, can you retest these bugs?
Yes, why not.
Fixed in 10.6.5 10H542 (seed build)
This will be fixed by the OTS sanitizer (bug 527276).
184.108.40.206 seems to be unaffected by this. The testcase does not cause a crash in it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:220.127.116.11) Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?
Ah, I see this was fixed in 10.6.5, which I am running on.
(In reply to comment #6)
> 18.104.22.168 seems to be unaffected by this. The testcase does not cause a crash in
> it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:22.214.171.124)
> Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?
The original report was filed against 1.9.2, and the callstack confirms that's what he was running (3.6.10pre, to be exact).
Quite a few (but not all) of these fuzzed-font bugs have been fixed in recent 10.6.x updates, so running an older build of 10.6 (or even 10.5) may be a better way to confirm our fixes.
Verified fixed for 126.96.36.199 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X
10.6; en-US; rv:188.8.131.52pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in
184.108.40.206 when run on OS X 10.6.4.
Created attachment 492103 [details]
testcase - 3.6.13pre - MacOSX 10.6.5
Confirmed, the old testcase doesn't work anymore.
Attached is a new one which crashes at the same place.
Created attachment 492104 [details]
callstack - 3.6.13pre - MacOSX 10.6.5