Closed
Bug 596227
Opened 15 years ago
Closed 15 years ago
Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]
Categories
(Core :: Graphics, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: posidron, Assigned: jfkthame)
References
(Blocks 1 open bug)
Details
(Keywords: verified1.9.2)
Attachments
(4 files)
Table: b'prep'
Number of replaced values: 2
Offset: 6/0x000006 Value: ['ff', 'ff']
Offset: 11/0x00000b Value: ['80', '00', '00', '00']
<prep>
<assembly>
PUSHW[ ] /* 4 values pushed */
1 2 255 -256
CALL[ ]
CALL[ ]
FLIPPT[ ]
SVTCA[0]
SVTCA[0]
SVTCA[0]
AND[ ]
SVTCA[0]
GC[0]
SVTCA[0]
SHP[0]
SVTCA[0]
SSWCI[ ]
SVTCA[0]
SFVTL[0]
CALL[ ]
PUSHW[ ] /* 6 values pushed */
1 45 35 25 15 8
CALL[ ]
</assembly>
</prep>
|
Reporter | |
Comment 1•15 years ago
|
||
|
|
||
Updated•15 years ago
|
blocking2.0: --- → ?
|
||
Updated•15 years ago
|
Assignee: nobody → jdaggett
|
||
Updated•15 years ago
|
Summary: Malformed font leads to crash [@fnt_FLIPPT] → Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]
|
|
||
Comment 2•15 years ago
|
||
Braden Thomas from Apple says they've fixed a bunch of libTrueTypeScaler bugs in the 10.6 seed, since they've been fuzzing it themselves recently. Christoph, if we hook you up with a 10.6 seed, can you retest these bugs?
|
|
Reporter | |
Comment 3•15 years ago
|
||
Yes, why not.
|
|
||
Updated•15 years ago
|
blocking2.0: ? → final+
|
|
||
Comment 4•15 years ago
|
||
Fixed in 10.6.5 10H542 (seed build)
|
Assignee | |
Comment 5•15 years ago
|
||
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
|
|
Assignee | |
Updated•15 years ago
|
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 15 years ago
status1.9.2:
--- → .13-fixed
Resolution: --- → FIXED
|
||
Comment 6•15 years ago
|
||
1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?
Whiteboard: [qa-ntd-192]
|
|
||
Comment 7•15 years ago
|
||
Ah, I see this was fixed in 10.6.5, which I am running on.
|
|
||
Updated•15 years ago
|
Whiteboard: [qa-ntd-192]
|
|
Assignee | |
Comment 8•15 years ago
|
||
(In reply to comment #6)
> 1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in
> it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12)
> Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?
The original report was filed against 1.9.2, and the callstack confirms that's what he was running (3.6.10pre, to be exact).
Quite a few (but not all) of these fuzzed-font bugs have been fixed in recent 10.6.x updates, so running an older build of 10.6 (or even 10.5) may be a better way to confirm our fixes.
|
|
||
Comment 9•15 years ago
|
||
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X
10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in
1.9.2.12 when run on OS X 10.6.4.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
|
|
Reporter | |
Comment 10•15 years ago
|
||
Confirmed, the old testcase doesn't work anymore.
Attached is a new one which crashes at the same place.
|
|
Reporter | |
Comment 11•15 years ago
|
||
|
||
Updated•15 years ago
|
status1.9.1:
--- → .16-fixed
|
|
Reporter | |
Updated•13 years ago
|
Blocks: fuzzing-fonts
You need to log in
before you can comment on or make changes to this bug.
Description
•