Closed Bug 596227 Opened 14 years ago Closed 14 years ago

Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]

Categories

(Core :: Graphics, defect)

1.9.2 Branch
x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: verified1.9.2)

Attachments

(4 files)

Attached file testcase
Table: b'prep'
Number of replaced values: 2
Offset:          6/0x000006	Value: ['ff', 'ff']
Offset:         11/0x00000b	Value: ['80', '00', '00', '00']

  <prep>
    <assembly>
      PUSHW[ ]  /* 4 values pushed */
      1 2 255 -256
      CALL[ ]
      CALL[ ]
      FLIPPT[ ]
      SVTCA[0]
      SVTCA[0]
      SVTCA[0]
      AND[ ]
      SVTCA[0]
      GC[0]
      SVTCA[0]
      SHP[0]
      SVTCA[0]
      SSWCI[ ]
      SVTCA[0]
      SFVTL[0]
      CALL[ ]
      PUSHW[ ]  /* 6 values pushed */
      1 45 35 25 15 8
      CALL[ ]
    </assembly>
  </prep>
Attached file callstack
blocking2.0: --- → ?
Assignee: nobody → jdaggett
Summary: Malformed font leads to crash [@fnt_FLIPPT] → Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]
Braden Thomas from Apple says they've fixed a bunch of libTrueTypeScaler bugs in the 10.6 seed, since they've been fuzzing it themselves recently.  Christoph, if we hook you up with a 10.6 seed, can you retest these bugs?
Yes, why not.
blocking2.0: ? → final+
Fixed in 10.6.5 10H542 (seed build)
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?
Whiteboard: [qa-ntd-192]
Ah, I see this was fixed in 10.6.5, which I am running on.
Whiteboard: [qa-ntd-192]
(In reply to comment #6)
> 1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in
> it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12)
> Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?

The original report was filed against 1.9.2, and the callstack confirms that's what he was running (3.6.10pre, to be exact).

Quite a few (but not all) of these fuzzed-font bugs have been fixed in recent 10.6.x updates, so running an older build of 10.6 (or even 10.5) may be a better way to confirm our fixes.
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X
10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in
1.9.2.12 when run on OS X 10.6.4.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Confirmed, the old testcase doesn't work anymore. 
Attached is a new one which crashes at the same place.
You need to log in before you can comment on or make changes to this bug.