Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]

VERIFIED FIXED

Status

()

Core
Graphics
--
critical
VERIFIED FIXED
7 years ago
5 years ago

People

(Reporter: posidron, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {verified1.9.2})

1.9.2 Branch
x86
Mac OS X
verified1.9.2
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 .13-fixed, status1.9.1 .16-fixed)

Details

Attachments

(4 attachments)

(Reporter)

Description

7 years ago
Created attachment 475082 [details]
testcase

Table: b'prep'
Number of replaced values: 2
Offset:          6/0x000006	Value: ['ff', 'ff']
Offset:         11/0x00000b	Value: ['80', '00', '00', '00']

  <prep>
    <assembly>
      PUSHW[ ]  /* 4 values pushed */
      1 2 255 -256
      CALL[ ]
      CALL[ ]
      FLIPPT[ ]
      SVTCA[0]
      SVTCA[0]
      SVTCA[0]
      AND[ ]
      SVTCA[0]
      GC[0]
      SVTCA[0]
      SHP[0]
      SVTCA[0]
      SSWCI[ ]
      SVTCA[0]
      SFVTL[0]
      CALL[ ]
      PUSHW[ ]  /* 6 values pushed */
      1 45 35 25 15 8
      CALL[ ]
    </assembly>
  </prep>
(Reporter)

Comment 1

7 years ago
Created attachment 475083 [details]
callstack
blocking2.0: --- → ?

Updated

7 years ago
Assignee: nobody → jdaggett

Updated

7 years ago
Summary: Malformed font leads to crash [@fnt_FLIPPT] → Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]

Comment 2

7 years ago
Braden Thomas from Apple says they've fixed a bunch of libTrueTypeScaler bugs in the 10.6 seed, since they've been fuzzing it themselves recently.  Christoph, if we hook you up with a 10.6 seed, can you retest these bugs?
(Reporter)

Comment 3

7 years ago
Yes, why not.
blocking2.0: ? → final+

Comment 4

7 years ago
Fixed in 10.6.5 10H542 (seed build)
(Assignee)

Comment 5

7 years ago
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: 527276
(Assignee)

Updated

7 years ago
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status1.9.2: --- → .13-fixed
Resolution: --- → FIXED
1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?
Whiteboard: [qa-ntd-192]
Ah, I see this was fixed in 10.6.5, which I am running on.
Whiteboard: [qa-ntd-192]
(Assignee)

Comment 8

7 years ago
(In reply to comment #6)
> 1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in
> it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12)
> Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?

The original report was filed against 1.9.2, and the callstack confirms that's what he was running (3.6.10pre, to be exact).

Quite a few (but not all) of these fuzzed-font bugs have been fixed in recent 10.6.x updates, so running an older build of 10.6 (or even 10.5) may be a better way to confirm our fixes.
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X
10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in
1.9.2.12 when run on OS X 10.6.4.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
(Reporter)

Comment 10

7 years ago
Created attachment 492103 [details]
testcase - 3.6.13pre - MacOSX 10.6.5

Confirmed, the old testcase doesn't work anymore. 
Attached is a new one which crashes at the same place.
(Reporter)

Comment 11

7 years ago
Created attachment 492104 [details]
callstack - 3.6.13pre - MacOSX 10.6.5
status1.9.1: --- → .16-fixed
(Reporter)

Updated

5 years ago
Blocks: 750695
You need to log in before you can comment on or make changes to this bug.