Closed
Bug 596227
Opened 14 years ago
Closed 14 years ago
Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]
Categories
(Core :: Graphics, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: posidron, Assigned: jfkthame)
References
(Blocks 1 open bug)
Details
(Keywords: verified1.9.2)
Attachments
(4 files)
Table: b'prep' Number of replaced values: 2 Offset: 6/0x000006 Value: ['ff', 'ff'] Offset: 11/0x00000b Value: ['80', '00', '00', '00'] <prep> <assembly> PUSHW[ ] /* 4 values pushed */ 1 2 255 -256 CALL[ ] CALL[ ] FLIPPT[ ] SVTCA[0] SVTCA[0] SVTCA[0] AND[ ] SVTCA[0] GC[0] SVTCA[0] SHP[0] SVTCA[0] SSWCI[ ] SVTCA[0] SFVTL[0] CALL[ ] PUSHW[ ] /* 6 values pushed */ 1 45 35 25 15 8 CALL[ ] </assembly> </prep>
Reporter | ||
Comment 1•14 years ago
|
||
Updated•14 years ago
|
blocking2.0: --- → ?
Updated•14 years ago
|
Assignee: nobody → jdaggett
Updated•14 years ago
|
Summary: Malformed font leads to crash [@fnt_FLIPPT] → Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]
Comment 2•14 years ago
|
||
Braden Thomas from Apple says they've fixed a bunch of libTrueTypeScaler bugs in the 10.6 seed, since they've been fuzzing it themselves recently. Christoph, if we hook you up with a 10.6 seed, can you retest these bugs?
Reporter | ||
Comment 3•14 years ago
|
||
Yes, why not.
Updated•14 years ago
|
blocking2.0: ? → final+
Comment 4•14 years ago
|
||
Fixed in 10.6.5 10H542 (seed build)
Assignee | ||
Comment 5•14 years ago
|
||
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Assignee | ||
Updated•14 years ago
|
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
status1.9.2:
--- → .13-fixed
Resolution: --- → FIXED
Comment 6•14 years ago
|
||
1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?
Whiteboard: [qa-ntd-192]
Comment 7•14 years ago
|
||
Ah, I see this was fixed in 10.6.5, which I am running on.
Updated•14 years ago
|
Whiteboard: [qa-ntd-192]
Assignee | ||
Comment 8•14 years ago
|
||
(In reply to comment #6) > 1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in > it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) > Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2? The original report was filed against 1.9.2, and the callstack confirms that's what he was running (3.6.10pre, to be exact). Quite a few (but not all) of these fuzzed-font bugs have been fixed in recent 10.6.x updates, so running an older build of 10.6 (or even 10.5) may be a better way to confirm our fixes.
Comment 9•14 years ago
|
||
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in 1.9.2.12 when run on OS X 10.6.4.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Reporter | ||
Comment 10•14 years ago
|
||
Confirmed, the old testcase doesn't work anymore. Attached is a new one which crashes at the same place.
Reporter | ||
Comment 11•14 years ago
|
||
Updated•14 years ago
|
status1.9.1:
--- → .16-fixed
Reporter | ||
Updated•12 years ago
|
Blocks: fuzzing-fonts
You need to log in
before you can comment on or make changes to this bug.
Description
•