Bug 596227 - Malformed font leads to crash in Apple's libTrueTypeScaler [@ fnt_FLIPPT]
Status: VERIFIED FIXED (verified1.9.2)
Product: Core
Classification: Components
Component: Graphics
Version: 1.9.2 Branch
Platform: x86 Mac OS X
Severity: critical
Assigned To: Jonathan Kew (:jfkthame)
Depends on: CVE-2010-3768
Blocks: fuzzing-fonts
Reported: 2010-09-14 08:19 PDT by Christoph Diehl [:posidron]
Modified: 2012-05-01 06:50 PDT
Flags: final+, .13-fixed, .16-fixed

Attachments
testcase (91.41 KB, application/zip), 2010-09-14 08:19 PDT, Christoph Diehl [:posidron]
callstack (44.64 KB, text/plain), 2010-09-14 08:20 PDT, Christoph Diehl [:posidron]
testcase - 3.6.13pre - MacOSX 10.6.5 (100.54 KB, application/zip), 2010-11-20 14:54 PST, Christoph Diehl [:posidron]
callstack - 3.6.13pre - MacOSX 10.6.5 (49.81 KB, text/plain), 2010-11-20 14:55 PST, Christoph Diehl [:posidron]

Description Christoph Diehl [:posidron] 2010-09-14 08:19:46 PDT
Created attachment 475082 [details]
testcase

Table: b'prep'
Number of replaced values: 2
Offset:          6/0x000006	Value: ['ff', 'ff']
Offset:         11/0x00000b	Value: ['80', '00', '00', '00']

  <prep>
    <assembly>
      PUSHW[ ]  /* 4 values pushed */
      1 2 255 -256
      CALL[ ]
      CALL[ ]
      FLIPPT[ ]
      SVTCA[0]
      SVTCA[0]
      SVTCA[0]
      AND[ ]
      SVTCA[0]
      GC[0]
      SVTCA[0]
      SHP[0]
      SVTCA[0]
      SSWCI[ ]
      SVTCA[0]
      SFVTL[0]
      CALL[ ]
      PUSHW[ ]  /* 6 values pushed */
      1 45 35 25 15 8
      CALL[ ]
    </assembly>
  </prep>
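The description above shows the two byte replacements the fuzzer made in the 'prep' table and the resulting instruction stream: a PUSHW whose last word became -256, two CALLs that consume the top of that stack, and a FLIPPT that now executes inside the pre-program. The following is an added example, not code from the bug, from Mozilla, Apple or OTS: a small static decoder and lint for a prep instruction stream of the kind a sanitizer runs before handing a font to a platform rasterizer. The PREP bytes are reconstructed from the listing (the attached test case itself is not on the page, so the exact bytes are an assumption); the lint simulates only the push instructions, treats the stack as unknown after any CALL because the callee's effect is not modelled, and reports a negative function number and any instruction that reads glyph-zone points in a program that runs with no outline loaded.

```python
"""Static lint for a TrueType 'prep' instruction stream (added example).

The PREP bytes are reconstructed from the disassembly in the bug description;
the real test case is not on the page, so this reconstruction is an assumption.
"""
import struct

# Mnemonics for the opcodes that appear in the listing, rendered in its style.
OPCODES = {
    0x00: "SVTCA[0]", 0x01: "SVTCA[1]", 0x08: "SFVTL[0]", 0x09: "SFVTL[1]",
    0x1E: "SSWCI[ ]", 0x2B: "CALL[ ]", 0x32: "SHP[0]", 0x33: "SHP[1]",
    0x46: "GC[0]", 0x47: "GC[1]", 0x5A: "AND[ ]", 0x80: "FLIPPT[ ]",
}
NPUSH_OPS = {0x40: "NPUSHB[ ]", 0x41: "NPUSHW[ ]"}   # count byte follows the opcode
POINT_OPS = {0x32, 0x33, 0x46, 0x47, 0x80}            # pop a glyph-zone point number

# Constructed prep table matching the listing: offsets 6-7 hold 0xFF 0xFF and
# offset 11 starts 0x80 0x00 0x00 0x00, exactly as in the fuzzer's replacement log.
PREP = bytes([
    0xBB, 0x00, 0x01, 0x00, 0x02, 0x00, 0xFF, 0xFF, 0x00,   # PUSHW 1 2 255 -256
    0x2B, 0x2B, 0x80, 0x00, 0x00, 0x00, 0x5A, 0x00, 0x46,   # CALL CALL FLIPPT SVTCA x3 AND SVTCA GC
    0x00, 0x32, 0x00, 0x1E, 0x00, 0x08, 0x2B,               # SVTCA SHP SVTCA SSWCI SVTCA SFVTL CALL
    0xBD, 0x00, 0x01, 0x00, 0x2D, 0x00, 0x23, 0x00, 0x19,   # PUSHW 1 45 35 25 15 8
    0x00, 0x0F, 0x00, 0x08, 0x2B,                           # ... CALL
])


def decode(code):
    """Yield (offset, opcode, mnemonic, pushed_values) for each instruction.

    Raises ValueError when a push instruction runs past the end of the table,
    the first malformation a sanitizer has to reject.
    """
    i = 0
    while i < len(code):
        start, op = i, code[i]
        i += 1
        vals = []
        if op in NPUSH_OPS or 0xB0 <= op <= 0xBF:
            if op in NPUSH_OPS:
                if i >= len(code):
                    raise ValueError(f"truncated push at offset {start}")
                n, i = code[i], i + 1
                width = 1 if op == 0x40 else 2
                mnem = NPUSH_OPS[op]
            else:                                  # PUSHB[n]/PUSHW[n] push n+1 values
                width = 1 if op <= 0xB7 else 2
                n = op - (0xB0 if width == 1 else 0xB8) + 1
                mnem = "PUSHB[ ]" if width == 1 else "PUSHW[ ]"
            chunk = code[i:i + n * width]
            if len(chunk) != n * width:
                raise ValueError(f"truncated push at offset {start}")
            # PUSHB values are unsigned bytes; PUSHW words are sign-extended.
            vals = list(chunk) if width == 1 else list(struct.unpack(f">{n}h", chunk))
            i += n * width
        else:
            mnem = OPCODES.get(op, f"OP_{op:02X}")
        yield start, op, mnem, vals


def is_well_formed(code):
    """True if every push instruction lies entirely inside the table."""
    try:
        for _ in decode(code):
            pass
        return True
    except ValueError:
        return False


def disassemble(code):
    """Render the stream as one mnemonic per line, operands after PUSH ops."""
    return [mnem + (" " + " ".join(str(v) for v in vals) if vals else "")
            for _, _, mnem, vals in decode(code)]


def lint(code):
    """Return (offset, message) findings a robust interpreter must guard against."""
    findings, stack, known = [], [], True
    for off, op, mnem, vals in decode(code):
        if op in NPUSH_OPS or 0xB0 <= op <= 0xBF:
            if known:
                stack.extend(vals)
        elif op == 0x2B:                              # CALL pops a function number
            fn = stack.pop() if known and stack else None
            if fn is not None and fn < 0:
                findings.append((off, f"CALL with negative function number {fn}"))
            known = False                             # callee's stack effect unknown
        elif op in POINT_OPS:
            arg = stack.pop() if known and stack else None
            shown = "unknown (after CALL)" if arg is None else str(arg)
            findings.append((off, f"{mnem} reads glyph-zone point {shown} in prep, "
                                  "where no outline is loaded"))
    return findings


if __name__ == "__main__":
    for line in disassemble(PREP):
        print("   ", line)
    for off, msg in lint(PREP):
        print(f"offset {off:3d}: {msg}")
```

Run as a script, it prints the same 19-instruction listing as the description and four findings: the CALL at offset 9 with function number -256, and FLIPPT, GC and SHP at offsets 11, 17 and 19 reading points that do not exist while prep runs. Anything more precise (the actual point index FLIPPT sees, the zone-size check the scaler failed to make) needs a real interpreter; the point of a lint like this is to reject or strip hinting programs before a closed-source rasterizer ever executes them, which is the approach comment 5 refers to.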
Comment 1 Christoph Diehl [:posidron] 2010-09-14 08:20:14 PDT
Created attachment 475083 [details]
callstack
Comment 2 Jesse Ruderman 2010-09-14 15:32:18 PDT
Braden Thomas from Apple says they've fixed a bunch of libTrueTypeScaler bugs in the 10.6 seed, since they've been fuzzing it themselves recently.  Christoph, if we hook you up with a 10.6 seed, can you retest these bugs?
Comment 3 Christoph Diehl [:posidron] 2010-09-14 15:37:05 PDT
Yes, why not.
Comment 4 John Daggett (:jtd) 2010-09-28 23:25:30 PDT
Fixed in 10.6.5 10H542 (seed build)
Comment 5 Jonathan Kew (:jfkthame) 2010-09-29 04:42:34 PDT
This will be fixed by the OTS sanitizer (bug 527276).
Comment 6 Al Billings [:abillings] 2010-11-18 13:44:08 PST
1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?
Comment 7 Al Billings [:abillings] 2010-11-18 13:46:03 PST
Ah, I see this was fixed in 10.6.5, which I am running on.
Comment 8 Jonathan Kew (:jfkthame) 2010-11-18 14:07:40 PST
(In reply to comment #6)
> 1.9.2.12 seems to be unaffected by this. The testcase does not cause a crash in
> it (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12)
> Gecko/20101026 Firefox/3.6.12). Was this ever actually seen to crash on 1.9.2?

The original report was filed against 1.9.2, and the callstack confirms that's what he was running (3.6.10pre, to be exact).

Quite a few (but not all) of these fuzzed-font bugs have been fixed in recent 10.6.x updates, so running an older build of 10.6 (or even 10.5) may be a better way to confirm our fixes.
Comment 9 Al Billings [:abillings] 2010-11-19 17:32:15 PST
Verified fixed for 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101119 Namoroka/3.6.13pre. Crashes in 1.9.2.12 when run on OS X 10.6.4.
Comment 10 Christoph Diehl [:posidron] 2010-11-20 14:54:09 PST
Created attachment 492103 [details]
testcase - 3.6.13pre - MacOSX 10.6.5

Confirmed, the old testcase doesn't work anymore. Attached is a new one which crashes at the same place.
Comment 11 Christoph Diehl [:posidron] 2010-11-20 14:55:15 PST
Created attachment 492104 [details]
callstack - 3.6.13pre - MacOSX 10.6.5
