Bug 597942 - Malformed font leads to crash in Apple's ATSUI [@AppendOTFeaturesFromTable]
: verified1.9.2
Product: Core
Classification: Components
Component: Graphics
Version: 1.9.2 Branch
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: ---
Assigned To: Jonathan Kew (:jfkthame)
QA Contact: Milan Sreckovic [:milan] (PTO through Oct 23)
Depends on: CVE-2010-3768
Blocks: fuzzing-fonts
Reported: 2010-09-19 22:22 PDT by Christoph Diehl [:posidron]
Modified: 2012-05-01 06:50 PDT (History)

Attachments:
  testcase (99.15 KB, application/zip), 2010-09-19 22:22 PDT, Christoph Diehl [:posidron]
  callstack (42.53 KB, text/plain), 2010-09-19 22:23 PDT, Christoph Diehl [:posidron]
  callstack on trunk with harfbuzz disabled (90.66 KB, text/plain), 2010-09-22 00:45 PDT, John Daggett (:jtd)
  testcase (87.34 KB, application/zip), 2010-09-27 11:30 PDT, Christoph Diehl [:posidron]

Description Christoph Diehl [:posidron] 2010-09-19 22:22:56 PDT
Created attachment 476715: testcase

Table: b'GPOS'
Number of replaced values: 4
Offset:  39/0x000027	Value: ['7f', 'ff']
Offset:  45/0x00002d	Value: ['ff', 'ff', 'ff', 'ff']
Offset:  47/0x00002f	Value: ['7f', 'ff']
Offset:  52/0x000034	Value: ['80', '00', '00', '00']

ProductName:	Mac OS X
ProductVersion:	10.6.5
BuildVersion:	10H542
Comment 1 Christoph Diehl [:posidron] 2010-09-19 22:23:46 PDT
Created attachment 476716: callstack
Comment 2 John Daggett (:jtd) 2010-09-22 00:45:55 PDT
Created attachment 477432: callstack on trunk with harfbuzz disabled
callstack on trunk with harfbuzz disabled

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre

Running with harfbuzz disabled on 10.6.5 latest seed (10H542)
Comment 3 Christoph Diehl [:posidron] 2010-09-27 11:30:03 PDT
Created attachment 478819: testcase

Attached is a new, simplified testcase; the callstack is the same.

Top Mode: replace
Sub Mode: table spread
Table: b'GSUB'
Number of values: 1
Offset:   55/0x000037  Value: ['ff', 'ff']
Comment 4 Jonathan Kew (:jfkthame) 2010-09-29 04:40:49 PDT
This will be fixed by the OTS sanitizer (bug 527276).
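GSUB and GPOS share the same ScriptList/FeatureList/LookupList layout, and the fuzzed bytes above land in exactly those offset fields. The sanitizer's job is to reject any offset or lookup index that escapes the table before the system shaper ever walks it. The following is an added example of that kind of bounds check; it is my own code, not OTS or Gecko code, and the table it inspects is constructed here, with the 0xffff variant standing in for the fuzzer's 'ff ff' replacement.

```python
import struct

HEADER = struct.Struct(">HHHHH")  # majorVersion, minorVersion, scriptList, featureList, lookupList offsets

def _u16(data, off):
    """Read a big-endian uint16, raising ValueError instead of reading past the end of the table."""
    if off < 0 or off + 2 > len(data):
        raise ValueError(f"read at offset {off} exceeds table length {len(data)}")
    return struct.unpack_from(">H", data, off)[0]

def check_feature_list(data):
    """Walk the FeatureList of a GSUB or GPOS table, checking every offset and lookup index it contains.
    Returns [(tag, [lookup indices]), ...] when the table is consistent, raises ValueError when it is not."""
    if len(data) < HEADER.size:
        raise ValueError("table shorter than its header")
    _major, _minor, _script_off, feat_off, lookup_off = HEADER.unpack_from(data, 0)
    lookup_count = _u16(data, lookup_off)
    feature_count = _u16(data, feat_off)
    features = []
    for i in range(feature_count):
        rec = feat_off + 2 + 6 * i                   # FeatureRecord: 4-byte tag + uint16 offset
        if rec + 6 > len(data):
            raise ValueError(f"FeatureRecord {i} runs past the end of the table")
        tag = data[rec:rec + 4].decode("latin-1")
        feature = feat_off + _u16(data, rec + 4)     # offset is relative to the FeatureList start
        count = _u16(data, feature + 2)              # Feature: featureParams, lookupIndexCount, indices
        indices = [_u16(data, feature + 4 + 2 * j) for j in range(count)]
        if any(x >= lookup_count for x in indices):
            raise ValueError(f"feature {tag!r} references a lookup beyond the {lookup_count} defined")
        features.append((tag, indices))
    return features

def is_safe(data):
    """True when the table passes the checks above, False when a sanitizer would have to reject it."""
    try:
        check_feature_list(data)
        return True
    except ValueError:
        return False

def build_table(feature_offset=8):
    """Constructed minimal GSUB-shaped table: empty ScriptList, one 'kern' feature using lookup 0, one empty
    Lookup. feature_offset=0xffff writes 'ff ff' over the FeatureRecord offset, mirroring the fuzzer's edit."""
    header = HEADER.pack(1, 0, 10, 12, 26)            # ScriptList @10, FeatureList @12, LookupList @26
    script_list = struct.pack(">H", 0)                # scriptCount = 0
    feature_list = struct.pack(">H", 1) + b"kern" + struct.pack(">H", feature_offset)
    feature = struct.pack(">HHH", 0, 1, 0)            # featureParams, lookupIndexCount, lookupListIndex
    lookup_list = struct.pack(">HH", 1, 4)            # lookupCount, offset to the single Lookup
    lookup = struct.pack(">HHH", 1, 0, 0)             # lookupType, lookupFlag, subTableCount
    return header + script_list + feature_list + feature + lookup_list + lookup
```

A real sanitizer also walks the ScriptList and every Lookup subtable the same way; the pattern is identical, so only the FeatureList is shown here.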
Comment 5 Al Billings [:abillings] 2010-11-18 13:41:24 PST
Verified fixed in Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20101118 Namoroka/3.6.13pre) using the testcase. Crashes reliably with it, and .13pre is unaffected.