Closed Bug 959578 Opened 10 years ago Closed 10 years ago

OTS accepts subtable offsets inside the GDEF/GSUB header

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla29

People

(Reporter: fredw, Assigned: fredw)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file)

ots-gdef.diff
879 bytes, patch
Details | Diff | Splinter Review 
While trying to implement support for the MATH table (bug 407059), I realized that the size of the GDEF header is not computed correctly. It is set to 8 (10 in version 2) while it should be 12 (14 in version 2). It seems that the 4 bytes for the Version number have been forgotten in the computation.

This means that GlyphClassDef, AttachList, LigCaretList, MarkAttachClassDef and MarkGlyphSetsDef offsets may incorrectly point toward the two last bytes of the GDEF header.

I'm opening this as a security bug, but I don't think it is really exploitable since either the parsing of the subtable will fail or the subtable will be parsable without problem.

I will also report this upstream.
Attached patch ots-gdef.diffSplinter Review 

        Attachment #8359778 -
        Flags: review?(jfkthame)

        Attachment #8359778 -
        Flags: review?(jdaggett)

    
    

    
  
LGTM, thanks.

Given that it's not a critical security issue, I'd prefer to take it as part of an OTS update rather than a local patch. However, if upstream doesn't respond and apply the fix soon, we could take it locally as a temporary fix.

    
  

        Attachment #8359778 -
        Flags: review?(jfkthame)

        Attachment #8359778 -
        Flags: review?(jdaggett)
Group: core-security

    
  
Summary: OTS accepts subtable offsets inside the GDEF header → OTS accepts subtable offsets inside the GDEF/GSUB header

    
  
Depends on: 941019

    
    

    
  
Fixed by bug 941019.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29

    
  
Whiteboard: [qa-]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: