Closed Bug 959578 Opened 7 years ago Closed 7 years ago

OTS accepts subtable offsets inside the GDEF/GSUB header

Categories

(Core :: Graphics: Text, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla29

People

(Reporter: fredw, Assigned: fredw)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file)

While trying to implement support for the MATH table (bug 407059), I realized that the size of the GDEF header is not computed correctly. It is set to 8 (10 in version 2) while it should be 12 (14 in version 2). It seems that the 4 bytes for the Version number have been forgotten in the computation.

This means that the GlyphClassDef, AttachList, LigCaretList, MarkAttachClassDef and MarkGlyphSetsDef offsets may incorrectly point at the last two bytes of the GDEF header.

I'm opening this as a security bug, but I don't think it is really exploitable since either the parsing of the subtable will fail or the subtable will be parsable without problem.

I will also report this upstream.
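The header-size mistake described in the report is easy to see in a small offset check. The following is an added example written for this page, not OTS code or the attached patch: it computes the GDEF header size with the 4-byte Version field included (12 bytes for version 1.0, 14 for version 1.2, per the OpenType GDEF layout), then validates each subtable offset against it. A flag reproduces the buggy lower bound (8 or 10) so the two behaviours can be compared on constructed sample tables; the sample byte strings are made up for the example and are not taken from any real font.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian field reads; OpenType tables are stored big-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Correct GDEF header size: the 4-byte Version followed by 16-bit offsets
   (GlyphClassDef, AttachList, LigCaretList, MarkAttachClassDef, and for
   version 1.2 also MarkGlyphSetsDef). Returns 0 for unsupported versions. */
size_t gdef_header_size(uint32_t version) {
    if (version == 0x00010000u) return 4 + 4 * 2; /* 12 */
    if (version == 0x00010002u) return 4 + 5 * 2; /* 14 */
    return 0;
}

/* Check every subtable offset in a GDEF table of `len` bytes.
   Returns 1 if all offsets are acceptable, 0 otherwise.
   An offset of 0 means the subtable is absent. A non-zero offset must be
   at or past the end of the header and strictly inside the table.
   With `forget_version_field` set, the lower bound is computed the way the
   bug report describes (header size without the 4-byte Version, i.e. 8 or
   10), which lets an offset land on the trailing bytes of the header. */
int gdef_offsets_ok(const uint8_t *tab, size_t len, int forget_version_field) {
    if (len < 4) return 0;
    size_t hdr = gdef_header_size(rd32(tab));
    if (hdr == 0 || len < hdr) return 0;
    size_t min_off = forget_version_field ? hdr - 4 : hdr;
    size_t noffsets = (hdr - 4) / 2;
    for (size_t i = 0; i < noffsets; i++) {
        uint16_t off = rd16(tab + 4 + 2 * i);
        if (off == 0) continue;                 /* subtable absent */
        if (off < min_off || off >= len) return 0;
    }
    return 1;
}

/* Constructed sample tables (not from any real font). Each ends with a
   6-byte ClassDefFormat1 with zero glyphs placed right after the header. */

/* Version 1.0, GlyphClassDef offset = 10: points at the MarkAttachClassDef
   field inside the 12-byte header. */
const uint8_t GDEF_BAD_V10[] = {
    0x00,0x01,0x00,0x00,  0x00,0x0A,  0x00,0x00,  0x00,0x00,  0x00,0x00,
    0x00,0x01, 0x00,0x00, 0x00,0x00 };

/* Version 1.0, GlyphClassDef offset = 12: first byte past the header. */
const uint8_t GDEF_OK_V10[] = {
    0x00,0x01,0x00,0x00,  0x00,0x0C,  0x00,0x00,  0x00,0x00,  0x00,0x00,
    0x00,0x01, 0x00,0x00, 0x00,0x00 };

/* Version 1.2, MarkGlyphSetsDef offset = 12: inside the 14-byte header. */
const uint8_t GDEF_BAD_V12[] = {
    0x00,0x01,0x00,0x02,  0x00,0x00,  0x00,0x00,  0x00,0x00,  0x00,0x00,  0x00,0x0C,
    0x00,0x01, 0x00,0x00, 0x00,0x00 };

int main(void) {
    printf("bad v1.0 (offset 10): buggy=%d fixed=%d\n",
           gdef_offsets_ok(GDEF_BAD_V10, sizeof GDEF_BAD_V10, 1),
           gdef_offsets_ok(GDEF_BAD_V10, sizeof GDEF_BAD_V10, 0));
    printf("ok  v1.0 (offset 12): buggy=%d fixed=%d\n",
           gdef_offsets_ok(GDEF_OK_V10, sizeof GDEF_OK_V10, 1),
           gdef_offsets_ok(GDEF_OK_V10, sizeof GDEF_OK_V10, 0));
    printf("bad v1.2 (offset 12): buggy=%d fixed=%d\n",
           gdef_offsets_ok(GDEF_BAD_V12, sizeof GDEF_BAD_V12, 1),
           gdef_offsets_ok(GDEF_BAD_V12, sizeof GDEF_BAD_V12, 0));
    return 0;
}
```

With the buggy lower bound both "bad" tables pass, and the subtable parser is then handed the last two bytes of the header as if they were a ClassDef or MarkGlyphSets table; with the Version field counted, those offsets are rejected before any subtable parsing happens.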
Attached patch ots-gdef.diff
Attachment #8359778 - Flags: review?(jfkthame)
Attachment #8359778 - Flags: review?(jdaggett)
LGTM, thanks.

Given that it's not a critical security issue, I'd prefer to take it as part of an OTS update rather than a local patch. However, if upstream doesn't respond and apply the fix soon, we could take it locally as a temporary fix.
Attachment #8359778 - Flags: review?(jfkthame)
Attachment #8359778 - Flags: review?(jdaggett)
Group: core-security
Summary: OTS accepts subtable offsets inside the GDEF header → OTS accepts subtable offsets inside the GDEF/GSUB header
Depends on: 941019
Fixed by bug 941019.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Whiteboard: [qa-]