Closed Bug 580730 Opened 14 years ago Closed 14 years ago

Invalid values in TT's glyf table leading to crash [@TSparseCoordsListPerComposits::GetCoords()]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: verified1.9.2, Whiteboard: rdar://8233435)

Attachments

(3 files, 1 obsolete file)

callstack
(deleted), text/plain
Details
Safari callstack
(deleted), text/plain
Details
testcase
(deleted), application/zip
Details
Attached file testcase (obsolete) (deleted) —
Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre I am testing something new. Currently I can't provide you guys with the exact values/tables. Load the provided html file.
Attached file callstack (deleted) —
blocking2.0: --- → ?
blocking2.0: ? → final+
Assignee: nobody → jdaggett
Christoph, any idea what table/offsets you were fuzzing? It would really help tracking down the cause. I'm guessing somewhere in the glyf table but that probably needs to be verified. For OSX cases, could you note when a testcase also crashes in Safari? That helps raise the priority when reporting it to Apple.
John, it is the glyf table. I am currently trying to reduce the testcase. Yes, Safari is affected too.
Summary: Invalid values in TT font leading to crash [@TSparseCoordsListPerComposits::GetCoords()] → Invalid values in TT's glyf table leading to crash [@TSparseCoordsListPerComposits::GetCoords()]
Attached file Safari callstack (deleted) —
Crashes in Safari on 10.6.4 but not 10.5.8.
Logged rdar://8233435 with Apple.
Attached file testcase (deleted) —
testcase.zip includes: values.txt
Attachment #459103 - Attachment is obsolete: true
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
status1.9.2: --- → .13-fixed
Resolution: --- → FIXED
Verified fixed in 1.9.2.13 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13pre) Gecko/20101118 Namoroka/3.6.13pre using testcase. Test no longer crashes as it does in 1.9.2.12. (This was tested on OS X 10.6.5 but crash was verified first.)
Keywords: verified1.9.2
Blocks: fuzzing-fonts
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: