Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre Invalid values are: Offsets: dict_items([(129665, b'\xff\xff\xff\xff'), (76865, b'\xff\xc4@\x0f'), (107273, b'\x80\x00'), (67850, b'\xff\xff'), (160139, b'\x7f\xff'), (125708, b'\x80\x00'), (151957, b'\x7f\xff'), (152730, b'\xff\xff\xff\xff'), (17582, b'\xff\xff'), (11056, b'\x7f\xff'), (24369, b'@\x00'), (30006, b' \x00'), (136129, b'@\x00'), (92738, b'\x80\x00\x00\x00'), (101345, b'\x7f\xff\xff\xff'), (33608, b'@\x00'), (167753, b'\xff\xc4@\x0f'), (4176, b'\xff\xc4@\x0f'), (4561, b'\xff\xff'), (63828, b'\xff\xc4@\x0f'), (65365, b'\xff\xc4@\x0f'), (148825, b'\xff\xc4@\x0f'), (171482, b'\x80\x00\x00\x00'), (58843, b' \x00'), (73568, b' \x00'), (108897, b'\xff\xff\xff\xff'), (80358, b' \x00'), (137320, b'\x7f\xff\xff\xff'), (151785, b'\xff\xff'), (140397, b'\x80\x00'), (15475, b' \x00'), (150121, b'@\x00'), (31489, b'\x7f\xff'), (169725, b'\xff\xc4@\x0f'), (131839, b'\x80\x00')]) Load the provided html file.

This is a crash within the CoreGraphics font rasterizer; there's little we can do about this except report it to Apple and hope they'll make CG more robust.

Note that Safari crashes with a similar callstack on this testcase.

Filed rdar://8222223 to report this to Apple.

BTW, what do those offsets in the description mean? Are those offsets into the file itself, or into a given table (e.g. the 'glyf' table)?

Correct, offsets into the file itself.

This will be fixed by the OTS sanitizer (bug 527276).

This is fixed on trunk and 1.9.2 by the sanitizer blocking the fuzzed font.

QA needs to check this in OS X 10.6.4. It no longer crashes on OS X 10.6.5 with 1.9.2.12.