Closed Bug 583715 Opened 14 years ago Closed 14 years ago

Invalid values in TTs glyf & EBLC table leading to hang [@GDI32!NtGdiGetCharABCWidthsW]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

Attachments

(3 files, 2 obsolete files)

testcase-EBLC
(deleted), application/x-zip
Details
testcase-glyf
(deleted), application/x-zip
Details
callstack
(deleted), text/plain
Details
Attached file testcase (obsolete) (deleted) —
Tag: b'glyf' Checksum: 0x4e72dd01 Offset: 6556/0x0000199c Length: 41176 Offset: 27651/0x006c03 Value: ['80', '00', '00', '00'] Offset: 27970/0x006d42 Value: ['ff'] IE is not affected. Load the provided html file.
Summary: Invalid values in TTs glyf table leading to hang → Invalid values in TTs glyf table leading to hang [@USP10!UspFreeMem]
Attached file callstack (obsolete) (deleted) —
blocking2.0: --- → ?
Summary: Invalid values in TTs glyf table leading to hang [@USP10!UspFreeMem] → Invalid values in TTs glyf & EBLC table leading to hang [@GDI32!NtGdiGetCharABCWidthsW]
Attached file testcase-EBLC (deleted) —
Attached file testcase-glyf (deleted) —
Attachment #462041 - Attachment is obsolete: true
Attached file callstack (deleted) —
Attachment #462043 - Attachment is obsolete: true
tag: b'EBLC' checksum: 0x00015e24 offset: 332/0x0000014c length: 1568 Table: b'EBLC' Number of replaced values: 3 Offset: 668/0x00029c Value: ['ff', 'c4', '40', '0f'] Offset: 1249/0x0004e1 Value: ['ff', 'c4', '40', '0f'] Offset: 1284/0x000504 Value: ['ff'] Note: in this testcase the font-size must equal 10 IE is not affected.
John, you're cool with win32 font stuff, right?
Assignee: nobody → jdaggett
blocking2.0: ? → final+
If this helps, in bug 584185 (dup of this bug) i created a small sample extracted from the URL indicated in that bug. I can reproduce this in WIN 7 32 bits too.
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Checked that OTS blocks the bad fonts from both testcases here.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Blocks: fuzzing-fonts
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: