Closed Bug 588233 Opened 14 years ago Closed 14 years ago

Crash in Uniscribe from fuzzed font

Component: Core :: Graphics
Type: defect
Version: 1.9.2 Branch
Platform: x86, Windows XP
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Tracking Status: status1.9.2 --- .13-fixed; status1.9.1 --- .16-fixed

Reporter: bsterne
Assignee: jfkthame

Whiteboard: [sg:vector-critical (Windows)]

Attachments: 1 file

Attached file: testcase (crash) (deleted)

Marc Schoenefeld reported the following crash to security@mozilla.org: With the fuzzed font he generated (testcase attached) Firefox 3.6.8 crashes on Windows down in Uniscribe code. I couldn't get Minefield to crash using the same testcase, so I'm marking it 1.9.2 only.

Crash on 1.9.2: bp-ca776bc8-29a2-49a1-9fbc-ae90c2100817
I wonder if this problem can also be reached via Flash, as in this hang stack that looks like:
http://crash-stats.mozilla.com/report/index/21a1c003-db6d-412a-965f-daab42100805

The signature also occurs in the wild at low volume when people hit facebook, youtube and orkut on 3.0.x, 3.5.x, and 3.6.x:

20100704-crashdata.csv: FindFeature(otlLangSysTable const&, otlFeatureListTable const&, long, unsigned char const*) 3.0.19 http://www.youtube.com/my_subscriptions?pi=0&ps=20&sf=added&sa=0&dm=2&s=eg7_LYwokUk&as=1 http://crash-stats.mozilla.com/report/index/17ac8e8d-e2d7-4d03-b783-f26cf2100704
20100713-crashdata.csv: FindFeature(otlLangSysTable const&, otlFeatureListTable const&, long, unsigned char const*) 3.5.10 about:blank http://crash-stats.mozilla.com/report/index/be3e6f11-f88d-485b-b035-3de892100713
20100719-crashdata.csv: FindFeature(otlLangSysTable const&, otlFeatureListTable const&, long, unsigned char const*) 3.6.6 http://www.facebook.com/ http://crash-stats.mozilla.com/report/index/e17f95ad-e74c-4c69-a19d-2978e2100719
Changing from sg:vector to sg:critical. It may be a crash in Windows, but we're the ones downloading random fonts from the web and need to work around this. One idea is to incorporate Chromium's OTS font sanitizer.
Whiteboard: [sg:vector-critical?] → [sg:critical? vector Windows]
Depends on: CVE-2010-3768
Whiteboard: [sg:critical? vector Windows] → [sg:critical? vector Windows][waiting for bug 527276]
Whiteboard: [sg:critical? vector Windows][waiting for bug 527276] → [sg:vector-critical (Windows)][waiting for bug 527276]
Assignee: nobody → jdaggett
Checked that the sanitizer blocks the "bad" font here - resolving this as fixed.

(In reply to comment #0)
> I couldn't get Minefield to crash using the
> same testcase, so I'm marking it 1.9.2 only:

This is likely because Minefield was using the harfbuzz back-end rather than Uniscribe, so it didn't hit the same fragile codepath.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [sg:vector-critical (Windows)][waiting for bug 527276] → [sg:vector-critical (Windows)]
Attachment #495177 - Attachment description: Bug Bounty Nomination [paid] → Bug Bounty Awarded [paid]
Group: core-security
Flags: sec-bounty+
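The sanitizer approach the fix relies on, as an added example that is not Mozilla's or OTS's code: bounds checks on the two OpenType layout tables named in the crash signature, a LangSys table and the FeatureList it indexes into, so that a malformed font is rejected before it ever reaches the system text engine. The table layouts follow the OpenType spec; the sample bytes are constructed, and whether the attached fuzzed font failed exactly these checks is not stated in the bug.

```python
import struct

def feature_count(feature_list: bytes) -> int:
    """Parse a FeatureList header and check its record array is in bounds."""
    if len(feature_list) < 2:
        raise ValueError("FeatureList: truncated header")
    (count,) = struct.unpack_from(">H", feature_list, 0)
    # each FeatureRecord is a 4-byte tag plus a uint16 offset
    if 2 + count * 6 > len(feature_list):
        raise ValueError("FeatureList: %d records do not fit" % count)
    return count

def lang_sys_feature_indices(lang_sys: bytes, n_features: int) -> list:
    """Validate a LangSys table against the FeatureList size; return indices."""
    if len(lang_sys) < 6:
        raise ValueError("LangSys: truncated header")
    lookup_order, required, count = struct.unpack_from(">HHH", lang_sys, 0)
    if lookup_order != 0:  # reserved field, must be NULL per spec
        raise ValueError("LangSys: lookupOrder must be 0")
    if required != 0xFFFF and required >= n_features:
        raise ValueError("LangSys: requiredFeatureIndex out of range")
    if 6 + count * 2 > len(lang_sys):
        raise ValueError("LangSys: featureIndices array truncated")
    indices = list(struct.unpack_from(">%dH" % count, lang_sys, 6))
    bad = [i for i in indices if i >= n_features]
    if bad:
        raise ValueError("LangSys: feature index out of range: %r" % bad)
    return indices

def accept_font_layout(feature_list: bytes, lang_sys: bytes) -> bool:
    """Sanitizer decision: True only if both tables pass every check."""
    try:
        lang_sys_feature_indices(lang_sys, feature_count(feature_list))
    except ValueError as err:
        print("rejected:", err)
        return False
    return True

# Constructed sample tables (not taken from the attached testcase).
GOOD_FEATURES = struct.pack(">H", 2) + b"liga" + struct.pack(">H", 0) + b"kern" + struct.pack(">H", 0)
GOOD_LANGSYS = struct.pack(">HHH", 0, 0xFFFF, 2) + struct.pack(">HH", 0, 1)
# malformed variants: an index far past featureCount, and a count larger than the data
BAD_INDEX_LANGSYS = struct.pack(">HHH", 0, 0xFFFF, 2) + struct.pack(">HH", 0, 0x7FFF)
TRUNCATED_LANGSYS = struct.pack(">HHH", 0, 0xFFFF, 200) + struct.pack(">H", 0)

if __name__ == "__main__":
    for name, ls in [("good", GOOD_LANGSYS), ("bad index", BAD_INDEX_LANGSYS), ("truncated", TRUNCATED_LANGSYS)]:
        print(name, "->", "accepted" if accept_font_layout(GOOD_FEATURES, ls) else "rejected")
```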