Closed Bug 599061 Opened 14 years ago Closed 14 years ago

Investigate CoreGraphics crash from fuzzed font and font effects

Categories

(Core :: Graphics, defect)

1.9.2 Branch
x86
macOS
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- needed
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: bsterne, Assigned: jfkthame)

References

Details

(Whiteboard: [sg:vector-critical?])

Attachments

(1 file)

Attached file: Testcase and supporting files (deleted)
Marc Schoenefeld reported the following to security@m.o:

------

Hi,

recently stumbled over this crash on ffx 3.6.10/OSX. It is exploitable according to crashwrangler, with an invalid write in CoreGraphics. Please keep me in the loop about the fix.

Thanks

Marc

Faulty glyph (id:84) outline detected - replacing with a space/null glyph - in memory font kind
Faulty glyph (id:84) outline detected - replacing with a space/null glyph - in memory font kind
Faulty glyph (id:84) outline detected - replacing with a space/null glyph - in memory font kind
firefox-bin(62711,0xa033d500) malloc: *** mmap(size=192512) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug

Crashed thread log =
0 com.apple.CoreGraphics 0x93e033c2 CGSScanConvolveAndIntegrateRGB + 306
1 com.apple.CoreGraphics 0x93d1c596 CGSScanconverterRenderMask + 2415
2 com.apple.CoreGraphics 0x93c7e375 create_bitmap + 331
3 com.apple.CoreGraphics 0x93c7e816 CGFontCreateGlyphBitmap32 + 880
4 com.apple.CoreGraphics 0x93b57d89 create_missing_bitmaps + 363
5 com.apple.CoreGraphics 0x93b10ae7 CGGlyphLockLockGlyphBitmaps + 444
6 libRIP.A.dylib 0x9023a52b ripc_RenderGlyphs + 236
7 libRIP.A.dylib 0x90239f6f ripc_DrawGlyphs + 1501
8 com.apple.CoreGraphics 0x93b0ec92 draw_glyphs + 1508
9 com.apple.CoreGraphics 0x93b0e5e7 CGContextShowGlyphsWithAdvances + 527
10 XUL 0x00bc8324 cmmf_decode_process_cert_response + 201829
11 XUL 0x00bba69a cmmf_decode_process_cert_response + 145371
12 XUL 0x00ba2f5f cmmf_decode_process_cert_response + 49312
13 XUL 0x00b9848d cmmf_decode_process_cert_response + 5582
14 XUL 0x00b470b0 gfxFont::Draw(gfxTextRun*, unsigned int, unsigned int, gfxContext*, int, gfxPoint*, gfxFont::Spacing*) + 2464
15 XUL 0x00b424f5 gfxTextRun::DrawGlyphs(gfxFont*, gfxContext*, int, gfxPoint*, unsigned int, unsigned int, gfxTextRun::PropertyProvider*, unsigned int, unsigned int) + 181
blocking1.9.2: --- → ?
blocking2.0: --- → ?
blocking1.9.2: ? → needed
Assignee: nobody → jdaggett
blocking2.0: ? → final+
With 10.6.5 the situation has changed, but not improved:

exception=EXC_BAD_ACCESS:signal=10:is_exploitable=yes:instruction_disassembly=addw %ax,(%edi):instruction_address=0x00000000966a735f:access_type=write:access_address=0x0000000000002db8:
Crash accessing invalid address.
Consider running it again with libgmalloc(3) to see if the log changes.
Test case was ffx

Process: firefox-bin [1226]
Path: /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier: org.mozilla.firefox
Version: 3.6.12 (3.6.12)
Code Type: X86 (Native)
Parent Process: exc_handler [1225]

Date/Time: 2010-11-13 13:24:21.713 +0100
OS Version: Mac OS X 10.6.5 (10H574)
Report Version: 6

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000002db8
Crashed Thread: 0

Thread 0 Crashed:
0 com.apple.CoreGraphics 0x966a735f CGSScanconverterRenderMask + 2108
1 com.apple.CoreGraphics 0x96609141 create_bitmap + 331
2 com.apple.CoreGraphics 0x966095e2 CGFontCreateGlyphBitmap32 + 880
3 com.apple.CoreGraphics 0x964e2a79 create_missing_bitmaps + 363
4 com.apple.CoreGraphics 0x9649b7c7 CGGlyphLockLockGlyphBitmaps + 444
I believe this is addressed by OTS in bug 527276, so it should be fixed in current trunk and 3.6.13-pre builds. Could you try to reproduce with the latest mozilla-1.9.2 build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/ and confirm whether the problem still occurs?
Assignee: jdaggett → jfkthame
Depends on: CVE-2010-3768
Checked that OTS blocks the bad font on both trunk and 1.9.2; closing this bug as Fixed.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
OTS landed on 1.9.1 as well.
Blocks: 594536
Attachment #495169 - Attachment description: Bug Bounty Nomination → Bug Bounty non-qual
Group: core-security → core-security-release
Group: core-security-release