| Field | Value |
|---|---|
| Summary | crash loading malicious font |
| Product | WebKit |
| Component | Layout and Rendering |
| Status | RESOLVED FIXED |
| Severity | Major |
| Priority | P2 |
| Version | 525.x (Safari 3.1) |
| Hardware | Mac |
| OS | OS X 10.4 |
| Reporter | John Daggett <jdaggett> |
| Assignee | mitz |
| CC | ap, gavin.sharp, mitz |
| Keywords | InRadar |
| Attachments | 20393 (testcase, uses malicious downloadable font); 20394 (crash reporter output when crash does occur) |
Description
John Daggett
2008-04-07 22:42:56 PDT
Created attachment 20393 [details]
testcase, uses malicious downloadable font
Created attachment 20394 [details]
crash reporter output when crash does occur
Doesn't crash with Safari 3.1 525.13 on Windows.

Can't reproduce on Leopard, but the crash report is from Tiger.

Confirmed on Mac OS X 10.4.11. Seems like ATS refuses to actually activate the font, but WebCore may not be handling this well.

Note that the font has bad glyph data; the bug is caused by the specific charstring used for the 'o' glyph. So my guess is that ATS will probably activate the font but will run into problems when attempting to measure and/or rasterize the actual glyphs.

My guess is that ATSUI code is not properly handling some ATS-related error and accessing random memory, hence the error.

Fixed in <http://trac.webkit.org/changeset/33977>.
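The failure mode the comments guess at (a glyph-measurement call fails on bad charstring data, the error status is ignored, and whatever sits in the output buffer is consumed) can be shown in isolation. The following is an added example written for this page, not WebKit, ATS or ATSUI code: `measure_glyph`, its toy charstring format, the `glyph_metrics` struct and the constructed `kGlyphA`/`kGlyphO` byte strings are all hypothetical. `advance_unchecked` discards the status and reads a shared metrics buffer regardless, so the malformed glyph reports the previous glyph's width; `advance_checked` tests the status and refuses to use the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical OSStatus-style return codes (not the real ATS values). */
typedef int32_t status_t;
enum { kNoErr = 0, kBadGlyphData = -1 };

typedef struct {
    int advance;   /* horizontal advance in font units */
    int valid;     /* set only when measurement succeeded */
} glyph_metrics;

/* Toy charstring format, constructed for this example (it is not CFF):
 *   0x01..0x7f  add that many units to the advance
 *   0xff        end of glyph
 *   anything else is malformed and rejected, standing in for the bad
 *   charstring of the 'o' glyph in the bug report. */
static status_t measure_glyph(const uint8_t *cs, size_t len, glyph_metrics *out)
{
    int adv = 0;
    for (size_t i = 0; i < len; i++) {
        if (cs[i] == 0xff) {
            out->advance = adv;
            out->valid = 1;
            return kNoErr;
        }
        if (cs[i] == 0x00 || cs[i] > 0x7f)
            return kBadGlyphData;      /* *out deliberately left untouched */
        adv += cs[i];
    }
    return kBadGlyphData;              /* ran off the end without a terminator */
}

/* Shared metrics buffer, reused across glyphs like a per-run cache.
 * With a fresh stack buffer the unchecked caller would read uninitialised
 * memory; with a shared one it reads the previous glyph's data. */
static glyph_metrics scratch;

/* Vulnerable pattern: status discarded, buffer trusted whatever it holds. */
int advance_unchecked(const uint8_t *cs, size_t len)
{
    (void)measure_glyph(cs, len, &scratch);
    return scratch.advance;
}

/* Hardened pattern: check the status, never consume an output the callee
 * did not fill in. Returns -1 so the caller can fall back (e.g. to .notdef). */
int advance_checked(const uint8_t *cs, size_t len)
{
    glyph_metrics m = {0, 0};
    if (measure_glyph(cs, len, &m) != kNoErr || !m.valid)
        return -1;
    return m.advance;
}

/* Constructed charstrings: a well-formed 'a' and a malformed 'o'. */
static const uint8_t kGlyphA[] = {0x02, 0x03, 0xff};        /* advance 5 */
static const uint8_t kGlyphO[] = {0x04, 0x9c, 0x01, 0xff};  /* 0x9c is invalid */

int main(void)
{
    printf("a: checked=%d\n", advance_checked(kGlyphA, sizeof kGlyphA));
    advance_unchecked(kGlyphA, sizeof kGlyphA);   /* primes the shared buffer */
    printf("o: unchecked=%d (stale width of 'a'), checked=%d (error)\n",
           advance_unchecked(kGlyphO, sizeof kGlyphO),
           advance_checked(kGlyphO, sizeof kGlyphO));
    return 0;
}
```

The stale-width outcome is the benign variant; when the ignored output is a pointer or a buffer length rather than an integer, the same pattern becomes the wild memory access the report describes, which is why the status of every measurement and rasterisation call has to be checked before its outputs are touched.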