WebKit Bugzilla
Bug 18352: crash loading malicious font
RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=18352
John Daggett, Reported 2008-04-07 22:42:56 PDT
Wrote a simple testcase that uses the malicious font described here:
http://cg.scs.carleton.ca/~luc/opentypecrash.html
Running with Safari 3.1 latest, the page *sometimes* crashes, other times it just displays Last Resort glyphs for the text assigned the style that uses the bad font. Doesn't seem to occur with WebKit latest builds, although I'm guessing that's more luck than anything else.
Attachments
testcase, uses malicious downloadable font (818 bytes, text/html), 2008-04-07 22:43 PDT, John Daggett
crash reporter output when crash does occur (24.70 KB, text/plain), 2008-04-07 22:45 PDT, John Daggett
John Daggett, Comment 1, 2008-04-07 22:43:48 PDT
Created attachment 20393: testcase, uses malicious downloadable font
John Daggett, Comment 2, 2008-04-07 22:45:25 PDT
Created attachment 20394: crash reporter output when crash does occur
John Daggett, Comment 3, 2008-04-07 22:55:25 PDT
Doesn't crash with Safari 3.1 525.13 Windows
mitz, Comment 4, 2008-04-09 00:20:08 PDT
Can’t reproduce on Leopard, but the crash report is from Tiger.
mitz, Comment 5, 2008-04-09 22:49:57 PDT
Confirmed on Mac OS X 10.4.11. Seems like ATS refuses to actually activate the font, but WebCore may not be handling this well.
mitz, Comment 6, 2008-04-09 22:50:31 PDT
<rdar://problem/5854517>
John Daggett, Comment 7, 2008-04-10 00:09:02 PDT
Note that the font has bad glyph data; the bug is caused by the specific charstring used for the 'o' glyph. So my guess is that ATS will probably activate the font but will run into problems when attempting to measure and/or rasterize the actual glyphs. My guess is that ATSUI code is not properly handling some ATS-related error and accessing random memory, hence the error.
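The report does not say what is malformed about the 'o' charstring, so as an added example (not code from this bug, WebKit or ATS) here is a minimal Type 2 charstring validator that enforces the limits a robust glyph interpreter must check before executing glyph data: argument-stack depth, subroutine nesting depth, subroutine index range and operand truncation. The limits and subroutine bias values are those of the Type 2 charstring spec; the inputs mentioned in the usage note are constructed.

```python
# Added example (not WebKit or ATS code): a minimal Type 2 charstring validator
# enforcing spec limits on stack depth (48), subr nesting (10), subr index range
# and operand length. Hintmask data bytes are not modelled (input assumed hint-free).

def read_operand(cs, i):
    # Decode one operand at cs[i]; return (value, index of next byte).
    b0 = cs[i]
    if b0 == 28:
        return int.from_bytes(cs[i + 1:i + 3], "big", signed=True), i + 3
    if b0 == 255:   # 16.16 fixed-point
        return int.from_bytes(cs[i + 1:i + 5], "big", signed=True) / 65536, i + 5
    if 32 <= b0 <= 246:
        return b0 - 139, i + 1
    if 247 <= b0 <= 250:
        return (b0 - 247) * 256 + cs[i + 1] + 108, i + 2
    return -(b0 - 251) * 256 - cs[i + 1] - 108, i + 2   # 251..254

def validate_charstring(cs, local_subrs=(), global_subrs=(), depth=0, stack=None):
    # Return None if cs obeys the limits, else a string naming the violation.
    stack = [] if stack is None else stack
    if depth > 10:
        return "subroutine nesting exceeds 10"
    i = 0
    while i < len(cs):
        b0 = cs[i]
        if b0 >= 32 or b0 == 28:                # operand
            if len(cs) - i < (3 if b0 == 28 else 5 if b0 == 255 else 2 if b0 >= 247 else 1):
                return "truncated operand at offset %d" % i
            val, i = read_operand(cs, i)
            stack.append(val)
            if len(stack) > 48:
                return "argument stack exceeds 48 entries"
        elif b0 in (10, 29):                    # callsubr / callgsubr
            subrs = local_subrs if b0 == 10 else global_subrs
            if not stack:
                return "subroutine call with empty stack"
            idx = int(stack.pop()) + (107 if len(subrs) < 1240 else 1131 if len(subrs) < 33900 else 32768)
            if not 0 <= idx < len(subrs):
                return "subroutine index %d out of range" % idx
            err = validate_charstring(subrs[idx], local_subrs, global_subrs, depth + 1, stack)
            if err:
                return err
            i += 1
        elif b0 in (11, 14):                    # return / endchar
            return None
        else:                                   # drawing, hint or escape operator
            i += 2 if b0 == 12 else 1           # escape carries a second opcode byte
            stack.clear()
    return None
```

On the constructed glyph `bytes([189, 199, 21, 144, 10, 14])` (rmoveto 50 60, then a call to local subr 5 in a font with no local subrs) `validate_charstring` returns `'subroutine index 112 out of range'`, while a subr that calls itself is reported as exceeding the nesting limit instead of recursing without bound.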
mitz, Comment 8, 2008-05-21 14:51:52 PDT
Fixed in <http://trac.webkit.org/changeset/33977>.