Bug 18352 - crash loading malicious font
Summary: crash loading malicious font
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 525.x (Safari 3.1)
Hardware: Macintosh OS X 10.4
: P2 Major
Assignee: mitz
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-04-07 22:42 PDT by John Daggett
Modified: 2008-05-21 14:51 PDT (History)
3 users (show)

See Also:


Attachments
testcase, uses malicious downloadable font (818 bytes, text/html)
2008-04-07 22:43 PDT, John Daggett
no flags Details
crash reporter output when crash does occur (24.70 KB, text/plain)
2008-04-07 22:45 PDT, John Daggett
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description John Daggett 2008-04-07 22:42:56 PDT
Wrote a simple testcase that uses the malicious font described here:

http://cg.scs.carleton.ca/~luc/opentypecrash.html

Running with Safari 3.1 latest, the page *sometimes* crashes, other times it just displays Last Resort glyphs for the text assigned the style that uses the bad font.  Doesn't seem to occur with WebKit latest builds, although I'm guessing that's more luck than anything else.
Comment 1 John Daggett 2008-04-07 22:43:48 PDT
Created attachment 20393 [details]
testcase, uses malicious downloadable font
Comment 2 John Daggett 2008-04-07 22:45:25 PDT
Created attachment 20394 [details]
crash reporter output when crash does occur
Comment 3 John Daggett 2008-04-07 22:55:25 PDT
Doesn't crash with Safari 3.1 525.13 Windows
Comment 4 mitz 2008-04-09 00:20:08 PDT
Can’t reproduce on Leopard, but the crash report is from Tiger.
Comment 5 mitz 2008-04-09 22:49:57 PDT
Confirmed on Mac OS X 10.4.11. Seems like ATS refuses to actually activate the font, but WebCore may not be handling this well.
Comment 6 mitz 2008-04-09 22:50:31 PDT
<rdar://problem/5854517>
Comment 7 John Daggett 2008-04-10 00:09:02 PDT
Note that the font has bad glyph data, the bug is caused by the specific charstring used for the 'o' glyph.  So my guess is that ATS will probably activate the font but will run into problems when attempting to measure and/or rasterize the actual glyphs.  My guess is that ATSUI code is not properly handling some ATS-related error and accessing random memory, hence the error.
Comment 8 mitz 2008-05-21 14:51:52 PDT
Fixed in <http://trac.webkit.org/changeset/33977>.