Bug 512684

Summary: OpenJDK Font processing DoS vulnerability
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Version: unspecified
CC: aph, dbhole, patrickm, rruss, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-08-21 22:51:57 UTC

Description Marc Schoenefeld 2009-07-20 11:40:00 UTC
A set of crash vulnerabilities in the OpenJDK font processing routines
has been detected. They crash the VM on F10 and F11; EL5 packages did not crash.

To start the reproducer use: 

java FontFuzzRandom /usr/share/fonts/lohit-oriya/lohit_or.ttf


#
# A fatal error has been detected by the Java Runtime Environment:
#
#  Internal Error (nmethod.cpp:1851), pid=16913, tid=20683664
#  Error: guarantee(cont_offset != 0,"unhandled implicit exception in compiled code")
#

or 

#  SIGSEGV (0xb) at pc=0x00f89a4d, pid=21610, tid=85552016
#
# JRE version: 6.0-b16
# Java VM: OpenJDK Client VM (14.0-b15 mixed mode linux-x86 )
# Distribution: Custom build (Thu Jul  9 14:26:35 EDT 2009)
# Problematic frame:
# J  java.lang.StringCoding$StringEncoder.encode([CII)[B


As font data can be supplied via untrusted client code, 
the parsing methods should be checked for proper behavior.
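A defensive counterpart to the report above, added here as an example and not code from the bug, the reporter or OpenJDK: the bounds check over a TrueType/OpenType table directory that any font engine handed untrusted data has to perform before dereferencing a table. It runs on constructed sfnt blobs rather than a real font; check_sfnt_directory and build_sfnt are names introduced here.

```python
import struct

SFNT_HEADER = struct.Struct(">IHHHH")    # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")   # tag, checkSum, offset, length
VALID_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}  # 1.0, 'true', 'OTTO'

def check_sfnt_directory(data: bytes) -> list:
    """Return the list of structural problems in an sfnt table directory (empty = sane).
    Every offset and length is validated against len(data) before any table is touched,
    which is the class of check a parser fed untrusted font data must perform."""
    problems = []
    if len(data) < SFNT_HEADER.size:
        return ["file shorter than sfnt header"]
    version, num_tables, _sr, _es, _rs = SFNT_HEADER.unpack_from(data, 0)
    if version not in VALID_VERSIONS:
        problems.append(f"unknown sfntVersion 0x{version:08x}")
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        problems.append(f"numTables={num_tables} directory runs past EOF")
        return problems  # the records themselves cannot be read, stop here
    spans = []
    for i in range(num_tables):
        tag, _cs, off, length = TABLE_RECORD.unpack_from(data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        name = tag.decode("latin-1")
        # Python ints do not wrap, so offset + length cannot overflow back inside the
        # file the way a naive 32-bit addition in native code would.
        if off < dir_end or off + length > len(data):
            problems.append(f"table {name!r}: offset {off} length {length} outside {len(data)}-byte file")
            continue
        spans.append((off, off + length, name))
    spans.sort()
    for (a_start, a_end, a_name), (b_start, _b_end, b_name) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append(f"tables {a_name!r} and {b_name!r} overlap")
    return problems

def build_sfnt(records, total_size: int) -> bytes:
    """Constructed test helper (not a real font): header plus the given (tag, offset, length)
    records, zero-padded to total_size. Values are written verbatim so malformed
    directories can be built on purpose."""
    header = SFNT_HEADER.pack(0x00010000, len(records), 0, 0, 0)
    directory = b"".join(TABLE_RECORD.pack(tag, 0, off, ln) for tag, off, ln in records)
    return (header + directory).ljust(total_size, b"\0")

if __name__ == "__main__":
    sane = build_sfnt([(b"head", 44, 54), (b"maxp", 98, 32)], 130)
    overrun = build_sfnt([(b"glyf", 44, 0xFFFFFFF0)], 130)
    print("sane:", check_sfnt_directory(sane))        # []
    print("overrun:", check_sfnt_directory(overrun))  # one "outside ... file" problem
```

The same check applied to a real font file (read as bytes) reports which table record, if any, points outside the file or overlaps another before the bytes reach the JDK font engine.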