- From: Sergey Malkin <sergeym@microsoft.com>
- Date: Tue, 27 Apr 2010 17:14:11 +0000
- To: John Daggett <jdaggett@mozilla.com>
- CC: "www-font@w3.org" <www-font@w3.org>, Chris Lilley <chris@w3.org>, "Thomas Phinney" <tphinney@cal.berkeley.edu>
John Daggett says: > Unfortunately, if obscure bugs in Uniscribe rendering can be utilized > for exploits, browser vendors will do whatever is necessary to avoid > that code path, even if it means less than ideal font functionality. You can say the same about any API from Windows or some other OS. It is developer's choice to use or not use particular functionality, of course. Microsoft products (and Mozilla's too) use Uniscribe all the time with embedded fonts. My question was exactly whether presence of already fixed security bugs justify unconditional crippling of very important functionality. > The problem here is that Uniscribe is a black box and my understanding > is that the Chrome team did some fuzzing of those API's and found > enough issues to be concerned (fixes for the bugs they found were > patched in Windows updates last fall and earlier this year I believe). I do not remember Uniscribe security fixes made last year. But I do not work on Uniscribe team anymore, so may've missed something. Did Chrome team report these issues to us? Thanks, Sergey
Received on Tuesday, 27 April 2010 17:14:47 UTC