1243832 - graphite2: crash around null in [@graphite2::Slot::setGlyph]

Status: RESOLVED FIXED

Description

[Tyson Smith [:tsmith]]

Created attachment 8713280 [details]
test_case.ttf

This was found while fuzzing graphite2 1.3.4

Not sure if this is a security issue please indicate if it should be opened.

==41091==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f3a575dc5c5 bp 0x7ffd5f7de600 sp 0x7ffd5f7de5b0 T0)
    #0 0x7f3a575dc5c4 in graphite2::Slot::setGlyph(graphite2::Segment*, unsigned short, graphite2::GlyphFace const*) /home/user/code/graphite/src/Slot.cpp:449:15
    #1 0x7f3a57556f1d in (anonymous namespace)::direct_run(bool, void* const*, unsigned char const*, int*, graphite2::Slot**&, unsigned char, graphite2::SlotMap*) /home/user/code/graphite/src/inc/opcodes.h:599:9
    #2 0x7f3a575585a3 in graphite2::vm::Machine::run(void* const*, unsigned char const*, graphite2::Slot**&) /home/user/code/graphite/src/direct_machine.cpp:114:17
    #3 0x7f3a57571b17 in graphite2::vm::Machine::Code::run(graphite2::vm::Machine&, graphite2::Slot**&) const /home/user/code/graphite/src/Code.cpp:731:13
    #4 0x7f3a575b7c9f in graphite2::Pass::doAction(graphite2::vm::Machine::Code const*, graphite2::Slot*&, graphite2::vm::Machine&) const /home/user/code/graphite/src/Pass.cpp:665:17
    #5 0x7f3a575b7c9f in graphite2::Pass::findNDoRule(graphite2::Slot*&, graphite2::vm::Machine&, graphite2::FiniteStateMachine&) const /home/user/code/graphite/src/Pass.cpp:535
    #6 0x7f3a575b6296 in graphite2::Pass::runGraphite(graphite2::vm::Machine&, graphite2::FiniteStateMachine&, bool) const /home/user/code/graphite/src/Pass.cpp:410:13
    #7 0x7f3a575d1c4a in graphite2::Silf::runGraphite(graphite2::Segment*, unsigned char, unsigned char, int) const /home/user/code/graphite/src/Silf.cpp:423:21
    #8 0x7f3a5759035b in graphite2::Face::runGraphite(graphite2::Segment*, graphite2::Silf const*) const /home/user/code/graphite/src/Face.cpp:180:16
    #9 0x7f3a5755fccd in graphite2::Segment::runGraphite() /home/user/code/graphite/src/inc/Segment.h:97:45
    #10 0x7f3a5755fccd in (anonymous namespace)::makeAndInitialize(graphite2::Font const*, graphite2::Face const*, unsigned int, graphite2::FeatureVal const*, gr_encform, void const*, unsigned long, int) /home/user/code/graphite/src/gr_segment.cpp:46
    #11 0x7f3a5755fccd in gr_make_seg /home/user/code/graphite/src/gr_segment.cpp:105
    #12 0x4e76e3 in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:680:20
    #13 0x4e8845 in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:782:9
    #14 0x7f3a571a4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #15 0x41a545 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41a545)

Comment 1

[Tyson Smith [:tsmith]]

Created attachment 8713694 [details]
gr2_test_string.txt

Comment 2

[martin_hosken]

fixed upstream

Comment 3

[Tyson Smith [:tsmith]]

This issue is reproducible in latest revision (df41ce06dda5962b9ff1c8c3175af00005d5fc0f)

Comment 4

[martin_hosken]

OK Identified the test string that makes this fail. Fixed? upstream in aed0effc27edfb9da441dce3c77f5a1a3fd9f7db. Previously had assumed it was picked up by another fix because the particular test string wasn't failing. Sorry about that.

Comment 5

[Tyson Smith [:tsmith]]

No problem, thanks for the fix Martin.

Verified with revision aed0effc27edfb9da441dce3c77f5a1a3fd9f7db

Comment 6

[Luna Jernberg]

http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
glad its fixed :)

Comment 7

[martin_hosken]

Well security researchers have to blow their own trumpets even if it means finding bugs in old code! Graphite is such a joy to fuzz!