Closed Bug 1252943 Opened 8 years ago Closed 8 years ago

graphite2: UBSan null pointer passed as argument 1, which is declared to never be null [@graphite2::Pass::readStates]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
firefox45 --- disabled
firefox46 --- fixed
firefox47 --- fixed
firefox48 --- fixed
firefox-esr38 46+ disabled
firefox-esr45 46+ disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-nullptr, sec-audit, testcase, Whiteboard: [gfx-noted])

Attachments

(1 file)

55.95 KB, application/x-font-ttf
Details
Attached file test_case.ttf
This was found while fuzzing graphite2 latest revision (bc5409c573aa9ecccacd18cf713021272998cd35)

This issue was uncovered using Undefined Behavior Sanitizer (UBSan). More information can be found here: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html.

This is not a sec issue however I am hiding this bug because of the large number of bugs that have been found and I would like to avoid any unwanted attention until things calm down.

To reproduce:
Build with UBSan enabled.
run: ./gr2fonttest test_case.ttf -auto

/home/user/code/graphite/src/Pass.cpp:359:15: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/stdlib.h:766:30: note: nonnull attribute specified here
    #0 0x7f76d0a596aa in graphite2::Pass::readStates(unsigned char const*, unsigned char const*, unsigned char const*, graphite2::Face&, graphite2::Error&) /home/user/code/graphite/src/Pass.cpp:359:9
    #1 0x7f76d0a4a2db in graphite2::Pass::readPass(unsigned char const*, unsigned long, unsigned long, graphite2::Face&, graphite2::passtype, unsigned int, graphite2::Error&) /home/user/code/graphite/src/Pass.cpp:208:25
    #2 0x7f76d0abfb33 in graphite2::Silf::readGraphite(unsigned char const*, unsigned long, graphite2::Face&, unsigned int) /home/user/code/graphite/src/Silf.cpp:216:14
    #3 0x7f76d09c1831 in graphite2::Face::readGraphite(graphite2::Face::Table const&) /home/user/code/graphite/src/Face.cpp:149:14
    #4 0x7f76d08d7bdb in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) /home/user/code/graphite/src/gr_face.cpp:59:42
    #5 0x7f76d08d7339 in gr_make_face_with_ops /home/user/code/graphite/src/gr_face.cpp:89:16
    #6 0x7f76d08dafc3 in gr_make_file_face /home/user/code/graphite/src/gr_face.cpp:242:23
    #7 0x4f5f9d in Parameters::testFileFont() const /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:633:20
    #8 0x4fd33b in main /home/user/code/graphite/gr2fonttest/gr2FontTest.cpp:787:9
    #9 0x7f76d0430ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #10 0x41b985 in _start (/home/user/Desktop/graphite/gr2fonttest+0x41b985)
Blocks: 1252951
Blocks: 1252952
fixed? in or before 3d80c6b69fd647fdb134987e2e87ea830e93e3a4. Probably the same as some other bug.
Oops fixed the UBSan aspect. Fixed? in e7deaf90c9c8ca30116340419313af527fe90d78
Whiteboard: [gfx-noted]
Depends on: 1255158
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated on all affected branches including ESRs.
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.