Closed Bug 1272170 Opened 8 years ago Closed 8 years ago

freetype2: UBSan: null pointer passed as argument 2, which is declared to never be null [@cff_index_get_name] in cffload.c:605

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla53

Tracking Flags:

Tracking

Status

firefox51

---

wontfix

firefox52

---

fixed

firefox53

---

fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase, Whiteboard: gfx-noted)

Attachments

(1 file)

test_case.ttf 8 years ago Tyson Smith [:tsmith] 1.52 KB, application/x-font-ttf		Details

Tyson Smith [:tsmith]

Reporter

Description

•

8 years ago

Attached file test_case.ttf — Details

Found while fuzzing freetype2 commit cdc8f4d9330b0e402fbc22e22c13c30656d1c3cd(>2.6.3) To reproduce run the attached test case with ftrandom built with Undefined Behavior Sanitizer. /home/user/code/freetype2/src/cff/cffload.c:605:7: runtime error: null pointer passed as argument 2, which is declared to never be null /usr/include/string.h:47:28: note: nonnull attribute specified here #0 0x6592b7 in cff_index_get_name /home/user/code/freetype2/src/cff/cffload.c:605:7 #1 0x608581 in cff_font_load /home/user/code/freetype2/src/cff/cffload.c:1665:23 #2 0x608581 in cff_face_init /home/user/code/freetype2/src/cff/cffobjs.c:582 #3 0x5025bf in open_face /home/user/code/freetype2/src/base/ftobjs.c:1177:15 #4 0x4ff659 in FT_Open_Face /home/user/code/freetype2/src/base/ftobjs.c:2177:19 #5 0x4fed0e in FT_New_Face /home/user/code/freetype2/src/base/ftobjs.c:1240:12 #6 0x4e38b7 in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:139:10 #7 0x4e38b7 in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166 #8 0x7fdebd94fec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #9 0x41dfa5 in _start (/home/ubuntu/build/build/ftrandom+0x41dfa5)

Mason Chang [Inactive] [:mchang]

Updated

•

8 years ago

Whiteboard: gfx-noted

Tyson Smith [:tsmith]

Reporter

Comment 1

•

8 years ago

Logged as https://savannah.nongnu.org/bugs/index.php?48984

Tyson Smith [:tsmith]

Reporter

Comment 2

•

8 years ago

Fixed upstream: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f0fa7a67bfc334775b030d95cac763eeb7247436 Planned release: 2.7.0

Tyson Smith [:tsmith]

Reporter

Updated

•

8 years ago

Status: NEW → RESOLVED

Closed: 8 years ago

Depends on: 1176531

Resolution: --- → FIXED

Ryan VanderMeulen [:RyanVM]

Updated

•

8 years ago

status-firefox51: --- → wontfix

status-firefox52: --- → affected

status-firefox53: --- → fixed

Target Milestone: --- → mozilla53

Ryan VanderMeulen [:RyanVM]

Updated

•

8 years ago

status-firefox52: affected → fixed

You need to log in before you can comment on or make changes to this bug.

Bugzilla

freetype2: UBSan: null pointer passed as argument 2, which is declared to never be null [@cff_index_get_name] in cffload.c:605

Categories

(Core :: Graphics: Text, defect)

Tracking

()

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase, Whiteboard: gfx-noted)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type