Bug 1272170 (Closed): opened 8 years ago, closed 7 years ago

freetype2: UBSan: null pointer passed as argument 2, which is declared to never be null [@cff_index_get_name] in cffload.c:605

Categories: Core :: Graphics: Text, defect


Tracking

RESOLVED FIXED
mozilla53
Tracking Status
firefox51 --- wontfix
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase, Whiteboard: gfx-noted)

Attachments (1 file): test_case.ttf (1.52 KB, application/x-font-ttf)

Attached file test_case.ttf
Found while fuzzing freetype2 commit cdc8f4d9330b0e402fbc22e22c13c30656d1c3cd (>2.6.3)

To reproduce, run the attached test case with ftrandom built with Undefined Behavior Sanitizer.

/home/user/code/freetype2/src/cff/cffload.c:605:7: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:47:28: note: nonnull attribute specified here
    #0 0x6592b7 in cff_index_get_name /home/user/code/freetype2/src/cff/cffload.c:605:7
    #1 0x608581 in cff_font_load /home/user/code/freetype2/src/cff/cffload.c:1665:23
    #2 0x608581 in cff_face_init /home/user/code/freetype2/src/cff/cffobjs.c:582
    #3 0x5025bf in open_face /home/user/code/freetype2/src/base/ftobjs.c:1177:15
    #4 0x4ff659 in FT_Open_Face /home/user/code/freetype2/src/base/ftobjs.c:2177:19
    #5 0x4fed0e in FT_New_Face /home/user/code/freetype2/src/base/ftobjs.c:1240:12
    #6 0x4e38b7 in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:139:10
    #7 0x4e38b7 in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
    #8 0x7fdebd94fec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #9 0x41dfa5 in _start (/home/ubuntu/build/build/ftrandom+0x41dfa5)
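The defect class behind this report, as an added illustration written for this page rather than FreeType's own code: `index_element`, `copy_name_unguarded` and `copy_name_guarded` are constructed stand-ins for how a CFF INDEX element's bytes reach the copy in cff_index_get_name, assuming the flagged string.h call is memcpy with the element bytes as its source (argument 2). An empty element legitimately arrives as a NULL pointer with length 0, and handing that pair to memcpy violates its nonnull declaration even though nothing would be copied; the guarded form skips the copy when there are no bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one CFF INDEX element as an accessor returns it:
   pointer into the font data plus length. An empty element is (NULL, 0). */
typedef struct { const unsigned char *bytes; size_t len; } index_element;

/* Before: the shape the sanitizer flagged. glibc declares memcpy's pointer
   parameters nonnull, so a NULL source is undefined even when len == 0. */
char *copy_name_unguarded(index_element el)
{
    char *name = malloc(el.len + 1);
    if (!name) return NULL;
    memcpy(name, el.bytes, el.len); /* UB when el.bytes is NULL */
    name[el.len] = '\0';
    return name;
}

/* After: copy only when there are bytes to copy; an empty element yields
   "" without memcpy ever seeing a NULL pointer. */
char *copy_name_guarded(index_element el)
{
    char *name = malloc(el.len + 1);
    if (!name) return NULL;
    if (el.len > 0 && el.bytes != NULL)
        memcpy(name, el.bytes, el.len);
    name[el.len] = '\0';
    return name;
}

/* Returns 1 when the guarded copy of (bytes, len) equals `expected`. */
int guarded_copy_equals(const unsigned char *bytes, size_t len,
                        const char *expected)
{
    index_element el = { bytes, len };
    char *name = copy_name_guarded(el);
    int ok = name != NULL && strcmp(name, expected) == 0;
    free(name);
    return ok;
}

int main(void)
{
    /* constructed inputs: a three-byte name and an empty element */
    printf("%d %d\n", guarded_copy_equals((const unsigned char *)"Foo", 3, "Foo"),
           guarded_copy_equals(NULL, 0, ""));
    return 0;
}
```

Building with `-fsanitize=undefined` and feeding the (NULL, 0) element to the unguarded variant reproduces the same "null pointer passed as argument 2" diagnostic; the guarded variant runs clean on both inputs.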
Whiteboard: gfx-noted
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 1176531
Resolution: --- → FIXED
Target Milestone: --- → mozilla53