freetype2: UBSan: null pointer passed as argument 2, which is declared to never be null [@cff_index_get_name] in cffload.c:605

RESOLVED FIXED in Firefox 52

Status: RESOLVED FIXED
Product: Core
Component: Graphics: Text
Reported: 2 years ago
Modified: a year ago

People

Reporter: tsmith
Assignee: Unassigned

Tracking

Blocks: 1 bug
Keywords: crash, csectype-nullptr, testcase
Version: unspecified
Target Milestone: mozilla53

Firefox Tracking Flags: firefox51 wontfix, firefox52 fixed, firefox53 fixed

Whiteboard: gfx-noted

Attachments: 1 attachment (1.52 KB, application/x-font-ttf)
Description (Reporter, 2 years ago)

Created attachment 8751536 [details]
test_case.ttf

Found while fuzzing freetype2 commit cdc8f4d9330b0e402fbc22e22c13c30656d1c3cd (> 2.6.3)

To reproduce, run the attached test case with ftrandom built with Undefined Behavior Sanitizer.

/home/user/code/freetype2/src/cff/cffload.c:605:7: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:47:28: note: nonnull attribute specified here
    #0 0x6592b7 in cff_index_get_name /home/user/code/freetype2/src/cff/cffload.c:605:7
    #1 0x608581 in cff_font_load /home/user/code/freetype2/src/cff/cffload.c:1665:23
    #2 0x608581 in cff_face_init /home/user/code/freetype2/src/cff/cffobjs.c:582
    #3 0x5025bf in open_face /home/user/code/freetype2/src/base/ftobjs.c:1177:15
    #4 0x4ff659 in FT_Open_Face /home/user/code/freetype2/src/base/ftobjs.c:2177:19
    #5 0x4fed0e in FT_New_Face /home/user/code/freetype2/src/base/ftobjs.c:1240:12
    #6 0x4e38b7 in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:139:10
    #7 0x4e38b7 in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
    #8 0x7fdebd94fec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #9 0x41dfa5 in _start (/home/ubuntu/build/build/ftrandom+0x41dfa5)
Whiteboard: gfx-noted
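The report contains no source, so the following is an added illustration of the defect class UBSan flags above, not FreeType's code: a constructed model of a CFF INDEX accessor in which an empty element surfaces as a NULL data pointer, and a name copy that never hands that NULL to the string.h routine the trace's nonnull note refers to (memcpy in this model), even for a zero-length copy. The type and function names (ToyIndex, toy_index_access, toy_index_get_name, sample_name_is) and the sample data are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a CFF INDEX (hypothetical type, not FreeType's):
 * `count` elements, byte ranges given by count+1 offsets into `data`. */
typedef struct {
    size_t count;
    const size_t *offsets;        /* count + 1 entries, offsets[0] == 0 */
    const unsigned char *data;
} ToyIndex;

/* Locate element `i`: store its length, return a pointer to its bytes,
 * or NULL for an out-of-range or zero-length element. */
static const unsigned char *toy_index_access(const ToyIndex *idx,
                                             size_t i, size_t *len)
{
    if (i >= idx->count) { *len = 0; return NULL; }
    *len = idx->offsets[i + 1] - idx->offsets[i];
    return *len ? idx->data + idx->offsets[i] : NULL;
}

/* Copy element `i` into a fresh NUL-terminated string (caller frees).
 * glibc declares memcpy's pointers nonnull, so memcpy(dst, NULL, 0) is
 * undefined behaviour, which is exactly what UBSan reports; the guard
 * skips the call for an empty element instead. */
char *toy_index_get_name(const ToyIndex *idx, size_t i)
{
    size_t len;
    const unsigned char *bytes = toy_index_access(idx, i, &len);
    char *name = malloc(len + 1);
    if (!name) return NULL;
    if (len > 0 && bytes != NULL)
        memcpy(name, bytes, len);
    name[len] = '\0';
    return name;
}

/* Constructed sample: elements "Foo", "" (empty) and "Bar!". */
static const size_t sample_offsets[] = { 0, 3, 3, 7 };
static const ToyIndex sample_index =
    { 3, sample_offsets, (const unsigned char *)"FooBar!" };

/* Returns 1 if element `i` of the sample copies to `expected`. */
int sample_name_is(size_t i, const char *expected)
{
    char *name = toy_index_get_name(&sample_index, i);
    int ok = name != NULL && strcmp(name, expected) == 0;
    free(name);
    return ok;
}
```

Building the same model without the `len > 0 && bytes != NULL` guard and running it under `-fsanitize=undefined` reproduces the "null pointer passed as argument 2" diagnostic on the empty element.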

Updated (Reporter, a year ago)

Status: NEW → RESOLVED
Last Resolved: a year ago
Depends on: 1176531
Resolution: --- → FIXED
status-firefox51: --- → wontfix
status-firefox52: --- → affected
status-firefox53: --- → fixed
Target Milestone: --- → mozilla53
status-firefox52: affected → fixed