Bug 1272173 - Closed (RESOLVED FIXED)
freetype2: UBSan: null pointer passed as argument 1, which is declared to never be null [@ft_mem_realloc] in src/base/ftutil.c:105
Opened 8 years ago; closed 8 years ago
Category: Core :: Graphics: Text (defect)
Reporter: tsmith; Unassigned
References: Blocks 1 open bug
Details: 4 keywords; Whiteboard: gfx-noted
Attachments: 2 files, 2 obsolete files

Description
Found while fuzzing freetype2 commit cdc8f4d9330b0e402fbc22e22c13c30656d1c3cd (>2.6.3). To reproduce, run the attached test case with ftrandom built with Undefined Behavior Sanitizer.

/home/user/code/freetype2/src/base/ftutil.c:105:7: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:66:62: note: nonnull attribute specified here
    #0 0x4f15fc in ft_mem_realloc /home/user/code/freetype2/src/base/ftutil.c:105:7
    #1 0x6b77eb in FNT_Load_Glyph /home/user/code/freetype2/src/winfonts/winfnt.c:1074:12
    #2 0x4e72a9 in FT_Load_Glyph /home/user/code/freetype2/src/base/ftobjs.c:742:15
    #3 0x4e3c4d in TestFace /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:105:12
    #4 0x4e3c4d in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:143
    #5 0x4e3c4d in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
    #6 0x7f139a540ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x41dfa5 in _start (/home/ubuntu/build/build/ftrandom+0x41dfa5)
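The report above is a nonnull-attribute violation: a realloc-and-zero wrapper reaches memset() with a NULL block. The following C program is an added, reduced model of that defect class written for this page; it is not FreeType's code, and it does not claim to reproduce the exact trigger in winfnt.c or the project's actual fix. All names in it (resize_quiet, zero_tail, grow_zeroed_unguarded, grow_zeroed_guarded, the null_memset_attempts counter that stands in for the sanitizer) are constructed for the example. The "before" variant zeroes the new tail whenever the resize reported no error and the count grew; a zero item size satisfies both while the block is NULL. The "after" variant adds the explicit non-null check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for UBSan (constructed for this example): counts zeroing calls
   that would hand NULL to memset(). glibc declares memset's first argument
   nonnull, which is the "nonnull attribute specified here" note above. */
int null_memset_attempts = 0;

/* Zero len bytes at base + offset, never forming a pointer from NULL. */
static void zero_tail(void *base, size_t offset, size_t len)
{
    if (base == NULL) {
        /* Real code would call memset(NULL, 0, len) here; the
           nonnull-attribute check fires even when len == 0. */
        null_memset_attempts++;
        return;
    }
    memset((char *)base + offset, 0, len);
}

/* Resize without zeroing. As in a "qrealloc"-style helper, zero items or a
   zero item size frees the block and yields NULL with *error left clear. */
static void *resize_quiet(void *block, size_t item_size,
                          size_t new_count, int *error)
{
    void *grown;

    *error = 0;
    if (new_count == 0 || item_size == 0) {
        free(block);
        return NULL;
    }
    if (new_count > SIZE_MAX / item_size) {   /* size overflow guard */
        *error = 1;
        return block;
    }
    grown = realloc(block, new_count * item_size); /* realloc(NULL, n) == malloc(n) */
    if (grown == NULL) {
        *error = 1;
        return block;
    }
    return grown;
}

/* BEFORE: item_size == 0 with new_count > cur_count gives block == NULL and
   no error, so the zeroing step runs on a null pointer. */
void *grow_zeroed_unguarded(void *block, size_t item_size,
                            size_t cur_count, size_t new_count, int *error)
{
    block = resize_quiet(block, item_size, new_count, error);
    if (!*error && new_count > cur_count)
        zero_tail(block, cur_count * item_size,
                  (new_count - cur_count) * item_size);
    return block;
}

/* AFTER: same logic plus a non-null check before any memory is touched. */
void *grow_zeroed_guarded(void *block, size_t item_size,
                          size_t cur_count, size_t new_count, int *error)
{
    block = resize_quiet(block, item_size, new_count, error);
    if (!*error && block != NULL && new_count > cur_count)
        zero_tail(block, cur_count * item_size,
                  (new_count - cur_count) * item_size);
    return block;
}

/* Drive the zero-item-size path and return how many times the zeroing step
   would have reached memset() with NULL. */
int null_zeroing_attempts(int guarded)
{
    int error;
    void *p;

    null_memset_attempts = 0;
    p = guarded ? grow_zeroed_guarded(NULL, 0, 0, 4, &error)
                : grow_zeroed_unguarded(NULL, 0, 0, 4, &error);
    free(p);                                  /* NULL here; free(NULL) is a no-op */
    return null_memset_attempts;
}

/* Ordinary growth: old bytes keep their value, the new tail is zero. */
int growth_keeps_old_and_zeroes_new(void)
{
    int error, ok;
    unsigned char *buf = grow_zeroed_guarded(NULL, 1, 0, 8, &error);

    if (buf == NULL || error)
        return 0;
    memset(buf, 0xAB, 8);
    buf = grow_zeroed_guarded(buf, 1, 8, 16, &error);
    ok = !error && buf[7] == 0xAB && buf[8] == 0 && buf[15] == 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("unguarded: %d null memset attempt(s)\n", null_zeroing_attempts(0));
    printf("guarded:   %d null memset attempt(s)\n", null_zeroing_attempts(1));
    printf("growth ok: %d\n", growth_keeps_old_and_zeroes_new());
    return 0;
}
```

Building the same program with -fsanitize=undefined and replacing the counter in zero_tail with a direct memset() call reproduces the sanitizer diagnostic in the report. The guard matters beyond the sanitizer: once a compiler sees a nonnull call, it may assume the pointer is non-null and drop later null checks in the caller.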
Updated 8 years ago
Whiteboard: gfx-noted

Comment 1 (Reporter, 8 years ago)
Still reproducible with freetype2 commit 125f2b63a503ecb1f78f86b4ebfb0303c0a46788(>2.6.5)
Comment 2 (8 years ago)
Not reproducible for me, alas. Please post the actual fuzzer instance generated by ftrandom that triggers the error.
Flags: needinfo?(twsmith)
Comment 3 (Reporter, 8 years ago)
Sorry here is an updated test case. I will also post the fuzzer.
Comment 4 (Reporter, 8 years ago)
Attachment #8751541 - Attachment is obsolete: true
Attachment #8780692 - Attachment is obsolete: true
Comment 5 (Reporter, 8 years ago)
Marking as s-s since I am attaching the fuzzer. FWIW most of the code in it is public.
Group: gfx-core-security
Keywords: sec-other
Comment 6 (Reporter, 8 years ago)
Most of the code here I repurposed from ftfuzzer. Any suggestions for increased API coverage and/or speed would be great.
Flags: needinfo?(twsmith)
Comment 7 (8 years ago)
Fixed now in git. Thanks for the report!
Comment 8 (Reporter, 8 years ago)
Thanks! Verified fixed with freetype2 revision 248f5629d8889aa5b77ea5bfce0935140293d50d (>2.6.5)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated 8 years ago
Group: gfx-core-security → core-security-release
Updated 4 years ago
Group: core-security-release