Closed Bug 1272173 Opened 8 years ago Closed 8 years ago

freetype2: UBSan: null pointer passed as argument 1, which is declared to never be null [@ft_mem_realloc] in src/base/ftutil.c:105

(Core :: Graphics: Text, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: gfx-noted)

Attachments

(2 files, 2 obsolete files)

Attached file test_case.ttf (obsolete)
Found while fuzzing freetype2 commit cdc8f4d9330b0e402fbc22e22c13c30656d1c3cd (>2.6.3)

To reproduce run the attached test case with ftrandom built with Undefined Behavior Sanitizer.

/home/user/code/freetype2/src/base/ftutil.c:105:7: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:66:62: note: nonnull attribute specified here
    #0 0x4f15fc in ft_mem_realloc /home/user/code/freetype2/src/base/ftutil.c:105:7
    #1 0x6b77eb in FNT_Load_Glyph /home/user/code/freetype2/src/winfonts/winfnt.c:1074:12
    #2 0x4e72a9 in FT_Load_Glyph /home/user/code/freetype2/src/base/ftobjs.c:742:15
    #3 0x4e3c4d in TestFace /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:105:12
    #4 0x4e3c4d in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:143
    #5 0x4e3c4d in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
    #6 0x7f139a540ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x41dfa5 in _start (/home/ubuntu/build/build/ftrandom+0x41dfa5)
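As an added illustration of the defect class the sanitizer report above flags (constructed here, not FreeType's own code; the function names are hypothetical): a realloc-style helper that zero-fills the grown tail, first in a form that hands a NULL block to memset() whenever the allocation yields NULL, then with the checks that keep the pointer non-NULL and the length non-zero before any string.h call is made.

```c
/* Constructed example, not code from FreeType. C11 7.24.1p2 requires the
 * pointer arguments of memset()/memcpy() to be valid even when the length
 * is 0, and glibc declares them nonnull, so a compiler may later delete
 * NULL checks on a pointer that has already been passed to them. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Unsafe: if realloc() returns NULL (new_size == 0, or out of memory) the
 * memset() receives a NULL first argument, which UBSan reports as
 * "null pointer passed as argument 1, which is declared to never be null".
 * Defined only to show the pattern; it is never called here. */
void *grow_zeroed_unsafe(void *block, size_t cur_size, size_t new_size)
{
    block = realloc(block, new_size);
    memset((char *)block + cur_size, 0, new_size - cur_size);
    return block;
}

/* Hardened: a zero-size request releases the block and returns NULL
 * without touching memory; an allocation failure is reported through *err
 * and the caller's old block is kept; memset() runs only with a non-NULL
 * pointer and a length greater than zero. */
void *grow_zeroed(void *block, size_t cur_size, size_t new_size, int *err)
{
    *err = 0;
    if (new_size == 0) { free(block); return NULL; }
    void *nb = realloc(block, new_size);
    if (nb == NULL) { *err = 1; return block; }      /* out of memory */
    if (new_size > cur_size)
        memset((char *)nb + cur_size, 0, new_size - cur_size);
    return nb;
}

/* Check helper: 1 if bytes [from, to) of p are all zero. */
int tail_is_zero(const unsigned char *p, size_t from, size_t to)
{
    for (size_t i = from; i < to; i++)
        if (p[i] != 0) return 0;
    return 1;
}

int main(void)
{
    int err;
    unsigned char *b = grow_zeroed(NULL, 0, 4, &err);
    memset(b, 0xAA, 4);                  /* simulate caller data */
    b = grow_zeroed(b, 4, 8, &err);      /* old bytes kept, tail zeroed */
    printf("err=%d tail_zero=%d\n", err, tail_is_zero(b, 4, 8));
    grow_zeroed(b, 8, 0, &err);          /* shrink to zero: frees, no memset */
    return 0;
}
```

Building with -fsanitize=undefined and calling the unsafe variant with new_size == 0 reproduces the same class of UBSan diagnostic as the report above.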
Whiteboard: gfx-noted
Still reproducible with freetype2 commit 125f2b63a503ecb1f78f86b4ebfb0303c0a46788 (>2.6.5)
Not reproducible for me, alas.  Please post the actual fuzzer instance generated by ftrandom that triggers the error.
Flags: needinfo?(twsmith)
Attached file test_case.ttf (obsolete)
Sorry, here is an updated test case. I will also post the fuzzer.
Attached file test_case.ttf
Attachment #8751541 - Attachment is obsolete: true
Attachment #8780692 - Attachment is obsolete: true
Marking as s-s since I am attaching the fuzzer. FWIW most of the code in it is public.
Group: gfx-core-security
Keywords: sec-other
Attached file ftrandom.c
Most of the code here I repurposed from ftfuzzer. Any suggestions for increased API coverage and/or speed would be great.
Flags: needinfo?(twsmith)
Fixed now in git.  Thanks for the report!
Thanks! Verified fixed with freetype2 revision 248f5629d8889aa5b77ea5bfce0935140293d50d (>2.6.5)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release