Bug 1274006 - woff2: reference binding to null pointer in src/woff2_dec.cc:1250

Opened 8 years ago, updated 1 year ago
Status: NEW (Open)
Categories: Core :: Graphics: Text, defect, P3
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: regressionwindow-wanted, testcase; Whiteboard: [gfx-noted]
Attachments (1 file): 7.19 KB, application/octet-stream

Description
Found while fuzzing woff2 commit 8f3ff26c376cca6a19bb1b819ff21309a2cf42d1

This was found using Undefined Behavior Sanitizer (UBSan)

/usr/bin/../lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:771:16: runtime error: reference binding to null pointer of type 'unsigned char'
    #0 0x5442a9 in std::vector<unsigned char, std::allocator<unsigned char> >::operator[](unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:771:9
    #1 0x5442a9 in woff2::(anonymous namespace)::WriteHeaders(unsigned char const*, unsigned long, woff2::(anonymous namespace)::RebuildMetadata*, woff2::(anonymous namespace)::WOFF2Header*, woff2::WOFF2Out*) /home/user/code/woff2/src/woff2_dec.cc:1250
    #2 0x5442a9 in woff2::ConvertWOFF2ToTTF(unsigned char const*, unsigned long, woff2::WOFF2Out*) /home/user/code/woff2/src/woff2_dec.cc:1284
    #3 0x5c60e8 in fuzz(char*) /home/user/code/woff2/src/woff2_decompress.cc:36:19
    #4 0x5c6bd2 in main /home/user/code/woff2/src/woff2_decompress.cc:52:10
    #5 0x7f1844074ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #6 0x438ce5 in _start (/home/user/Desktop/woff2/woff2_decompress_ub+0x438ce5)
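What the diagnostic above means in practice: libstdc++'s std::vector::operator[] returns *(begin + n), and on an empty vector begin is a null pointer, so even the common idiom &v[0] (taking the address of element zero of a zero-length buffer) forms a reference to null before any byte is touched. UBSan reports that as "reference binding to null pointer"; the diagnostic by itself shows undefined behaviour, not a demonstrated memory-safety bug, so triage should confirm what is later done with the pointer. The following is an added example, not woff2's code and not the attached test case: a hypothetical sfnt-style header reader and table-body writer, with the unsafe pattern beside the fixed one (data() and an explicit empty() check). The header layout constants, the function names and the constructed zero-table header are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed sample input (not from the bug's attachment): a 12-byte sfnt
// header with sfntVersion 0x00010000 and numTables = 0, the case that
// leaves the per-table body buffer below empty.
const uint8_t kZeroTableHeader[12] = {
    0x00, 0x01, 0x00, 0x00,  // sfntVersion
    0x00, 0x00,              // numTables = 0
    0x00, 0x00,              // searchRange
    0x00, 0x00,              // entrySelector
    0x00, 0x00,              // rangeShift
};

// Read the big-endian numTables field; returns -1 if the buffer is too short.
int ReadNumTables(const uint8_t* data, size_t length) {
  if (length < 12) return -1;
  return (data[4] << 8) | data[5];
}

// Concatenate table payloads into one body buffer. A font declaring zero
// tables yields an empty vector.
std::vector<uint8_t> BuildTableBodies(
    const std::vector<std::vector<uint8_t> >& tables) {
  std::vector<uint8_t> bodies;
  for (size_t i = 0; i < tables.size(); ++i) {
    bodies.insert(bodies.end(), tables[i].begin(), tables[i].end());
  }
  return bodies;
}

// UNSAFE (the pattern behind the UBSan report): &bodies[0] evaluates
// *(begin + 0) first. With an empty vector begin is null, so UBSan flags
// operator[] even though no byte is ever read. Hypothetical; not called by
// the checks below.
bool AppendBodiesUnsafe(const std::vector<uint8_t>& bodies,
                        std::vector<uint8_t>* out) {
  const uint8_t* src = &bodies[0];
  out->insert(out->end(), src, src + bodies.size());
  return true;
}

// SAFE: data() is defined for an empty vector and forms no reference; the
// explicit empty() check also keeps a possibly-null pointer out of the
// range arithmetic handed to insert().
bool AppendBodiesSafe(const std::vector<uint8_t>& bodies,
                      std::vector<uint8_t>* out) {
  if (bodies.empty()) return true;
  const uint8_t* src = bodies.data();
  out->insert(out->end(), src, src + bodies.size());
  return true;
}

// Hypothetical rebuild step: copy the 12-byte header, then append the table
// bodies. Returns the number of bytes produced, or -1 if the header is too
// short or its table count disagrees with the tables supplied.
int RebuildFont(const uint8_t* header, size_t header_len,
                const std::vector<std::vector<uint8_t> >& tables,
                std::vector<uint8_t>* out) {
  int num_tables = ReadNumTables(header, header_len);
  if (num_tables < 0) return -1;
  if (static_cast<size_t>(num_tables) != tables.size()) return -1;
  out->assign(header, header + 12);
  std::vector<uint8_t> bodies = BuildTableBodies(tables);
  if (!AppendBodiesSafe(bodies, out)) return -1;
  return static_cast<int>(out->size());
}
```

Compile with -fsanitize=undefined and call AppendBodiesUnsafe on an empty vector to reproduce the same class of report as the trace above; the fixed function is silent on the same input. A zero-table header is the simplest way to reach the empty-buffer path, which is also why fuzzers find this pattern quickly.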
Whiteboard: [gfx-noted]

Updated 8 years ago
Keywords: regressionwindow-wanted

Updated 7 years ago
Priority: -- → P3

Updated 7 years ago
Has Regression Range: --- → irrelevant
status-firefox49: affected → ---
Comment 2 (Reporter, 7 years ago)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #1)
> Was this ever reported upstream?

Nope. I plan to revisit woff2 soon and I will report this with an updated test case.
Flags: needinfo?(twsmith)
Updated 1 year ago
Severity: normal → S3