Open Bug 1274006 Opened 8 years ago Updated 1 year ago

woff2: reference binding to null pointer in src/woff2_dec.cc:1250

Categories

(Core :: Graphics: Text, defect, P3)

49 Branch
defect

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: regressionwindow-wanted, testcase, Whiteboard: [gfx-noted])

Attachments

(1 file)

7.19 KB, application/octet-stream
Attached file test_case.woff2
Found while fuzzing woff2 commit 8f3ff26c376cca6a19bb1b819ff21309a2cf42d1

This was found using Undefined Behavior Sanitizer (UBSan).

/usr/bin/../lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:771:16: runtime error: reference binding to null pointer of type 'unsigned char'
    #0 0x5442a9 in std::vector<unsigned char, std::allocator<unsigned char> >::operator[](unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:771:9
    #1 0x5442a9 in woff2::(anonymous namespace)::WriteHeaders(unsigned char const*, unsigned long, woff2::(anonymous namespace)::RebuildMetadata*, woff2::(anonymous namespace)::WOFF2Header*, woff2::WOFF2Out*) /home/user/code/woff2/src/woff2_dec.cc:1250
    #2 0x5442a9 in woff2::ConvertWOFF2ToTTF(unsigned char const*, unsigned long, woff2::WOFF2Out*) /home/user/code/woff2/src/woff2_dec.cc:1284
    #3 0x5c60e8 in fuzz(char*) /home/user/code/woff2/src/woff2_decompress.cc:36:19
    #4 0x5c6bd2 in main /home/user/code/woff2/src/woff2_decompress.cc:52:10
    #5 0x7f1844074ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #6 0x438ce5 in _start (/home/user/Desktop/woff2/woff2_decompress_ub+0x438ce5)
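The sanitizer line above is the signature of indexing an empty std::vector: data() is null, and v[0] forms an 'unsigned char&' through that null pointer. The page does not show the code at woff2_dec.cc:1250, so the following is an added, constructed C++ illustration of that bug class beside its guarded form; it is not woff2's code, and the function names and the "write a table to the output" framing are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed illustration (not woff2's code) of the bug class in the
// UBSan report: std::vector::operator[] on an empty vector. data() is
// then null, and src[0] forms an 'unsigned char&' through that null
// pointer, which is what -fsanitize=undefined reports.
using Bytes = std::vector<uint8_t>;

// Hypothetical "append this table's bytes to the output" step. Taking
// &src[0] to get a raw pointer is fine for non-empty tables and undefined
// for a zero-length one (an empty metadata block, for example).
static size_t write_table_unguarded(const Bytes& src, Bytes* out) {
  const uint8_t* p = &src[0];  // UB when src.empty(): reference bound to null
  out->insert(out->end(), p, p + src.size());
  return src.size();
}

// Hardened form: check for the empty case first, and use data(), which
// returns a pointer without forming a reference. A zero-length table
// becomes a no-op instead of undefined behaviour.
static size_t write_table_guarded(const Bytes& src, Bytes* out) {
  if (src.empty()) return 0;
  const uint8_t* p = src.data();
  out->insert(out->end(), p, p + src.size());
  return src.size();
}

// Assemble several tables into one output buffer using the guarded writer,
// so that empty tables (which a fuzzer readily produces) are tolerated.
static Bytes assemble(const std::vector<Bytes>& tables) {
  Bytes out;
  for (const Bytes& t : tables) write_table_guarded(t, &out);
  return out;
}

// Stand-alone demo: build with -fsanitize=undefined to see the runtime
// error for the unguarded call on the empty table; the guarded path is silent.
int main() {
  Bytes out;
  Bytes empty;                         // zero-length table, data() == nullptr
  write_table_guarded(empty, &out);    // fine: 0 bytes written
  write_table_unguarded(empty, &out);  // UBSan: reference binding to null pointer
  std::printf("%zu bytes written\n", assemble({Bytes{1, 2}, empty, Bytes{3}}).size());
  return 0;
}
```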
Was this ever reported upstream?
Flags: needinfo?(twsmith)
Has Regression Range: --- → irrelevant
(In reply to Ryan VanderMeulen [:RyanVM] from comment #1)
> Was this ever reported upstream?

Nope. I plan to revisit woff2 soon and I will report this with an updated test case.
Flags: needinfo?(twsmith)
Severity: normal → S3