Closed Bug 1294575 Opened 8 years ago Closed 8 years ago

freetype2: heap-buffer-overflow read [@Ins_FLIPPT]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox51 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-bounds, testcase)

Attachments

(2 files)

Attached file log.txt
This was found while fuzzing freetype revision: dce554b1bd7fb78b5ee7a80f1726b8641d7cd677 (>2.6.5) ==10566==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001c7f8 at pc 0x7f87d75ab6d4 bp 0x7ffcd94c62b0 sp 0x7ffcd94c62a8 READ of size 8 at 0x63300001c7f8 thread T0 #0 0x7f87d75ab6d3 in Ins_FLIPPT /home/user/code/freetype2/src/truetype/ttinterp.c:5197:26 #1 0x7f87d75ab6d3 in TT_RunIns /home/user/code/freetype2/src/truetype/ttinterp.c:8143 #2 0x7f87d75d2dea in tt_size_run_fpgm /home/user/code/freetype2/src/truetype/ttobjs.c:829:15 #3 0x7f87d75d2dea in tt_size_init_bytecode /home/user/code/freetype2/src/truetype/ttobjs.c:1066 #4 0x7f87d75d2dea in tt_size_ready_bytecode /home/user/code/freetype2/src/truetype/ttobjs.c:1085 #5 0x7f87d75d2dea in tt_loader_init /home/user/code/freetype2/src/truetype/ttgload.c:2288 #6 0x7f87d757eb76 in TT_Load_Glyph /home/user/code/freetype2/src/truetype/ttgload.c:2645:13 #7 0x7f87d757eb76 in tt_glyph_load /home/user/code/freetype2/src/truetype/ttdriver.c:424 #8 0x7f87d74d03de in FT_Load_Glyph /home/user/code/freetype2/src/base/ftobjs.c:742:15 #9 0x4ea5ca in TestFace /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:105:12 #10 0x4ea5ca in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:143 #11 0x4ea5ca in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166 #12 0x7f87d659882f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291 #13 0x418a98 in _start (/home/user/workspace/freetype2/ftrandom+0x418a98)
Attached file test_case.ttf
Thanks for the report. Should be already fixed with the next commit after the one you have been testing. Please test.
Thanks. Looks good now. I test with freetype revision 125f2b63a503ecb1f78f86b4ebfb0303c0a46788.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: