Closed Bug 1294575 Opened 8 years ago Closed 8 years ago

freetype2: heap-buffer-overflow read [@Ins_FLIPPT]

Categories

(Core :: Graphics: Text, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox51 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-bounds, testcase)

Attachments

(2 files)

Attached file log.txt
This was found while fuzzing freetype revision: dce554b1bd7fb78b5ee7a80f1726b8641d7cd677 (>2.6.5)

==10566==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001c7f8 at pc 0x7f87d75ab6d4 bp 0x7ffcd94c62b0 sp 0x7ffcd94c62a8
READ of size 8 at 0x63300001c7f8 thread T0
    #0 0x7f87d75ab6d3 in Ins_FLIPPT /home/user/code/freetype2/src/truetype/ttinterp.c:5197:26
    #1 0x7f87d75ab6d3 in TT_RunIns /home/user/code/freetype2/src/truetype/ttinterp.c:8143
    #2 0x7f87d75d2dea in tt_size_run_fpgm /home/user/code/freetype2/src/truetype/ttobjs.c:829:15
    #3 0x7f87d75d2dea in tt_size_init_bytecode /home/user/code/freetype2/src/truetype/ttobjs.c:1066
    #4 0x7f87d75d2dea in tt_size_ready_bytecode /home/user/code/freetype2/src/truetype/ttobjs.c:1085
    #5 0x7f87d75d2dea in tt_loader_init /home/user/code/freetype2/src/truetype/ttgload.c:2288
    #6 0x7f87d757eb76 in TT_Load_Glyph /home/user/code/freetype2/src/truetype/ttgload.c:2645:13
    #7 0x7f87d757eb76 in tt_glyph_load /home/user/code/freetype2/src/truetype/ttdriver.c:424
    #8 0x7f87d74d03de in FT_Load_Glyph /home/user/code/freetype2/src/base/ftobjs.c:742:15
    #9 0x4ea5ca in TestFace /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:105:12
    #10 0x4ea5ca in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:143
    #11 0x4ea5ca in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
    #12 0x7f87d659882f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #13 0x418a98 in _start (/home/user/workspace/freetype2/ftrandom+0x418a98)
Attached file test_case.ttf
Thanks for the report.  Should be already fixed with the next commit after the one you have been testing.  Please test.
Thanks. Looks good now. I test with freetype revision 125f2b63a503ecb1f78f86b4ebfb0303c0a46788.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.