Closed
Bug 1295366
Opened 8 years ago
Closed 8 years ago
freetype2: shift exponent is too large in [@ft_lzwstate_get_code]
Categories: (Core :: Graphics: Text, defect)
Tracking: RESOLVED FIXED
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: testcase, Whiteboard: [gfx-noted])
Attachments (1 file): 1.24 KB, application/x-font-ttf
Found while fuzzing freetype2 commit 248f5629d8889aa5b77ea5bfce0935140293d50d (>2.6.5)
I'm not sure if this affects the browser or if we are protected by OTS. I'm also not sure how far this bug goes back.
src/lzw/ftzopen.c:103:24: runtime error: shift exponent 34 is too large for 32-bit type 'unsigned int'
#0 0x7fd9111044d2 in ft_lzwstate_get_code src/lzw/ftzopen.c:103:24
#1 0x7fd911100c22 in ft_lzwstate_io src/lzw/ftzopen.c:314:13
#2 0x7fd9110fe5ef in ft_lzw_file_fill_output src/lzw/ftlzw.c:179:13
#3 0x7fd9110fe5ef in ft_lzw_file_io src/lzw/ftlzw.c:296
#4 0x7fd9110fe5ef in ft_lzw_stream_io src/lzw/ftlzw.c:342
#5 0x7fd910d5eff1 in FT_Stream_EnterFrame src/base/ftstream.c:273:20
#6 0x7fd910d64190 in FT_Stream_ReadFields src/base/ftstream.c:742:17
#7 0x7fd910f67492 in pcf_read_TOC src/pcf/pcfread.c:102:10
#8 0x7fd910f67492 in pcf_load_font src/pcf/pcfread.c:1200
#9 0x7fd910f61b3d in PCF_Face_Init src/pcf/pcfdrivr.c:335:15
#10 0x7fd910d28d1e in open_face src/base/ftobjs.c:1177:15
#11 0x7fd910d2536c in FT_Open_Face src/base/ftobjs.c:2192:19
#12 0x7fd910d2492c in FT_New_Face src/base/ftobjs.c:1240:12
#13 0x4ea358 in ExecuteTest src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:139:10
#14 0x4ea358 in main src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
#15 0x7fd90fdd182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#16 0x418a78 in _start (/home/user/workspace/freetype2/ftrandom+0x418a78)
Updated•8 years ago
Whiteboard: [gfx-noted]
Comment 1•8 years ago
AFAICT this shouldn't affect the browser because we don't support PCF fonts via @font-face.
Comment 2•8 years ago
Fixed in git. Note, however, that limiting `num_bits' to LZW_MAX_BITS is what I deduce from reading the code, not from knowing...
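The bound Comment 2 refers to, shown as an added example that is not FreeType's own ft_lzwstate_get_code: a hypothetical LSB-first variable-width code reader that refuses any width outside 1..LZW_MAX_BITS (the value 16 is assumed here, the classic compress limit; the bug page does not quote it) and checks the buffer length before reading. A width such as the 34 in the sanitizer report is rejected as malformed input instead of reaching a shift of a 32-bit value by 34 bits, which is undefined behaviour in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value: the classic .Z (compress) format caps code width at 16 bits.
 * FreeType's own LZW_MAX_BITS is not quoted on the bug page. */
#define LZW_MAX_BITS 16

/* Hypothetical bounded code reader (not FreeType's ft_lzwstate_get_code).
 * Reads num_bits bits, LSB-first, starting at bit offset *bit_pos.
 * Returns 0 and stores the code in *code on success; returns -1 when
 * num_bits is outside 1..LZW_MAX_BITS or the read would run past buf_len. */
int lzw_get_code(const uint8_t *buf, size_t buf_len, size_t *bit_pos,
                 unsigned num_bits, uint32_t *code)
{
    /* The check the fix relies on: a width above LZW_MAX_BITS is invalid
     * input, and a width >= 32 would make the shifts below undefined. */
    if (num_bits == 0 || num_bits > LZW_MAX_BITS)
        return -1;

    /* Bounds check before touching the buffer. */
    if (*bit_pos > buf_len * 8 || num_bits > buf_len * 8 - *bit_pos)
        return -1;

    uint32_t value = 0;
    for (unsigned i = 0; i < num_bits; i++) {
        size_t   pos = *bit_pos + i;
        uint32_t bit = (buf[pos >> 3] >> (pos & 7)) & 1u;
        value |= bit << i;   /* i < LZW_MAX_BITS <= 31: shift is well-defined */
    }

    *bit_pos += num_bits;
    *code     = value;
    return 0;
}

int main(void)
{
    /* Constructed sample input: two bytes, 16 bits of code stream. */
    const uint8_t buf[2] = { 0xAB, 0xCD };
    size_t   pos  = 0;
    uint32_t code = 0;

    if (lzw_get_code(buf, sizeof buf, &pos, 9, &code) == 0)
        printf("9-bit code: 0x%03X (next bit offset %zu)\n", code, pos);

    /* Same width as the sanitizer report: rejected, never shifted. */
    if (lzw_get_code(buf, sizeof buf, &pos, 34, &code) != 0)
        printf("width 34 rejected (max %d)\n", LZW_MAX_BITS);

    return 0;
}
```

The width check runs before the length check so that an oversized width can never be masked by an "enough bytes left" test on a large buffer.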
Comment 3•8 years ago (Reporter)
Verified fixed in freetype2 revision 8521ad99b03c24040dbc0387966118ebc81f8933. Thanks!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED