Closed
Bug 1295371
Opened 8 years ago
Closed 8 years ago
freetype2: left shift of negative value in [@tt_sbit_decoder_load_bit_aligned]
Categories
(Core :: Graphics: Text, defect)
Core
Graphics: Text
Tracking
()
RESOLVED
FIXED
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: testcase, Whiteboard: [gfx-noted])
Attachments
(1 file)
|
48.00 KB,
application/x-font-ttf
|
Details |
Found while fuzzing freetype2 commit 248f5629d8889aa5b77ea5bfce0935140293d50d (>2.6.5)
I'm not sure if this affects the browser or if we are protected by OTS. I'm also not sure how far this bug goes back.
src/sfnt/ttsbit.c:867:39: runtime error: left shift of negative value -4081
#0 0x7fe197e03163 in tt_sbit_decoder_load_bit_aligned src/sfnt/ttsbit.c:877:29
#1 0x7fe197dfde04 in tt_sbit_decoder_load_bitmap src/sfnt/ttsbit.c:1162:15
#2 0x7fe197dfde04 in tt_sbit_decoder_load_image src/sfnt/ttsbit.c:1357
#3 0x7fe197e0392b in tt_sbit_decoder_load_compound src/sfnt/ttsbit.c:949:15
#4 0x7fe197dfde04 in tt_sbit_decoder_load_bitmap src/sfnt/ttsbit.c:1162:15
#5 0x7fe197dfde04 in tt_sbit_decoder_load_image src/sfnt/ttsbit.c:1357
#6 0x7fe197dec52a in tt_face_load_sbit_image src/sfnt/ttsbit.c:1523:19
#7 0x7fe197bd08e4 in load_sbit_image src/truetype/ttgload.c:2189:13
#8 0x7fe197bd08e4 in TT_Load_Glyph src/truetype/ttgload.c:2608
#9 0x7fe197bd08e4 in tt_glyph_load src/truetype/ttdriver.c:424
#10 0x7fe197b2233e in FT_Load_Glyph src/base/ftobjs.c:742:15
#11 0x4ea5aa in TestFace src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:105:12
#12 0x4ea5aa in ExecuteTest src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:143
#13 0x4ea5aa in main src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
#14 0x7fe196be982f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#15 0x418a78 in _start (/home/user/workspace/freetype2/ftrandom+0x418a78)
|
||
Updated•8 years ago
|
Whiteboard: [gfx-noted]
|
||
Comment 1•8 years ago
|
||
Sorry, can't repeat. Please provide the failing `test_case.ttf` instance.
Flags: needinfo?(twsmith)
|
Reporter | |
Comment 2•8 years ago
|
||
I can repro with the attached test_case.ttf with the latest revision from git. FWIW I am using the same ftrandom.c file as bug 1272173.
I am using the using the following build args:
CC=clang CFLAGS="-fsanitize=undefined -fno-sanitize-recover=undefined -g -O2" LDFLAGS=-fsanitize=undefined
I hope this helps, if not I can try finding a different test case.
Flags: needinfo?(twsmith)
|
|
Reporter | |
Comment 3•8 years ago
|
||
Logged as: https://savannah.nongnu.org/bugs/?48980
|
|
Reporter | |
Comment 4•8 years ago
|
||
Fixed in FreeType 2.7
You need to log in
before you can comment on or make changes to this bug.
Description
•