Closed Bug 1295383 Opened 8 years ago Closed 7 years ago

freetype2: signed integer overflow in [@cf2_doStems]

Categories

(Core :: Graphics: Text, defect, P3)

defect

Tracking

()

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [gfx-noted])

Attachments

(1 file)

Attached file test_case.ttf
Found while fuzzing freetype2 commit 248f5629d8889aa5b77ea5bfce0935140293d50d (>2.6.5)

This is the most frequently hit issue at the moment. I'm not sure if this affects the browser or if we are protected by OTS.

src/cff/cf2intrp.c:313:20: runtime error: signed integer overflow: 91750400 + 2131098257 cannot be represented in type 'int'
    #0 0x7fca7f05cfa1 in cf2_doStems src/cff/cf2intrp.c:311:20
    #1 0x7fca7f051fb2 in cf2_interpT2CharString src/cff/cf2intrp.c:630:9
    #2 0x7fca7f048b99 in cf2_getGlyphOutline src/cff/cf2font.c:472:7
    #3 0x7fca7f04007d in cf2_decoder_parse_charstrings src/cff/cf2ft.c:395:16
    #4 0x7fca7f036915 in cff_slot_load src/cff/cffgload.c:2971:17
    #5 0x7fca7f02783b in cff_glyph_load src/cff/cffdrivr.c:177:13
    #6 0x7fca7ee9833e in FT_Load_Glyph src/base/ftobjs.c:742:15
    #7 0x4ea5aa in TestFace src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:105:12
    #8 0x4ea5aa in ExecuteTest src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:143
    #9 0x4ea5aa in main src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
    #10 0x7fca7df5f82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x418a78 in _start (/home/user/workspace/freetype2/ftrandom+0x418a78)
I am not familiar with text. :jfkthame, should we do any fix for this?
Flags: needinfo?(jfkthame)
Whiteboard: [gfx-noted]
Offhand, it looks like the worst that would happen here is potentially incorrect glyph rendering. I don't think we need to do anything except take a freetype update if/when this gets addressed upstream.

In principle, signed integer overflow = undefined behavior (which should be avoided, as there's no knowing what might happen), but in practice I don't believe any of our current compilers will generate code that causes major problems here.
Flags: needinfo?(jfkthame)
This is similar to bug #1295383 – the error is harmless, and I won't add code to check this specially.
Oops, I meant bug #1295376
Is this still an issue with 2.8.1?
Flags: needinfo?(wl)
No. All (known) integer overflows should are now handled.
Flags: needinfo?(wl)
Thanks for the confirmation.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: