Closed
Bug 1295383
Opened 8 years ago
Closed 7 years ago
freetype2: signed integer overflow in [@cf2_doStems]
Categories
(Core :: Graphics: Text, defect, P3)
Core
Graphics: Text
Tracking
RESOLVED
FIXED
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: testcase, Whiteboard: [gfx-noted])
Attachments
(1 file)
268 bytes, application/x-font-ttf
Found while fuzzing freetype2 commit 248f5629d8889aa5b77ea5bfce0935140293d50d (>2.6.5)
This is the most frequently hit issue at the moment. I'm not sure if this affects the browser or if we are protected by OTS.
src/cff/cf2intrp.c:313:20: runtime error: signed integer overflow: 91750400 + 2131098257 cannot be represented in type 'int'
#0 0x7fca7f05cfa1 in cf2_doStems src/cff/cf2intrp.c:311:20
#1 0x7fca7f051fb2 in cf2_interpT2CharString src/cff/cf2intrp.c:630:9
#2 0x7fca7f048b99 in cf2_getGlyphOutline src/cff/cf2font.c:472:7
#3 0x7fca7f04007d in cf2_decoder_parse_charstrings src/cff/cf2ft.c:395:16
#4 0x7fca7f036915 in cff_slot_load src/cff/cffgload.c:2971:17
#5 0x7fca7f02783b in cff_glyph_load src/cff/cffdrivr.c:177:13
#6 0x7fca7ee9833e in FT_Load_Glyph src/base/ftobjs.c:742:15
#7 0x4ea5aa in TestFace src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:105:12
#8 0x4ea5aa in ExecuteTest src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:143
#9 0x4ea5aa in main src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
#10 0x7fca7df5f82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x418a78 in _start (/home/user/workspace/freetype2/ftrandom+0x418a78)
Comment 1•8 years ago
I am not familiar with text. :jfkthame, should we do any fix for this?
Flags: needinfo?(jfkthame)
Whiteboard: [gfx-noted]
Comment 2•8 years ago
Offhand, it looks like the worst that would happen here is potentially incorrect glyph rendering. I don't think we need to do anything except take a freetype update if/when this gets addressed upstream.
In principle, signed integer overflow = undefined behavior (which should be avoided, as there's no knowing what might happen), but in practice I don't believe any of our current compilers will generate code that causes major problems here.
Flags: needinfo?(jfkthame)
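As an added illustration (not FreeType's code and not from this bug's attachment), here is a simplified model of the running stem-position accumulation that the sanitizer report above flags, with the addition checked instead of left to wrap: the `cf2_fixed` typedef, the (delta, width) operand layout and the use of GCC/Clang's `__builtin_add_overflow` are assumptions of this example, and the first operand stack is constructed to reproduce the 91750400 + 2131098257 sum from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 16.16 fixed-point, standing in for FreeType's CF2_Fixed (assumption). */
typedef int32_t cf2_fixed;

enum { MAX_STEMS = 48 };
static cf2_fixed stem_min[MAX_STEMS];
static cf2_fixed stem_max[MAX_STEMS];

/* Simplified model of hstem/vstem processing: the operand stack holds
 * (delta, width) pairs and each stem edge is the previous edge plus the
 * next operand, so one oversized operand can push the accumulator past
 * INT32_MAX.  Returns the number of stems recorded, or -1 if an addition
 * would overflow int32 (an unchecked `position += arg` is undefined
 * behaviour there). */
int stems_checked(const cf2_fixed *args, size_t nargs)
{
    cf2_fixed position = 0;
    int n = 0;
    for (size_t i = 0; i + 1 < nargs; i += 2) {
        if (n >= MAX_STEMS)
            return -1;
        if (__builtin_add_overflow(position, args[i], &position))
            return -1;          /* bottom/left edge would overflow */
        stem_min[n] = position;
        if (__builtin_add_overflow(position, args[i + 1], &position))
            return -1;          /* top/right edge would overflow */
        stem_max[n] = position;
        n++;
    }
    return n;
}

/* Constructed operand stacks: the first reproduces the sum from the
 * sanitizer report on this page, the second is two well-formed stems. */
const cf2_fixed kOverflowArgs[] = { 91750400, 2131098257, 655360, 327680 };
const cf2_fixed kBenignArgs[]   = { 6553600, 3276800, 655360, 1310720 };

int main(void)
{
    int r1 = stems_checked(kOverflowArgs, 4);
    int r2 = stems_checked(kBenignArgs, 4);
    printf("overflowing stack: %d, benign stack: %d stems\n", r1, r2);
    for (int i = 0; i < r2; i++)
        printf("stem %d: [%d, %d]\n", i, stem_min[i], stem_max[i]);
    return 0;
}
```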
Comment 3•8 years ago
This is similar to bug #1295383 – the error is harmless, and I won't add code to check this specially.
Comment 4•8 years ago
Oops, I meant bug #1295376
Updated•7 years ago
Priority: -- → P3
Comment 6•7 years ago
No. All (known) integer overflows are now handled.
Flags: needinfo?(wl)
Comment 7•7 years ago
Thanks for the confirmation.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED