Open Bug 1459753 Opened 6 years ago Updated 2 years ago

graphite2: crash near null in [@ graphite2::Segment::justify]

Component: Core :: Graphics: Text (defect, P3)
Reporter: tsmith; Assignee: unassigned
References: blocks 1 open bug
Keywords: crash, testcase
Attachments: 1 file

Attached file testcase.fuzz
Found with graphite commit edeb6b92d93aca07df457d81a1d728a799a54350

==9986==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000012 (pc 0x000000528306 bp 0x7ffd0db256b0 sp 0x7ffd0db25560 T0)
==9986==The signal is caused by a READ memory access.
==9986==Hint: address points to the zero page.
    #0 0x528305 in graphite2::Slot::glyph() const src/inc/Slot.h:88:35
    #1 0x528305 in graphite2::Segment::justify(graphite2::Slot*, graphite2::Font const*, float, graphite2::justFlags, graphite2::Slot*, graphite2::Slot*) src/Justifier.cpp:89
    #2 0x5112c5 in LLVMFuzzerTestOneInput tests/fuzz-tests/gr-fuzzer-segment.cpp:113:9
    #3 0x511a24 in main tests/fuzz-tests/gr-fuzzer-segment.cpp:143:7
    #4 0x7f0018a4d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41a3e8 in _start (gr-fuzzer-segment+0x41a3e8)
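One way to triage a sanitizer report like the one above, as an added Python example (not part of graphite2, the fuzz harness, or this bug): it parses the ASan SEGV header, the READ/WRITE line and the stack frames, skips harness and runtime frames, and labels the crash. For the report in this bug that yields a near-null read in graphite2::Slot::glyph(), the null-dereference pattern that usually means a denial of service rather than a memory-corruption primitive, and the label makes the difference from a write or a far-address fault explicit. The 4 KiB zero-page threshold, the list of harness frame names, and the second WRITE report are assumptions and constructed inputs.

```python
"""Triage helper for AddressSanitizer SEGV reports from fuzzing runs.
Example code, not part of graphite2 or of the bug report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the ASan report quoted in the bug report above.
SAMPLE_REPORT = """\
==9986==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000012 (pc 0x000000528306 bp 0x7ffd0db256b0 sp 0x7ffd0db25560 T0)
==9986==The signal is caused by a READ memory access.
==9986==Hint: address points to the zero page.
    #0 0x528305 in graphite2::Slot::glyph() const src/inc/Slot.h:88:35
    #1 0x528305 in graphite2::Segment::justify(graphite2::Slot*, graphite2::Font const*, float, graphite2::justFlags, graphite2::Slot*, graphite2::Slot*) src/Justifier.cpp:89
    #2 0x5112c5 in LLVMFuzzerTestOneInput tests/fuzz-tests/gr-fuzzer-segment.cpp:113:9
    #3 0x511a24 in main tests/fuzz-tests/gr-fuzzer-segment.cpp:143:7
    #4 0x7f0018a4d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41a3e8 in _start (gr-fuzzer-segment+0x41a3e8)
"""

# Constructed, hypothetical second sample (not from the bug): a WRITE to a high address.
WILD_WRITE_REPORT = """\
==1234==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3a9c00f000 (pc 0x0000004a1b20 bp 0x7ffc1000 sp 0x7ffc0ff0 T0)
==1234==The signal is caused by a WRITE memory access.
    #0 0x4a1b20 in copy_run src/example.c:42:5
    #1 0x4a1c00 in main src/example.c:80:3
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# "#N 0x... in <function> <location>": the function may contain spaces, the location never does.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)\s*$")

ZERO_PAGE_SIZE = 0x1000  # assumption: 4 KiB page, the range ASan calls "the zero page"
HARNESS_FUNCTIONS = {"main", "_start", "LLVMFuzzerTestOneInput"}  # assumed harness frames


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class Triage:
    kind: str          # e.g. "SEGV"
    address: int       # faulting address
    access: str        # "READ", "WRITE" or "UNKNOWN"
    frames: List[Frame] = field(default_factory=list)

    @property
    def near_null(self) -> bool:
        return self.address < ZERO_PAGE_SIZE

    def blame_frame(self) -> Optional[Frame]:
        """Innermost frame that is not harness, libc or sanitizer runtime."""
        for f in self.frames:
            if f.function in HARNESS_FUNCTIONS or f.function.startswith("__"):
                continue
            return f
        return self.frames[0] if self.frames else None

    def classify(self) -> str:
        """Label: null-deref-read / null-deref-write / wild-read / wild-write."""
        if self.kind != "SEGV":
            return self.kind.lower()
        base = "null-deref" if self.near_null else "wild"
        return f"{base}-{self.access.lower()}"

    def summary(self) -> str:
        f = self.blame_frame()
        where = f"{f.function} ({f.location})" if f else "<no frames>"
        return f"{self.classify()} @ 0x{self.address:x} in {where}"


def triage_asan_report(text: str) -> Triage:
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an 'ERROR: AddressSanitizer' report")
    kind, address = header.group(1), int(header.group(2), 16)
    access_m = ACCESS_RE.search(text)
    access = access_m.group(1) if access_m else "UNKNOWN"
    frames = [Frame(int(m.group(1)), m.group(2), m.group(3))
              for m in (FRAME_RE.match(line) for line in text.splitlines()) if m]
    return Triage(kind, address, access, frames)


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, WILD_WRITE_REPORT):
        print(triage_asan_report(report).summary())
```

Run as a script it prints one summary line per report; the first reads `null-deref-read @ 0x12 in graphite2::Slot::glyph() const (src/inc/Slot.h:88:35)`, matching the "address points to the zero page" hint in the bug. The classification is deliberately coarse: it separates the common null-dereference crash class from writes and far-address faults so that a fuzzing queue can be sorted before anyone reads individual traces.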
gr2fonttest reports this as an invalid font. How might I test this?
Flags: needinfo?(twsmith)
This was found using Tim's new fuzzing harness[1]. Maybe he has a simple way to repro but AFAIK it's still in development. My intention was to help get a jump on some of the bugs before we start running on oss-fuzz. Also passing -demand to gr2fonttest avoids the invalid font warning but the crash is not triggered.

[1] https://github.com/silnrsi/graphite/blob/master/tests/fuzz-tests/gr-fuzzer-segment.cpp
Flags: needinfo?(twsmith) → needinfo?(tim_eves)
On the realisation that the justifier is not ready for prime time, and because nobody is using it, for the upcoming release we have removed it from the fuzz tester. That'll fix the problem pretty sharpish! We will return to it in due course.

Fixed in 7a37a6b6188c9eacc9b01a91076b195d533a45de
(In reply to Tyson Smith [:tsmith] (away Aug 2 - 13) from comment #2)
> This was found using Tim's new fuzzing harness[1]. Maybe he has a simple way
> to repro but AFAIK it's still in development.

Just passing the failing testcase to the fuzzer is enough to reproduce it, e.g.
./gr-fuzzer-segment testcase.fuzz 
When invoked in any other way it runs as a fuzzer.
Flags: needinfo?(tim_eves)
Severity: normal → S3