Open Bug 1459756 Opened 6 years ago Updated 2 years ago

graphite2: crash near null in [@ graphite2::Segment::collisionInfo]

Categories

(Core :: Graphics: Text, defect, P3)

defect


People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

5.32 KB, application/x-font-ttf
Attached file testcase.fuzz
Found with graphite commit edeb6b92d93aca07df457d81a1d728a799a54350

==9992==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000575318 bp 0x7ffff7779030 sp 0x7ffff7778ea0 T0)
==9992==The signal is caused by a READ memory access.
==9992==Hint: address points to the zero page.
    #0 0x575317 in graphite2::Slot::index() const src/inc/Slot.h:79:35
    #1 0x575317 in graphite2::Segment::collisionInfo(graphite2::Slot const*) const src/inc/Segment.h:152
    #2 0x575317 in graphite2::Pass::collisionShift(graphite2::Segment*, int, graphite2::json*) const src/Pass.cpp:806
    #3 0x572c60 in graphite2::Pass::runGraphite(graphite2::vm::Machine&, graphite2::FiniteStateMachine&, bool) const src/Pass.cpp:444:14
    #4 0x53e899 in graphite2::Silf::runGraphite(graphite2::Segment*, unsigned char, unsigned char, int) const src/Silf.cpp:431:33
    #5 0x52a650 in graphite2::Segment::justify(graphite2::Slot*, graphite2::Font const*, float, graphite2::justFlags, graphite2::Slot*, graphite2::Slot*) src/Justifier.cpp:208:17
    #6 0x5112c5 in LLVMFuzzerTestOneInput tests/fuzz-tests/gr-fuzzer-segment.cpp:113:9
    #7 0x511a24 in main tests/fuzz-tests/gr-fuzzer-segment.cpp:143:7
    #8 0x7f9856a8782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x41a3e8 in _start (gr-fuzzer-segment+0x41a3e8)
`gr2fonttest -auto -noprint testcase.ttf` results in a failure to load the font due to it being an invalid font. Not sure how you got past that.
Flags: needinfo?(twsmith)
Please see https://bugzilla.mozilla.org/show_bug.cgi?id=1459753#c2
Flags: needinfo?(twsmith)
Severity: normal → S3