Closed
Description
# fontforge -lang=ff -c 'Open($1)' ./poc/addnibble-in-parsettf.c-stack-buffer-overflow.otf
=================================================================
==21282==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee637ea32 at pc 0x00000052540e bp 0x7ffee637e970 sp 0x7ffee637e960
WRITE of size 1 at 0x7ffee637ea32 thread T0
#0 0x52540d in addnibble /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2779
#1 0x52561f in readcffthing /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2800
#2 0x527161 in readcfftopdict /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3024
#3 0x52ae2a in readcfftopdicts /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3323
#4 0x532df4 in readcffglyphs /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3934
#5 0x54687c in readttf /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:5527
#6 0x552652 in _SFReadTTF /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:6266
#7 0x7e8756 in _ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1114
#8 0x7ea217 in ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1285
#9 0x7ea675 in LoadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1343
#10 0x660df3 in bOpen /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:1854
#11 0x6b967e in docall /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9352
#12 0x6b9f99 in handlename /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9463
#13 0x6be15f in term /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9707
#14 0x6bf96f in mul /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9852
#15 0x6bffcf in add /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9897
#16 0x6c0b1b in comp /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9972
#17 0x6c1338 in _and /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10015
#18 0x6c1871 in _or /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10046
#19 0x6c1e41 in assign /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10078
#20 0x6c2ff9 in expr /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10156
#21 0x6c4ab3 in ff_statement /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10365
#22 0x6c5b4f in ProcessNativeScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10513
#23 0x6c6536 in _CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10605
#24 0x6c675b in CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10642
#25 0x41fa8f in fontforge_main /root/afl_fuzz/project/test/fontforge/fontforgeexe/startnoui.c:113
#26 0x41f705 in main /root/afl_fuzz/project/test/fontforge/fontforgeexe/main.c:39
#27 0x7f8da1daa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#28 0x41f618 in _start (/root/afl_fuzz/project/test/fontforge/fontforgeexe/fontforge+0x41f618)
Address 0x7ffee637ea32 is located in stack of thread T0 at offset 82 in frame
#0 0x525426 in readcffthing /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2783
This frame has 1 object(s):
[32, 82) 'buffer' <== Memory access at offset 82 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2779 addnibble
Shadow bytes around the buggy address:
0x10005cc67cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc67d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc67d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc67d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc67d30: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10005cc67d40: 00 00 00 00 00 00[02]f4 f3 f3 f3 f3 00 00 00 00
0x10005cc67d50: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10005cc67d60: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
0x10005cc67d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc67d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc67d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21282==ABORTING