```
# fontforge -lang=ff -c 'Open($1)' ./poc/addnibble-in-parsettf.c-stack-buffer-overflow.otf
=================================================================
==21282==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee637ea32 at pc 0x00000052540e bp 0x7ffee637e970 sp 0x7ffee637e960
WRITE of size 1 at 0x7ffee637ea32 thread T0
    #0 0x52540d in addnibble /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2779
    #1 0x52561f in readcffthing /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2800
    #2 0x527161 in readcfftopdict /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3024
    #3 0x52ae2a in readcfftopdicts /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3323
    #4 0x532df4 in readcffglyphs /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3934
    #5 0x54687c in readttf /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:5527
    #6 0x552652 in _SFReadTTF /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:6266
    #7 0x7e8756 in _ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1114
    #8 0x7ea217 in ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1285
    #9 0x7ea675 in LoadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1343
    #10 0x660df3 in bOpen /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:1854
    #11 0x6b967e in docall /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9352
    #12 0x6b9f99 in handlename /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9463
    #13 0x6be15f in term /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9707
    #14 0x6bf96f in mul /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9852
    #15 0x6bffcf in add /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9897
    #16 0x6c0b1b in comp /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9972
    #17 0x6c1338 in _and /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10015
    #18 0x6c1871 in _or /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10046
    #19 0x6c1e41 in assign /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10078
    #20 0x6c2ff9 in expr /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10156
    #21 0x6c4ab3 in ff_statement /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10365
    #22 0x6c5b4f in ProcessNativeScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10513
    #23 0x6c6536 in _CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10605
    #24 0x6c675b in CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10642
    #25 0x41fa8f in fontforge_main /root/afl_fuzz/project/test/fontforge/fontforgeexe/startnoui.c:113
    #26 0x41f705 in main /root/afl_fuzz/project/test/fontforge/fontforgeexe/main.c:39
    #27 0x7f8da1daa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #28 0x41f618 in _start (/root/afl_fuzz/project/test/fontforge/fontforgeexe/fontforge+0x41f618)

Address 0x7ffee637ea32 is located in stack of thread T0 at offset 82 in frame
    #0 0x525426 in readcffthing /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2783

  This frame has 1 object(s):
    [32, 82) 'buffer' <== Memory access at offset 82 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2779 addnibble
Shadow bytes around the buggy address:
  0x10005cc67cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005cc67d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005cc67d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005cc67d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005cc67d30: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10005cc67d40: 00 00 00 00 00 00[02]f4 f3 f3 f3 f3 00 00 00 00
  0x10005cc67d50: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10005cc67d60: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x10005cc67d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005cc67d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005cc67d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==21282==ABORTING
```
Testcase: https://github.com/gnehsoah/poc/blob/master/fontforge/addnibble-in-parsettf.c-stack-buffer-overflow.otf
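The report above records a one-byte write past the end of the 50-byte stack array `buffer` in `readcffthing`, issued from `addnibble` while the CFF top DICT of the crafted font is parsed. What follows is an added example, not fontforge's code and not the fix from the referenced commits: a bounded decoder for CFF real-number operands (the packed-nibble encoding the CFF specification defines for operand type 30), in which every character appended to the destination is checked against its capacity, so an over-long operand is rejected with an error instead of overflowing the buffer. The function names, the constant `SAMPLE_REAL` and all sample operand bytes are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Decode a CFF DICT real-number operand (the nibbles following operator
 * byte 30) into a NUL-terminated ASCII string without ever writing past
 * the destination. Nibble meanings per the CFF specification:
 *   0-9 digit, 0xa '.', 0xb 'E', 0xc 'E-', 0xd reserved, 0xe '-', 0xf end.
 * Returns the number of characters written (excluding the NUL), or -1 if
 * the operand is malformed, unterminated, or would not fit in `cap` bytes.
 * This is an illustrative decoder, not fontforge's addnibble/readcffthing. */

static int append_text(char *out, size_t cap, size_t *len, const char *s) {
    size_t n = strlen(s);
    if (*len + n + 1 > cap)          /* +1 keeps room for the terminating NUL */
        return -1;                   /* refuse instead of overflowing */
    memcpy(out + *len, s, n);
    *len += n;
    out[*len] = '\0';
    return 0;
}

static int add_nibble(char *out, size_t cap, size_t *len, unsigned nib) {
    char digit[2] = { (char)('0' + nib), '\0' };
    switch (nib) {
        case 0xa: return append_text(out, cap, len, ".");
        case 0xb: return append_text(out, cap, len, "E");
        case 0xc: return append_text(out, cap, len, "E-");
        case 0xe: return append_text(out, cap, len, "-");
        case 0xd: return -1;         /* reserved nibble: malformed operand */
        default:  return append_text(out, cap, len, digit); /* 0-9 */
    }
}

int cff_decode_real(const uint8_t *src, size_t srclen, char *out, size_t cap) {
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < srclen; i++) {
        unsigned hi = src[i] >> 4, lo = src[i] & 0xf;
        if (hi == 0xf) return (int)len;              /* end-of-number marker */
        if (add_nibble(out, cap, &len, hi) < 0) return -1;
        if (lo == 0xf) return (int)len;
        if (add_nibble(out, cap, &len, lo) < 0) return -1;
    }
    return -1;                       /* input ended before the 0xf terminator */
}

/* Constructed sample operand (not taken from the test case font above):
 * nibbles e,2,a,2,5,c,3,f encode the text "-2.25E-3". */
static const uint8_t SAMPLE_REAL[] = { 0xe2, 0xa2, 0x5c, 0x3f };

/* Self-check helpers returning plain ints so they can be asserted on. */
int demo_sample_len(void) {
    char out[50];
    return cff_decode_real(SAMPLE_REAL, sizeof SAMPLE_REAL, out, sizeof out);
}
int demo_sample_matches(void) {
    char out[50];
    cff_decode_real(SAMPLE_REAL, sizeof SAMPLE_REAL, out, sizeof out);
    return strcmp(out, "-2.25E-3") == 0;
}
/* 60 digit nibbles then 0xff: would need 61 bytes, so a 50-byte buffer
 * (the size of 'buffer' in the report) must reject it rather than overflow. */
int demo_overlong_rejected(void) {
    uint8_t src[31]; char out[50];
    memset(src, 0x11, 30); src[30] = 0xff;
    return cff_decode_real(src, sizeof src, out, sizeof out);
}
int demo_overlong_fits(void) {       /* same operand, large enough buffer */
    uint8_t src[31]; char out[61];
    memset(src, 0x11, 30); src[30] = 0xff;
    return cff_decode_real(src, sizeof src, out, sizeof out);
}
int demo_unterminated(void) {        /* no 0xf nibble before input ends */
    uint8_t src[2] = { 0x12, 0x34 }; char out[50];
    return cff_decode_real(src, sizeof src, out, sizeof out);
}

int main(void) {
    char out[50];
    int n = cff_decode_real(SAMPLE_REAL, sizeof SAMPLE_REAL, out, sizeof out);
    printf("decoded %d chars: %s\n", n, out);
    printf("overlong operand into 50 bytes: %d\n", demo_overlong_rejected());
    return 0;
}
```

The capacity check lives in the single append routine, so every path that adds characters (digits, '.', 'E', 'E-', '-') is bounded by the same test; the two-character "E-" case is the one most easily missed when the check is done per nibble instead of per appended length.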
parsettf.c: Fix buffer overflow condition when reading CFF top dictio…
e5dc15e
…nary Closes #3087
5a0c652
b42a57c
…nary Closes fontforge#3087