# fontforge -lang=ff -c 'Open($1)' ./poc/readcffset-in-parsettf.c-heap-buffer-overflow.otf
Copyright (c) 2000-2014 by George Williams. See AUTHORS for Contributors.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
with many parts BSD <http://fontforge.org/license.html>. Please read LICENSE.
Based on sources from 09:14 UTC 13-Jun-2017-D.
Based on source from git with hash: b8e5ff8f24955f4d7d59ac73c903cc088b21bdb6
Warning: Mac and Windows entries in the 'name' table differ for the
SubFamily string in the language English (US)
Mac String: Medium
Windows String: Regular
Warning: Mac and Windows entries in the 'name' table differ for the
Fullname string in the language English (US)
Mac String: CFF_Type-1_0x0d_expl Medium
Windows String: CFF_Type-1_0x0d_expl
Bad subroutine INDEX in cff font.
=================================================================
==21340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000e380 at pc 0x00000052d800 bp 0x7ffc0cc589a0 sp 0x7ffc0cc58990
WRITE of size 2 at 0x61500000e380 thread T0
#0 0x52d7ff in readcffset /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3523
#1 0x53319d in readcffglyphs /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3946
#2 0x54687c in readttf /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:5527
#3 0x552652 in _SFReadTTF /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:6266
#4 0x7e8756 in _ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1114
#5 0x7ea217 in ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1285
#6 0x7ea675 in LoadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1343
#7 0x660df3 in bOpen /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:1854
#8 0x6b967e in docall /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9352
#9 0x6b9f99 in handlename /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9463
#10 0x6be15f in term /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9707
#11 0x6bf96f in mul /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9852
#12 0x6bffcf in add /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9897
#13 0x6c0b1b in comp /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9972
#14 0x6c1338 in _and /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10015
#15 0x6c1871 in _or /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10046
#16 0x6c1e41 in assign /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10078
#17 0x6c2ff9 in expr /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10156
#18 0x6c4ab3 in ff_statement /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10365
#19 0x6c5b4f in ProcessNativeScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10513
#20 0x6c6536 in _CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10605
#21 0x6c675b in CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10642
#22 0x41fa8f in fontforge_main /root/afl_fuzz/project/test/fontforge/fontforgeexe/startnoui.c:113
#23 0x41f705 in main /root/afl_fuzz/project/test/fontforge/fontforgeexe/main.c:39
#24 0x7fbfee4d682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#25 0x41f618 in _start (/root/afl_fuzz/project/test/fontforge/fontforgeexe/fontforge+0x41f618)
0x61500000e380 is located 0 bytes to the right of 512-byte region [0x61500000e180,0x61500000e380)
allocated by thread T0 here:
#0 0x7fbff14c4602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x52d4ec in readcffset /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3511
#2 0x53319d in readcffglyphs /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3946
#3 0x54687c in readttf /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:5527
#4 0x552652 in _SFReadTTF /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:6266
#5 0x7e8756 in _ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1114
#6 0x7ea217 in ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1285
#7 0x7ea675 in LoadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1343
#8 0x660df3 in bOpen /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:1854
#9 0x6b967e in docall /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9352
#10 0x6b9f99 in handlename /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9463
#11 0x6be15f in term /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9707
#12 0x6bf96f in mul /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9852
#13 0x6bffcf in add /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9897
#14 0x6c0b1b in comp /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9972
#15 0x6c1338 in _and /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10015
#16 0x6c1871 in _or /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10046
#17 0x6c1e41 in assign /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10078
#18 0x6c2ff9 in expr /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10156
#19 0x6c4ab3 in ff_statement /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10365
#20 0x6c5b4f in ProcessNativeScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10513
#21 0x6c6536 in _CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10605
#22 0x6c675b in CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10642
#23 0x41fa8f in fontforge_main /root/afl_fuzz/project/test/fontforge/fontforgeexe/startnoui.c:113
#24 0x41f705 in main /root/afl_fuzz/project/test/fontforge/fontforgeexe/main.c:39
#25 0x7fbfee4d682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3523 readcffset
Shadow bytes around the buggy address:
0x0c2a7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff9c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff9c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff9c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fff9c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9c70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fff9c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fff9c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fff9ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fff9cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21340==ABORTING
Testcase:
https://github.com/gnehsoah/poc/blob/master/fontforge/readcffset-in-parsettf.c-heap-buffer-overflow.otf