# fontforge -lang=ff -c 'Open($1)' ./poc/readcfftopdict-in-parsettf.c-negative-size-param.otf
Copyright (c) 2000-2014 by George Williams. See AUTHORS for Contributors.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
with many parts BSD <http://fontforge.org/license.html>. Please read LICENSE.
Based on sources from 09:14 UTC 13-Jun-2017-D.
Based on source from git with hash: b8e5ff8f24955f4d7d59ac73c903cc088b21bdb6
Warning: Mac and Windows entries in the 'name' table differ for the
SubFamily string in the language English (US)
Mac String: Medium
Windows String: Regular
Warning: Mac and Windows entries in the 'name' table differ for the
Fullname string in the language English (US)
Mac String: CFF_Type-1_0x0d_expl Medium
Windows String: CFF_Type-1_0x0d_expl
FontForge does not support type2 multiple master fonts
=================================================================
==21354==ERROR: AddressSanitizer: negative-size-param: (size=-24)
#0 0x7f60178789a1 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
#1 0x5284b5 in readcfftopdict /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3121
#2 0x52ae2a in readcfftopdicts /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3323
#3 0x532df4 in readcffglyphs /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3934
#4 0x54687c in readttf /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:5527
#5 0x552652 in _SFReadTTF /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:6266
#6 0x7e8756 in _ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1114
#7 0x7ea217 in ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1285
#8 0x7ea675 in LoadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1343
#9 0x660df3 in bOpen /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:1854
#10 0x6b967e in docall /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9352
#11 0x6b9f99 in handlename /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9463
#12 0x6be15f in term /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9707
#13 0x6bf96f in mul /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9852
#14 0x6bffcf in add /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9897
#15 0x6c0b1b in comp /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9972
#16 0x6c1338 in _and /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10015
#17 0x6c1871 in _or /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10046
#18 0x6c1e41 in assign /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10078
#19 0x6c2ff9 in expr /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10156
#20 0x6c4ab3 in ff_statement /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10365
#21 0x6c5b4f in ProcessNativeScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10513
#22 0x6c6536 in _CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10605
#23 0x6c675b in CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10642
#24 0x41fa8f in fontforge_main /root/afl_fuzz/project/test/fontforge/fontforgeexe/startnoui.c:113
#25 0x41f705 in main /root/afl_fuzz/project/test/fontforge/fontforgeexe/main.c:39
#26 0x7f601489682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#27 0x41f618 in _start (/root/afl_fuzz/project/test/fontforge/fontforgeexe/fontforge+0x41f618)
Address 0x7ffd780cc578 is located in stack of thread T0 at offset 168 in frame
#0 0x526998 in readcfftopdict /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2999
This frame has 3 object(s):
[32, 36) 'ival'
[96, 100) 'oval'
[160, 560) 'stack'<== Memory access at offset 168 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==21354==ABORTING
Testcase:
https://github.com/gnehsoah/poc/blob/master/fontforge/readcfftopdict-in-parsettf.c-negative-size-param.otf
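As an added illustration of the failure mode this report shows, not FontForge's code and not the reporter's: a toy CFF DICT operand parser in C with the same fixed 50-double (400-byte) operand stack that the ASan frame lists as 'stack'. `unchecked_copy_size` reproduces the arithmetic behind a negative-size-param, a signed `sp - n` that goes negative when the file asks for more operands than were pushed and then reaches memcpy as a huge size_t (ASan prints it as a negative size; with sp=2 and n=5 the constructed inputs give -24, the same value as in the report, purely by construction). `collect_checked` is the hardened form that validates the count before any copy. The operator byte 22 (`OP_COLLECT`), its "collect n operands" semantics and the two input byte strings are constructed assumptions; the integer operand encodings follow the CFF specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_MAX 50   /* 50 doubles = 400 bytes, the size of the 'stack' object in the ASan frame */
#define OP_COLLECT 22  /* hypothetical operator (byte 22 is reserved in the CFF spec): pops a
                          count n, then collects the n operands below it */

typedef struct {
    double stack[STACK_MAX];     /* fixed operand stack, as in a CFF DICT parser */
    int sp;                      /* operands currently on the stack */
    double collected[STACK_MAX]; /* where OP_COLLECT copies its operands */
    int ncollected;
} dict_state;

/* The arithmetic behind a negative-size-param: (sp - n) is a signed int that goes
 * negative when the file asks for more operands than were pushed, and that negative
 * value becomes a huge size_t on its way into memcpy. Only the byte count is computed
 * here; it is never handed to memcpy, so this program does not crash. */
static size_t unchecked_copy_size(int sp, int n) {
    return (size_t)((sp - n) * (int)sizeof(double));
}

static int push_operand(dict_state *st, double v) {
    if (st->sp >= STACK_MAX) return -1;   /* would overflow the fixed stack */
    st->stack[st->sp++] = v;
    return 0;
}

/* Hardened collect: the count must be a non-negative integer no larger than the
 * operands still on the stack before any memcpy happens. Returns n, or -1 on bad input. */
static int collect_checked(dict_state *st) {
    if (st->sp < 1) return -1;
    double d = st->stack[--st->sp];
    if (d < 0 || d > STACK_MAX) return -1;
    int n = (int)d;
    if (n > st->sp) return -1;
    memcpy(st->collected, &st->stack[st->sp - n], (size_t)n * sizeof(double));
    st->ncollected = n;
    st->sp -= n;
    return n;
}

/* Decode the integer operand encodings of a CFF DICT (CFF spec, "DICT Data") and
 * dispatch operators. Returns 0 on success, -1 on any malformed input. */
static int parse_dict(const uint8_t *p, size_t len, dict_state *st) {
    size_t i = 0;
    memset(st, 0, sizeof *st);
    while (i < len) {
        uint8_t b0 = p[i++];
        int32_t v;
        if (b0 <= 21 || b0 == OP_COLLECT) {                 /* operator byte */
            if (b0 == 12) { if (i >= len) return -1; i++; } /* escaped two-byte operator: skip */
            if (b0 == OP_COLLECT) { if (collect_checked(st) < 0) return -1; }
            else st->sp = 0;                                /* other operators consume their operands */
            continue;
        }
        if (b0 >= 32 && b0 <= 246) {
            v = (int32_t)b0 - 139;
        } else if (b0 >= 247 && b0 <= 250) {
            if (i >= len) return -1;
            v = ((int32_t)b0 - 247) * 256 + p[i++] + 108;
        } else if (b0 >= 251 && b0 <= 254) {
            if (i >= len) return -1;
            v = -((int32_t)b0 - 251) * 256 - p[i++] - 108;
        } else if (b0 == 28) {
            if (i + 2 > len) return -1;
            v = (int16_t)((p[i] << 8) | p[i + 1]);
            i += 2;
        } else if (b0 == 29) {
            if (i + 4 > len) return -1;
            v = (int32_t)(((uint32_t)p[i] << 24) | ((uint32_t)p[i + 1] << 16) |
                          ((uint32_t)p[i + 2] << 8) | p[i + 3]);
            i += 4;
        } else {
            return -1;                                      /* 30 (real), 31, 255: not handled here */
        }
        if (push_operand(st, (double)v) < 0) return -1;
    }
    return 0;
}

/* Constructed inputs: a well-formed DICT, and one whose count exceeds the operands pushed. */
static const uint8_t GOOD_DICT[] = { 140, 141, 142, 142, OP_COLLECT };  /* 1 2 3, n=3, collect */
static const uint8_t BAD_DICT[]  = { 140, 141, 144, OP_COLLECT };       /* 1 2,   n=5, collect */

int main(void) {
    dict_state st;
    printf("good: %d (collected %d operands)\n",
           parse_dict(GOOD_DICT, sizeof GOOD_DICT, &st), st.ncollected);
    printf("bad:  %d (rejected before memcpy)\n", parse_dict(BAD_DICT, sizeof BAD_DICT, &st));
    printf("unchecked memcpy size for sp=2, n=5: %#zx\n", unchecked_copy_size(2, 5));
    return 0;
}
```

The unchecked size for the bad input is 0xffffffffffffffe8, which ASan reports as size=-24 because it interprets the memcpy length as a signed value; the checked parser returns -1 for the same bytes without touching memory.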