Skip to content

negative size param in readcfftopdict (parsettf.c) #3091

Closed
@fatal0

Description

@fatal0
# fontforge -lang=ff -c 'Open($1)' ./poc/readcfftopdict-in-parsettf.c-negative-size-param.otf 
Copyright (c) 2000-2014 by George Williams. See AUTHORS for Contributors.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 with many parts BSD <http://fontforge.org/license.html>. Please read LICENSE.
 Based on sources from 09:14 UTC 13-Jun-2017-D.
 Based on source from git with hash: b8e5ff8f24955f4d7d59ac73c903cc088b21bdb6
Warning: Mac and Windows entries in the 'name' table differ for the
 SubFamily string in the language English (US)
 Mac String: Medium
Windows String: Regular
Warning: Mac and Windows entries in the 'name' table differ for the
 Fullname string in the language English (US)
 Mac String: CFF_Type-1_0x0d_expl Medium
Windows String: CFF_Type-1_0x0d_expl
FontForge does not support type2 multiple master fonts
=================================================================
==21354==ERROR: AddressSanitizer: negative-size-param: (size=-24)
    #0 0x7f60178789a1 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
    #1 0x5284b5 in readcfftopdict /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3121
    #2 0x52ae2a in readcfftopdicts /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3323
    #3 0x532df4 in readcffglyphs /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:3934
    #4 0x54687c in readttf /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:5527
    #5 0x552652 in _SFReadTTF /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:6266
    #6 0x7e8756 in _ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1114
    #7 0x7ea217 in ReadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1285
    #8 0x7ea675 in LoadSplineFont /root/afl_fuzz/project/test/fontforge/fontforge/splinefont.c:1343
    #9 0x660df3 in bOpen /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:1854
    #10 0x6b967e in docall /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9352
    #11 0x6b9f99 in handlename /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9463
    #12 0x6be15f in term /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9707
    #13 0x6bf96f in mul /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9852
    #14 0x6bffcf in add /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9897
    #15 0x6c0b1b in comp /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:9972
    #16 0x6c1338 in _and /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10015
    #17 0x6c1871 in _or /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10046
    #18 0x6c1e41 in assign /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10078
    #19 0x6c2ff9 in expr /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10156
    #20 0x6c4ab3 in ff_statement /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10365
    #21 0x6c5b4f in ProcessNativeScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10513
    #22 0x6c6536 in _CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10605
    #23 0x6c675b in CheckIsScript /root/afl_fuzz/project/test/fontforge/fontforge/scripting.c:10642
    #24 0x41fa8f in fontforge_main /root/afl_fuzz/project/test/fontforge/fontforgeexe/startnoui.c:113
    #25 0x41f705 in main /root/afl_fuzz/project/test/fontforge/fontforgeexe/main.c:39
    #26 0x7f601489682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #27 0x41f618 in _start (/root/afl_fuzz/project/test/fontforge/fontforgeexe/fontforge+0x41f618)

Address 0x7ffd780cc578 is located in stack of thread T0 at offset 168 in frame
    #0 0x526998 in readcfftopdict /root/afl_fuzz/project/test/fontforge/fontforge/parsettf.c:2999

  This frame has 3 object(s):
    [32, 36) 'ival'
    [96, 100) 'oval'
    [160, 560) 'stack' <== Memory access at offset 168 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==21354==ABORTING

Testcase:
https://github.com/gnehsoah/poc/blob/master/fontforge/readcfftopdict-in-parsettf.c-negative-size-param.otf

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions