
NULL pointer dereference in the dumpcffnames() function #4090

Closed
fcambus opened this issue Jan 6, 2020 · 0 comments

@fcambus fcambus commented Jan 6, 2020

Hi,

While fuzzing FontForge with AFL, I found a NULL pointer dereference in the dumpcffnames() function, in tottf.c.

Attaching a reproducer (gzipped so GitHub accepts it): test06.sfd.gz

The issue can be reproduced in FontForge 20190801 and with the latest Git master by running:

fontforge -lang ff -c 'Open("test06.sfd"); Generate("test06.otf")'

=================================================================
==14023==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5624395ba5 bp 0x7ffda6285000 sp 0x7ffda6284778 T0)
==14023==The signal is caused by a READ memory access.
==14023==Hint: address points to the zero page.
    #0 0x7f5624395ba4  (/lib/x86_64-linux-gnu/libc.so.6+0x18bba4)
    #1 0x7f5624f8b8fb  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x678fb)
    #2 0x7f56233f3a1b in dumpcffnames /home/fcambus/fontforge-20190801/fontforge/tottf.c:1795
    #3 0x7f56233ffb50 in dumptype2glyphs /home/fcambus/fontforge-20190801/fontforge/tottf.c:2634
    #4 0x7f562342907c in initTables /home/fcambus/fontforge-20190801/fontforge/tottf.c:5750
    #5 0x7f562342d475 in _WriteTTFFont /home/fcambus/fontforge-20190801/fontforge/tottf.c:6143
    #6 0x7f562342d611 in WriteTTFFont /home/fcambus/fontforge-20190801/fontforge/tottf.c:6171
    #7 0x7f5622fe00b4 in _DoSave /home/fcambus/fontforge-20190801/fontforge/savefont.c:845
    #8 0x7f5622fe2f7b in GenerateScript /home/fcambus/fontforge-20190801/fontforge/savefont.c:1269
    #9 0x7f5622ff99c4 in bGenerate /home/fcambus/fontforge-20190801/fontforge/scripting.c:2061
    #10 0x7f56230576bb in docall /home/fcambus/fontforge-20190801/fontforge/scripting.c:9632
    #11 0x7f562305855e in handlename /home/fcambus/fontforge-20190801/fontforge/scripting.c:9745
    #12 0x7f562305c8d0 in term /home/fcambus/fontforge-20190801/fontforge/scripting.c:9983
    #13 0x7f562305e1de in mul /home/fcambus/fontforge-20190801/fontforge/scripting.c:10128
    #14 0x7f562305eade in add /home/fcambus/fontforge-20190801/fontforge/scripting.c:10174
    #15 0x7f562305f9e7 in comp /home/fcambus/fontforge-20190801/fontforge/scripting.c:10249
    #16 0x7f562306044d in _and /home/fcambus/fontforge-20190801/fontforge/scripting.c:10293
    #17 0x7f5623060a79 in _or /home/fcambus/fontforge-20190801/fontforge/scripting.c:10325
    #18 0x7f5623061167 in assign /home/fcambus/fontforge-20190801/fontforge/scripting.c:10358
    #19 0x7f562306284f in expr /home/fcambus/fontforge-20190801/fontforge/scripting.c:10436
    #20 0x7f56230644de in ff_statement /home/fcambus/fontforge-20190801/fontforge/scripting.c:10649
    #21 0x7f5623065b92 in ProcessNativeScript /home/fcambus/fontforge-20190801/fontforge/scripting.c:10796
    #22 0x7f562306659f in _CheckIsScript /home/fcambus/fontforge-20190801/fontforge/scripting.c:10894
    #23 0x7f5623066881 in CheckIsScript /home/fcambus/fontforge-20190801/fontforge/scripting.c:10927
    #24 0x7f5624ba3be7 in fontforge_main /home/fcambus/fontforge-20190801/fontforgeexe/startui.c:1099
    #25 0x55e7ce3881ec in main /home/fcambus/fontforge-20190801/fontforgeexe/main.c:33
    #26 0x7f56242311e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
    #27 0x55e7ce38810d in _start (/home/fcambus/fontforge-20190801/fontforgeexe/.libs/fontforge+0x110d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18bba4) 
==14023==ABORTING
skef pushed a commit to skef/fontforge that referenced this issue Jan 6, 2020
…ta() function

Fix for fontforge#4086 NULL pointer dereference in the SFDGetSpiros() function
Fix for fontforge#4088 NULL pointer dereference in the SFD_AssignLookups() function
Add empty sf->fontname string if it isn't set, fixing fontforge#4089 fontforge#4090 and many
  other potential issues (many downstream calls to strlen() on the value).
@skef skef mentioned this issue Jan 6, 2020
ctrlcctrlv added a commit that referenced this issue Jan 6, 2020
…tion

Fix for #4086 NULL pointer dereference in the SFDGetSpiros() function
Fix for #4088 NULL pointer dereference in the SFD_AssignLookups() function
Add empty sf->fontname string if it isn't set, fixing #4089 #4090 and many
  other potential issues (many downstream calls to strlen() on the value).
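The commit message above names the root cause: an unset sf->fontname that reaches strlen() in dumpcffnames(). The following is an added example, not FontForge code, that models the same defect with a hypothetical stand-in struct and loader and compares the pre-fix NULL field with the commit's empty-string default; the .sfd fragments are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for FontForge's SplineFont; only the field at issue. */
typedef struct {
    char *fontname;   /* stays NULL when the .sfd carries no "FontName:" line */
} SplineFont;

/* Constructed inputs: a normal header and one whose FontName line is missing,
   the shape of input a fuzzer can produce. */
static const char *GOOD_SFD = "SplineFontDB: 3.0\nFontName: TestFont\n";
static const char *BAD_SFD  = "SplineFontDB: 3.0\nFamilyName: Test\n";

static char *dup_range(const char *s, size_t n) {
    char *out = malloc(n + 1);
    if (out) { memcpy(out, s, n); out[n] = '\0'; }
    return out;
}

/* Minimal loader: fills sf->fontname from a "FontName: " line, else leaves it NULL.
   With apply_fix set, mirrors the referenced commit by substituting "" when unset. */
static void load_fontname(const char *sfd, SplineFont *sf, int apply_fix) {
    sf->fontname = NULL;
    for (const char *p = sfd; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 10 && memcmp(p, "FontName: ", 10) == 0)
            sf->fontname = dup_range(p + 10, len - 10);
        p = eol ? eol + 1 : p + len;
    }
    if (apply_fix && sf->fontname == NULL)
        sf->fontname = dup_range("", 0);
}

/* Stand-in for the strlen(sf->fontname) use in dumpcffnames(). The real code has
   no NULL guard and faults; here the would-be dereference is reported as -1 so
   the pre-fix and post-fix behaviours can be compared without crashing. */
long cff_fontname_len(const char *sfd, int apply_fix) {
    SplineFont sf;
    load_fontname(sfd, &sf, apply_fix);
    long n = sf.fontname ? (long)strlen(sf.fontname) : -1;
    free(sf.fontname);
    return n;
}
```

Defaulting the field at load time, as the commit does, is preferable to guarding each of the many downstream strlen() call sites individually.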