Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/image/font/sfnt: Parse panics on invalid TTF input #48006

Closed
antong opened this issue Aug 27, 2021 · 4 comments
Closed

x/image/font/sfnt: Parse panics on invalid TTF input #48006

antong opened this issue Aug 27, 2021 · 4 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@antong
Copy link
Contributor

antong commented Aug 27, 2021

What version of Go are you using (go version)?

1.17

Does this issue reproduce with the latest release?

1.17 is the latest release at the moment

What operating system and processor architecture are you using (go env)?

Playground and also amd64/windows.

What did you do?

https://play.golang.org/p/Bs1KSzb7tpB

package main

import "golang.org/x/image/font/sfnt"

func main() {
	sfnt.Parse(src)
}

// This is a minimized version (x glyph only) of a fuzzed goregular.ttf.
var src = []byte{ /* see https://play.golang.org/p/Bs1KSzb7tpB */ }

What did you expect to see?

No output, no panic.

What did you see instead?

panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
golang.org/x/image/font/sfnt.u16(...)
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/sfnt.go:200
golang.org/x/image/font/sfnt.(*glyfIter).nextPoint(0x38)
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/truetype.go:554 +0x21f
golang.org/x/image/font/sfnt.(*glyfIter).nextSegment(0xc000093b80)
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/truetype.go:446 +0x36
golang.org/x/image/font/sfnt.loadGlyf(0xc0000c4000, 0xc0000c4000, 0x7f30, 0x7f09, 0x0)
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/truetype.go:161 +0x3ab
golang.org/x/image/font/sfnt.(*Font).LoadGlyph(0xc0000c0000, 0x7f0976897ea8, 0x1, 0x800, 0x600)
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/sfnt.go:1434 +0x1c5
golang.org/x/image/font/sfnt.(*Font).glyphTopOS2(0xc0000c0000, 0x4, 0x10c4, 0x0)
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/sfnt.go:1190 +0xb3
golang.org/x/image/font/sfnt.(*Font).initOS2Version1(0xc0000c0000)
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/sfnt.go:1210 +0x4e
golang.org/x/image/font/sfnt.(*Font).initialize(0xc0000c0000, 0xc000093f70, 0x79)
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/sfnt.go:748 +0x565
golang.org/x/image/font/sfnt.Parse({0x545f40, 0x1294, 0x1294})
	/tmp/gopath1344140631/pkg/mod/golang.org/x/image@v0.0.0-20210628002857-a66eb6448b8d/font/sfnt/sfnt.go:543 +0x73
main.main()
	/tmp/sandbox2934683727/prog.go:6 +0x2e

Program exited: status 2.

I found this when playing with the fuzzing beta.

@gopherbot gopherbot added this to the Unreleased milestone Aug 27, 2021
@antong
Copy link
Contributor Author

antong commented Aug 27, 2021

cc owner @nigeltao

@toothrot toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 27, 2021
@antong
Copy link
Contributor Author

antong commented Oct 15, 2021

I'd guess it is uncommon to parse untrusted fonts, or this could be a security issue.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/358994 mentions this issue: font/sfnt: verify the total number of contour points

@nigeltao
Copy link
Contributor

Thanks for the bug report and repro. Sorry for the slow reply. Some COVID stuff has impacted my working hours in recent months.

This could indeed be a security issue, but I also suspect that it's uncommon to parse untrusted fonts.

@golang golang locked and limited conversation to collaborators Oct 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Development

No branches or pull requests

4 participants