Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information. Update documentation to reference seeds directory. Jan 19, 2018
oom-9d24534a23b3ce397f21f62fb23ba9c5e9213107 first real commit Oct 7, 2016

Finds a multi-byte-write-heap-buffer-overflow bug in Woff2

Time to find: < 20 minutes, requires the seed corpus (downloaded as seeds dir). Reproducer provided.

ERROR: AddressSanitizer: heap-buffer-overflow
WRITE of size 6707 at 0x62300000534d thread T0
    #0 0x4a95d3 in __asan_memcpy
    #1 0x62fa5c in woff2::Buffer::Read(unsigned char*, unsigned long) src/./buffer.h:86:7
    #2 0x62fa5c in woff2::(anonymous namespace)::ReconstructGlyf src/
    #3 0x62fa5c in woff2::(anonymous namespace)::ReconstructFont src/
    #4 0x62fa5c in woff2::ConvertWOFF2ToTTF src/

Also hits OOMs. Time to find < 1 minute, with an empty corpus. Reproducer provided.

==30135== ERROR: libFuzzer: out-of-memory (used: 2349Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>

   Live Heap Allocations: 3749936468 bytes from 2254 allocations; showing top 95%
   3747609600 byte(s) (99%) in 1 allocation(s)
   #6 0x62e8f6 in woff2::ConvertWOFF2ToTTF src/
   #7 0x660731 in LLVMFuzzerTestOneInput FTS/woff2-2016-05-06/
You can’t perform that action at this time.