TrueType and OpenType font fuzzing toolset
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
images Initial commit Aug 14, 2018
truetype-generator Initial commit Aug 14, 2018
ttf-otf-mutator Initial commit Aug 14, 2018
ttf-otf-windows-loader Initial commit Aug 14, 2018 Initial commit Aug 14, 2018
LICENSE Initial commit Aug 14, 2018 Fix dash formatting Aug 14, 2018


BrokenType is a set of tools designed to test the robustness and security of font rasterization software, especially codebases prone to memory corruption issues (written in C/C++ and similar languages). It consists of three components:

The description and usage instructions of the utilities can be found in their corresponding READMEs.

The programs and scripts were successfully used in 2015-2017 to discover and report 20 vulnerabilities in the font rasterization code present in the Windows kernel (win32k.sys and atmfd.dll drivers), and further 19 security flaws in the user-mode Microsoft Uniscribe library. The fuzzing efforts were discussed in the following Google Project Zero blog posts:

and the "Reverse engineering and exploiting font rasterizers" talk given in September 2015 at the 44CON conference in London. The two most notable issues found by the tool were CVE-2015-2426 and CVE-2015-2455 - an OTF bug collision with an exploit found in the Hacking Team leak, and a TTF bug collision with KeenTeam's exploit for pwn2own 2015.


This is not an official Google product.