assertion failure in stbtt__buf_seek can be triggered by user supplied font file.
poc: poc.zip
result:

```
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2  0x00007ffff6e3339a in __assert_fail_base (fmt=0x7ffff6fba7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x5060e0 <.str> "!(o > b->size || o < 0)", file=file@entry=0x505b40 <.str> "./SRC/stb_truetype.h", line=line@entry=0x45d, function=function@entry=0x506120 <__PRETTY_FUNCTION__.stbtt__buf_seek> "void stbtt__buf_seek(stbtt__buf *, int)") at assert.c:92
#3  0x00007ffff6e33412 in __GI___assert_fail (assertion=0x5060e0 <.str> "!(o > b->size || o < 0)", file=0x505b40 <.str> "./SRC/stb_truetype.h", line=0x45d, function=0x506120 <__PRETTY_FUNCTION__.stbtt__buf_seek> "void stbtt__buf_seek(stbtt__buf *, int)") at assert.c:101
#4  0x00000000004e7d2f in stbtt__buf_seek (b=0x7fffffffd960, o=0xffffff80) at ./SRC/stb_truetype.h:1117
#5  0x00000000004e1078 in stbtt_InitFont_internal (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", fontstart=0x0) at ./SRC/stb_truetype.h:1404
#6  0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", offset=0x0) at ./SRC/stb_truetype.h:4771
#7  0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe458) at ../fuzzsrc/ttfuzz.c:29
#8  0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe458, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe448) at ../csu/libc-start.c:310
#9  0x000000000041ad4a in _start ()
```
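The backtrace shows `stbtt__buf_seek` receiving `o=0xffffff80`, which as an `int` is -128, and the assertion `!(o > b->size || o < 0)` firing on it. The following is an added example, not part of this issue and not stb_truetype's own code: a small bounded-buffer model whose seek reports an out-of-range offset as a failure instead of asserting, and an offset reader that keeps the raw 32-bit field value and checks it against the buffer size before it is ever narrowed to a signed type. Every name in it (`ex_buf`, `ex_buf_seek`, `ex_read_u32be`, `ex_follow_offset32`, `ex_try_offset`) is hypothetical, and the 16-byte sample buffer is constructed for the demonstration.

```c
/* Added example, not stb_truetype's code: a seek that reports an out-of-range
 * offset as a failure instead of asserting, and an offset reader that checks
 * the raw 32-bit value against the buffer size before narrowing it.
 * All names here (ex_buf, ex_buf_seek, ...) are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const unsigned char *data;
    size_t cursor;
    size_t size;
} ex_buf;

/* Move the cursor to o. Returns 1 on success; returns 0 and leaves the
 * cursor untouched if o is negative or past the end of the buffer.
 * This mirrors the library's assert condition !(o > b->size || o < 0),
 * but as a recoverable status instead of an abort. Seeking exactly to
 * size (end of buffer) is allowed, as in the library. */
int ex_buf_seek(ex_buf *b, long long o)
{
    if (o < 0 || (unsigned long long)o > b->size)
        return 0;
    b->cursor = (size_t)o;
    return 1;
}

/* Read a big-endian uint32 at the cursor into *out. Returns 0 if fewer than
 * four bytes remain. The value stays a uint32_t; it is never narrowed to int. */
int ex_read_u32be(ex_buf *b, uint32_t *out)
{
    if (b->size - b->cursor < 4)
        return 0;
    const unsigned char *p = b->data + b->cursor;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    b->cursor += 4;
    return 1;
}

/* Read a 32-bit offset field and seek to it. Returns 1 on success, 0 if the
 * field is unreadable or the offset lies outside the buffer. The raw field
 * value is stored in *raw_out (if non-NULL) even when the seek is rejected. */
int ex_follow_offset32(ex_buf *b, uint32_t *raw_out)
{
    uint32_t raw;
    if (!ex_read_u32be(b, &raw))
        return 0;
    if (raw_out)
        *raw_out = raw;
    /* Passing the widened value means 0xffffff80 is compared as 4294967168,
     * not as the -128 that (int)raw yields on two's-complement targets. */
    return ex_buf_seek(b, (long long)raw);
}

/* Run one 4-byte offset field through ex_follow_offset32 against a
 * constructed 16-byte buffer (the field itself plus 12 bytes of padding,
 * so valid offsets are 0..16 inclusive). Returns the cursor position after
 * the seek, or -1 if the seek was rejected. */
long ex_try_offset(const unsigned char field[4])
{
    unsigned char sample[16] = {0};   /* constructed sample buffer */
    for (int i = 0; i < 4; i++)
        sample[i] = field[i];
    ex_buf b = { sample, 0, sizeof sample };
    uint32_t raw = 0;
    if (!ex_follow_offset32(&b, &raw))
        return -1;
    return (long)b.cursor;
}

int main(void)
{
    const unsigned char bad[4]  = {0xff, 0xff, 0xff, 0x80}; /* the value in the report */
    const unsigned char big[4]  = {0x00, 0x00, 0x01, 0x00}; /* 256: past the end */
    const unsigned char good[4] = {0x00, 0x00, 0x00, 0x08}; /* 8: inside the buffer */
    printf("0xffffff80 -> %ld\n", ex_try_offset(bad));  /* -1: rejected */
    printf("256        -> %ld\n", ex_try_offset(big));  /* -1: rejected */
    printf("8          -> %ld\n", ex_try_offset(good)); /* 8 */
    return 0;
}
```

The point of keeping the field as `uint32_t` until after the range check is that the check then rejects both a value that would wrap negative after narrowing (the `0xffffff80` in the trace) and a value that is simply larger than the buffer, with one comparison against `size`. Whether a library built around `STBTT_assert` can adopt this is a separate matter; as the maintainer's reply on this issue notes, hardening against untrusted input is outside stb_truetype's scope, so the check belongs in the caller that decides whether to hand a file to the library at all.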
CVE-2020-6619 was assigned for this issue.
The documentation for the library was modified in 2020 to make clear it is intentionally insecure, and fixing issues like this is out of scope.