
assertion failure in stbtt__cff_int in stb_truetype.h #864

Closed
sleicasper opened this issue Jan 6, 2020 · 2 comments

Comments

@sleicasper

An assertion failure in stbtt__cff_int can be triggered by a user-supplied font file.

source

poc:
poc.zip

result:

#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2  0x00007ffff6e3339a in __assert_fail_base (fmt=0x7ffff6fba7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x505b00 <.str> "0", file=file@entry=0x505b40 <.str> "./SRC/stb_truetype.h",
    line=line@entry=0x49c,
    function=function@entry=0x5063c0 <__PRETTY_FUNCTION__.stbtt__cff_int> "stbtt_uint32 stbtt__cff_int(stbtt__buf *)")
    at assert.c:92
#3  0x00007ffff6e33412 in __GI___assert_fail (assertion=0x505b00 <.str> "0",
    file=0x505b40 <.str> "./SRC/stb_truetype.h", line=0x49c,
    function=0x5063c0 <__PRETTY_FUNCTION__.stbtt__cff_int> "stbtt_uint32 stbtt__cff_int(stbtt__buf *)")
    at assert.c:101
#4  0x00000000004e7c73 in stbtt__cff_int (b=0x7fffffffd980) at ./SRC/stb_truetype.h:1180
#5  0x00000000004ea9e6 in stbtt__cff_skip_operand (b=0x7fffffffd980) at ./SRC/stb_truetype.h:1195
#6  0x00000000004ea430 in stbtt__dict_get (b=0x7fffffffd980, key=0x11) at ./SRC/stb_truetype.h:1205
#7  0x00000000004e9bc3 in stbtt__dict_get_ints (b=0x7fffffffd980, key=0x11, outcount=0x1, out=0x7fffffffd9d0)
    at ./SRC/stb_truetype.h:1217
#8  0x00000000004e0924 in stbtt_InitFont_internal (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", fontstart=0x0)
    at ./SRC/stb_truetype.h:1386
#9  0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", offset=0x0)
    at ./SRC/stb_truetype.h:4771
#10 0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe458) at ../fuzzsrc/ttfuzz.c:29
#11 0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe458,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe448)
    at ../csu/libc-start.c:310
#12 0x000000000041ad4a in _start ()
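The frame at stb_truetype.h:1180 in the trace above is the operand decoder hitting a byte that matches none of the CFF DICT integer encodings. As an added example that is not code from this issue or from stb_truetype, here is a checked decoder for those same encodings that reports an error code instead of asserting, so an application parsing untrusted fonts can reject the file rather than abort; all names in it (cff_buf, cff_int_checked, CFF_*) are this example's own.

```c
/* Added example, not stb_truetype's own code: a checked decoder for the CFF
 * DICT integer-operand encodings that stbtt__cff_int parses. Where the library
 * hits STBTT_assert(0) on a byte that is not an integer-operand prefix, this
 * returns an error so a caller can reject an untrusted font instead of aborting.
 * All names (cff_buf, cff_int_checked, CFF_*) are this example's own. */
#include <stdint.h>
#include <stddef.h>

typedef struct { const uint8_t *data; size_t size; size_t cursor; } cff_buf;
enum { CFF_OK = 0, CFF_ERR_TRUNCATED = -1, CFF_ERR_BAD_OPERAND = -2 };

/* Read one byte, failing at end of buffer rather than reading past it. */
static int cff_get8(cff_buf *b, uint8_t *out) {
    if (b->cursor >= b->size) return CFF_ERR_TRUNCATED;
    *out = b->data[b->cursor++];
    return CFF_OK;
}

/* Big-endian read of n bytes into *v, for the 28 (int16) and 29 (int32) forms. */
static int cff_getn(cff_buf *b, int n, uint32_t *v) {
    uint8_t c;
    for (*v = 0; n > 0; n--) {
        int rc = cff_get8(b, &c);
        if (rc != CFF_OK) return rc;
        *v = (*v << 8) | c;
    }
    return CFF_OK;
}

/* Decode one integer operand. Returns CFF_OK with the value in *out, or a
 * negative error; the cursor stays where the failure was detected. */
int cff_int_checked(cff_buf *b, int32_t *out) {
    uint8_t b0, b1; uint32_t v;
    int rc = cff_get8(b, &b0);
    if (rc != CFF_OK) return rc;
    if (b0 >= 32 && b0 <= 246) { *out = (int32_t)b0 - 139; return CFF_OK; }
    if (b0 >= 247 && b0 <= 254) {                       /* two-byte forms */
        if ((rc = cff_get8(b, &b1)) != CFF_OK) return rc;
        *out = b0 <= 250 ? ((int32_t)b0 - 247) * 256 + b1 + 108
                         : -((int32_t)b0 - 251) * 256 - b1 - 108;
        return CFF_OK;
    }
    if (b0 == 28) { if ((rc = cff_getn(b, 2, &v)) != CFF_OK) return rc; *out = (int16_t)v; return CFF_OK; }
    if (b0 == 29) { if ((rc = cff_getn(b, 4, &v)) != CFF_OK) return rc; *out = (int32_t)v; return CFF_OK; }
    /* 0..21 are operators, 30 is a real-number operand, and 22..27, 31, 255 are
     * reserved: none is an integer operand, so report instead of asserting. */
    return CFF_ERR_BAD_OPERAND;
}
```

A caller that loops over a DICT with this decoder can treat either error code as "malformed font" and stop, which is the behaviour the assertion in the trace stands in for.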
@carnil

carnil commented Jan 10, 2020

CVE-2020-6617 was assigned for this issue.

@nothings
Owner

nothings commented Jul 4, 2021

The documentation for the library was modified in 2020 to make clear it is intentionally insecure, and fixing issues like this is out of scope.

@nothings nothings closed this as completed Jul 4, 2021