assertion failure in stbtt__cff_int can be triggered by user supplied font file.
poc: poc.zip
result:
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2 0x00007ffff6e3339a in __assert_fail_base (fmt=0x7ffff6fba7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x505b00 <.str> "0", file=file@entry=0x505b40 <.str> "./SRC/stb_truetype.h", line=line@entry=0x49c, function=function@entry=0x5063c0 <__PRETTY_FUNCTION__.stbtt__cff_int> "stbtt_uint32 stbtt__cff_int(stbtt__buf *)") at assert.c:92
#3 0x00007ffff6e33412 in __GI___assert_fail (assertion=0x505b00 <.str> "0", file=0x505b40 <.str> "./SRC/stb_truetype.h", line=0x49c, function=0x5063c0 <__PRETTY_FUNCTION__.stbtt__cff_int> "stbtt_uint32 stbtt__cff_int(stbtt__buf *)") at assert.c:101
#4 0x00000000004e7c73 in stbtt__cff_int (b=0x7fffffffd980) at ./SRC/stb_truetype.h:1180
#5 0x00000000004ea9e6 in stbtt__cff_skip_operand (b=0x7fffffffd980) at ./SRC/stb_truetype.h:1195
#6 0x00000000004ea430 in stbtt__dict_get (b=0x7fffffffd980, key=0x11) at ./SRC/stb_truetype.h:1205
#7 0x00000000004e9bc3 in stbtt__dict_get_ints (b=0x7fffffffd980, key=0x11, outcount=0x1, out=0x7fffffffd9d0) at ./SRC/stb_truetype.h:1217
#8 0x00000000004e0924 in stbtt_InitFont_internal (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", fontstart=0x0) at ./SRC/stb_truetype.h:1386
#9 0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", offset=0x0) at ./SRC/stb_truetype.h:4771
#10 0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe458) at ../fuzzsrc/ttfuzz.c:29
#11 0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe458, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe448) at ../csu/libc-start.c:310
#12 0x000000000041ad4a in _start ()
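The backtrace shows the abort happening while the CFF DICT parser skips an operand and reaches an assertion in the integer decoder. As an added example (not the library's code and not part of the report), below is a CFF DICT integer-operand decoder written from the CFF specification's integer encodings that returns a failure status to the caller, instead of asserting, when the operand prefix byte is not an integer encoding or the operand is truncated; the `cff_buf` type and the `cff_try` helper are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Cursor over an untrusted byte buffer; every read is bounds-checked. */
typedef struct { const uint8_t *data; size_t len, pos; } cff_buf;

static int cff_get8(cff_buf *b, uint8_t *out) {
    if (b->pos >= b->len) return 0;          /* truncated operand */
    *out = b->data[b->pos++];
    return 1;
}

/* Decode one CFF DICT integer operand (CFF spec, Table 3).
 * Returns 1 and stores the value, or 0 for truncated input or a prefix
 * byte that is not an integer encoding: the input an assert(0) would
 * abort on is reported to the caller as malformed instead. */
int cff_dict_int(cff_buf *b, int32_t *out) {
    uint8_t b0, b1, b2, b3, b4;
    if (!cff_get8(b, &b0)) return 0;
    if (b0 >= 32 && b0 <= 246) { *out = (int32_t)b0 - 139; return 1; }
    if (b0 >= 247 && b0 <= 250) {            /* positive two-byte form */
        if (!cff_get8(b, &b1)) return 0;
        *out = ((int32_t)b0 - 247) * 256 + b1 + 108; return 1;
    }
    if (b0 >= 251 && b0 <= 254) {            /* negative two-byte form */
        if (!cff_get8(b, &b1)) return 0;
        *out = -((int32_t)b0 - 251) * 256 - b1 - 108; return 1;
    }
    if (b0 == 28) {                          /* 16-bit signed */
        if (!cff_get8(b, &b1) || !cff_get8(b, &b2)) return 0;
        *out = (int16_t)(((uint16_t)b1 << 8) | b2); return 1;
    }
    if (b0 == 29) {                          /* 32-bit signed */
        if (!cff_get8(b, &b1) || !cff_get8(b, &b2) ||
            !cff_get8(b, &b3) || !cff_get8(b, &b4)) return 0;
        *out = (int32_t)(((uint32_t)b1 << 24) | ((uint32_t)b2 << 16) |
                         ((uint32_t)b3 << 8) | b4); return 1;
    }
    return 0;  /* e.g. 30 (real-number operand) or an operator byte: not an int */
}

/* Decode a single operand from a byte array; LONG_MIN marks malformed input.
 * Constructed inputs such as {247, 0} (valid, 108) and {30} (rejected) exercise it. */
long cff_try(const uint8_t *data, size_t len) {
    cff_buf b = { data, len, 0 };
    int32_t v;
    return cff_dict_int(&b, &v) ? (long)v : LONG_MIN;
}
```

A caller such as a DICT lookup can then stop parsing and reject the font on a 0 return, rather than aborting the whole process on attacker-controlled bytes.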
CVE-2020-6617 was assigned for this issue.
The documentation for the library was modified in 2020 to make clear it is intentionally insecure, and fixing issues like this is out of scope.