
assertion failure in stbtt__cff_get_index in stb_truetype.h #865

Closed
sleicasper opened this issue Jan 6, 2020 · 2 comments

Comments

@sleicasper

An assertion failure in stbtt__cff_get_index can be triggered by a user-supplied file.

source

poc:
poc.zip

result:

#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2  0x00007ffff6e3339a in __assert_fail_base (fmt=0x7ffff6fba7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x5060a0 <.str> "offsize >= 1 && offsize <= 4",
    file=file@entry=0x505b40 <.str> "./SRC/stb_truetype.h", line=line@entry=0x48d,
    function=function@entry=0x5062c0 <__PRETTY_FUNCTION__.stbtt__cff_get_index> "stbtt__buf stbtt__cff_get_index(stbtt__buf *)") at assert.c:92
#3  0x00007ffff6e33412 in __GI___assert_fail (assertion=0x5060a0 <.str> "offsize >= 1 && offsize <= 4",
    file=0x505b40 <.str> "./SRC/stb_truetype.h", line=0x48d,
    function=0x5062c0 <__PRETTY_FUNCTION__.stbtt__cff_get_index> "stbtt__buf stbtt__cff_get_index(stbtt__buf *)")
    at assert.c:101
#4  0x00000000004e9fda in stbtt__cff_get_index (b=0x7fffffffd960) at ./SRC/stb_truetype.h:1165
#5  0x00000000004e0591 in stbtt_InitFont_internal (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", fontstart=0x0)
    at ./SRC/stb_truetype.h:1381
#6  0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", offset=0x0)
    at ./SRC/stb_truetype.h:4771
#7  0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe458) at ../fuzzsrc/ttfuzz.c:29
#8  0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe458,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe448)
    at ../csu/libc-start.c:310
#9  0x000000000041ad4a in _start ()
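The frame that aborts is stb_truetype reading a CFF INDEX header, whose offSize byte must be 1..4. As an added example (not code from stb_truetype or from the reporter), here is a bounds-checked validator for that structure that returns an error instead of asserting; the layout (count, offSize, count+1 offsets, data) follows the CFF specification, the function and constant names are mine, and the sample byte strings are constructed, not taken from poc.zip.

```c
#include <stddef.h>
#include <stdint.h>

/* Status codes; CFF_INDEX_BAD_OFFSIZE is exactly the condition behind the
 * assertion in the report (offsize >= 1 && offsize <= 4). */
enum cff_index_status {
    CFF_INDEX_OK = 0,
    CFF_INDEX_TRUNCATED,    /* header or offset array runs past the buffer */
    CFF_INDEX_BAD_OFFSIZE,  /* offSize byte outside 1..4 */
    CFF_INDEX_BAD_OFFSET    /* first offset != 1, or last offset past the data */
};

static uint32_t rd_be(const uint8_t *p, unsigned n) {  /* big-endian, n <= 4 */
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

/* Validates one CFF INDEX at buf[0..len). On CFF_INDEX_OK, *total is the
 * number of bytes the INDEX occupies (count + offSize + offsets + data). */
enum cff_index_status cff_check_index(const uint8_t *buf, size_t len, size_t *total) {
    if (len < 2) return CFF_INDEX_TRUNCATED;
    uint32_t count = rd_be(buf, 2);
    if (count == 0) { *total = 2; return CFF_INDEX_OK; }  /* empty INDEX: count only */
    if (len < 3) return CFF_INDEX_TRUNCATED;
    unsigned offsize = buf[2];
    if (offsize < 1 || offsize > 4) return CFF_INDEX_BAD_OFFSIZE;
    size_t offarr = (size_t)(count + 1) * offsize;       /* count <= 65535: no overflow */
    if (len - 3 < offarr) return CFF_INDEX_TRUNCATED;
    const uint8_t *off = buf + 3;
    size_t data_start = 3 + offarr;
    uint32_t last = rd_be(off + (size_t)count * offsize, offsize);
    /* offsets are 1-based, relative to the byte before the data block */
    if (rd_be(off, offsize) != 1 || last < 1) return CFF_INDEX_BAD_OFFSET;
    if ((size_t)(last - 1) > len - data_start) return CFF_INDEX_BAD_OFFSET;
    *total = data_start + (last - 1);
    return CFF_INDEX_OK;
}

/* Convenience wrappers for callers that want a single value back. */
enum cff_index_status cff_index_status_of(const uint8_t *b, size_t n) { size_t t; return cff_check_index(b, n, &t); }
size_t cff_index_total_len(const uint8_t *b, size_t n) { size_t t = 0; return cff_check_index(b, n, &t) == CFF_INDEX_OK ? t : 0; }

/* Constructed sample inputs (hypothetical, not the bytes from poc.zip). */
const uint8_t kGoodIndex[]  = {0x00,0x01, 0x01, 0x01,0x03, 'A','B'};  /* one object "AB", 7 bytes */
const uint8_t kBadOffsize[] = {0x00,0x01, 0x00, 0x01,0x03, 'A','B'};  /* offSize 0: would trip the assert */
const uint8_t kTruncated[]  = {0x00,0x02, 0x02, 0x00,0x01};           /* 3 offsets promised, 1 present */
const uint8_t kEmpty[]      = {0x00,0x00};                            /* count 0, nothing follows */
```

Running this check over each INDEX before handing the buffer to the font parser turns a malformed file into an error return; the same shape of check (length first, then range, then offsets) applies to the other tables stb_truetype walks.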
@carnil

carnil commented Jan 10, 2020

CVE-2020-6623 was assigned for this issue.

@nothings
Owner

nothings commented Jul 4, 2021

The documentation for the library was modified in 2020 to make clear it is intentionally insecure, and fixing issues like this is out of scope.

@nothings nothings closed this as completed Jul 4, 2021