assertion failure in stbtt__cff_get_index can be triggered by user supplied file.
poc: poc.zip
result:
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2 0x00007ffff6e3339a in __assert_fail_base (fmt=0x7ffff6fba7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x5060a0 <.str> "offsize >= 1 && offsize <= 4", file=file@entry=0x505b40 <.str> "./SRC/stb_truetype.h", line=line@entry=0x48d, function=function@entry=0x5062c0 <__PRETTY_FUNCTION__.stbtt__cff_get_index> "stbtt__buf stbtt__cff_get_index(stbtt__buf *)") at assert.c:92
#3 0x00007ffff6e33412 in __GI___assert_fail (assertion=0x5060a0 <.str> "offsize >= 1 && offsize <= 4", file=0x505b40 <.str> "./SRC/stb_truetype.h", line=0x48d, function=0x5062c0 <__PRETTY_FUNCTION__.stbtt__cff_get_index> "stbtt__buf stbtt__cff_get_index(stbtt__buf *)") at assert.c:101
#4 0x00000000004e9fda in stbtt__cff_get_index (b=0x7fffffffd960) at ./SRC/stb_truetype.h:1165
#5 0x00000000004e0591 in stbtt_InitFont_internal (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", fontstart=0x0) at ./SRC/stb_truetype.h:1381
#6 0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe1c0, data=0x629000000200 "OTTO", offset=0x0) at ./SRC/stb_truetype.h:4771
#7 0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe458) at ../fuzzsrc/ttfuzz.c:29
#8 0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe458, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe448) at ../csu/libc-start.c:310
#9 0x000000000041ad4a in _start ()
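The backtrace shows the failing check is an `assert` on the CFF INDEX `offSize` field (`offsize >= 1 && offsize <= 4`), reached from `stbtt_InitFont` while parsing an OpenType/CFF ("OTTO") file. Validating untrusted input with `assert` has two defender-relevant consequences: in a debug build a malformed file aborts the whole process (a denial of service for anything that loads fonts from users), and in a build with `NDEBUG` defined the check is compiled out entirely. The following is an added example, not stb_truetype's code and not derived from the report's `poc.zip`: a hypothetical `cff_parse_index` that reads the same INDEX header (per the public CFF spec: 2-byte count, 1-byte offSize in 1..4, count+1 big-endian offsets, then data) and returns an error code on malformed input instead of asserting. The sample byte arrays are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the hypothetical parser (added example, not stb_truetype's API). */
enum cff_index_status {
    CFF_INDEX_OK = 0,
    CFF_INDEX_ERR_TRUNCATED = 1,   /* buffer ends before the structure does */
    CFF_INDEX_ERR_OFFSIZE = 2,     /* offSize outside the legal range 1..4 */
    CFF_INDEX_ERR_OFFSETS = 3      /* first offset != 1 or offsets decrease */
};

struct cff_index {
    uint16_t count;
    uint8_t off_size;
    const uint8_t *offsets;   /* (count+1) offsets, each off_size bytes, big-endian */
    const uint8_t *data;      /* object data; offsets are 1-based into this */
    size_t data_len;
    size_t total_len;         /* bytes consumed from the input */
};

static uint32_t read_be(const uint8_t *p, unsigned n) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

/* Parse a CFF INDEX from buf[0..len). Every field is bounds-checked against len
   and the result is reported as a return value: a bad file is a parse error,
   not a programming error, so it must never reach assert(). */
int cff_parse_index(const uint8_t *buf, size_t len, struct cff_index *out) {
    memset(out, 0, sizeof *out);
    if (len < 2) return CFF_INDEX_ERR_TRUNCATED;
    out->count = (uint16_t)read_be(buf, 2);
    if (out->count == 0) { out->total_len = 2; return CFF_INDEX_OK; }  /* empty INDEX */
    if (len < 3) return CFF_INDEX_ERR_TRUNCATED;
    out->off_size = buf[2];
    if (out->off_size < 1 || out->off_size > 4) return CFF_INDEX_ERR_OFFSIZE;
    size_t n_offsets = (size_t)out->count + 1;
    size_t offsets_bytes = n_offsets * out->off_size;   /* <= 65536*4, cannot overflow */
    if (len - 3 < offsets_bytes) return CFF_INDEX_ERR_TRUNCATED;
    out->offsets = buf + 3;
    out->data = out->offsets + offsets_bytes;
    /* Offsets are 1-based and must be non-decreasing, otherwise object
       lengths would go negative. */
    uint32_t prev = read_be(out->offsets, out->off_size);
    if (prev != 1) return CFF_INDEX_ERR_OFFSETS;
    for (size_t i = 1; i < n_offsets; i++) {
        uint32_t cur = read_be(out->offsets + i * out->off_size, out->off_size);
        if (cur < prev) return CFF_INDEX_ERR_OFFSETS;
        prev = cur;
    }
    out->data_len = prev - 1;
    size_t header = 3 + offsets_bytes;
    if (len - header < out->data_len) return CFF_INDEX_ERR_TRUNCATED;
    out->total_len = header + out->data_len;
    return CFF_INDEX_OK;
}

/* Constructed sample inputs (not taken from the report's poc.zip). */
static const uint8_t good_index[] = {
    0x00, 0x02,       /* count = 2 */
    0x01,             /* offSize = 1 */
    0x01, 0x03, 0x06, /* offsets 1, 3, 6 -> objects of 2 and 3 bytes */
    'a', 'b', 'c', 'd', 'e'
};
static const uint8_t bad_offsize_index[] = {
    0x00, 0x01,       /* count = 1 */
    0x07,             /* offSize = 7: outside 1..4, the report's assert condition */
    0x01, 0x02, 'x'
};

/* Convenience wrapper so the status of a buffer can be checked in one call. */
int cff_index_status_of(const uint8_t *buf, size_t len) {
    struct cff_index idx;
    return cff_parse_index(buf, len, &idx);
}

int main(void) {
    printf("good file:      status %d\n", cff_index_status_of(good_index, sizeof good_index));
    printf("bad offSize:    status %d\n", cff_index_status_of(bad_offsize_index, sizeof bad_offsize_index));
    printf("truncated file: status %d\n", cff_index_status_of(good_index, 5));
    return 0;
}
```

The design point is that the caller gets a status it can act on (reject the font, log the event, fall back to a default face) rather than an abort it cannot catch, and the check is present in release builds too because it is ordinary control flow rather than an `assert`.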
CVE-2020-6623 was assigned for this issue.
The documentation for the library was modified in 2020 to make clear it is intentionally insecure, and fixing issues like this is out of scope.