Integer-overflow in cf2_glyphpath_curveTo
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4646829617840128

Fuzzer: libFuzzer_pdf_font_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  cf2_glyphpath_curveTo
  cf2_interpT2CharString
  cf2_getGlyphOutline

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=483358:483512

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4646829617840128

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
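The crash class in the report above is a signed integer overflow that UBSAN (`-fsanitize=signed-integer-overflow`) flagged inside the CFF engine's curve-drawing code. The block below is an added illustration of that bug class written for this page; it is not FreeType's cf2_glyphpath_curveTo and not the fix that was later rolled in. It accumulates 16.16 fixed-point coordinates the way a Type 2 charstring interpreter applies relative curve deltas to the current point, shows the plain addition that a UBSAN build aborts on when a hostile font supplies extreme deltas, and a checked variant built on the GCC/Clang `__builtin_add_overflow` builtin that rejects the operator instead of wrapping. All function and type names, the sample deltas and the reject-on-overflow policy are assumptions for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* 16.16 fixed-point, the representation FreeType's CFF engine uses for
 * glyph coordinates. The type and function names here are hypothetical. */
typedef int32_t fixed16_16;

#define FIXED_ONE ((fixed16_16)1 << 16)

/* Current point, as a charstring interpreter tracks it while applying
 * rrcurveto-style relative deltas. */
typedef struct {
    fixed16_16 x;
    fixed16_16 y;
} curve_point;

/* Unchecked addition. With font-controlled deltas the sum can exceed
 * INT32_MAX; in C that is undefined behaviour, and a UBSAN build aborts with
 * "signed integer overflow" at a statement of exactly this shape. */
static fixed16_16 fixed_add_unchecked(fixed16_16 a, fixed16_16 b)
{
    return a + b;
}

/* Checked addition: __builtin_add_overflow computes the sum in infinite
 * precision and returns true if it does not fit the destination type, so the
 * caller can refuse the input instead of relying on wraparound. */
static bool fixed_add_checked(fixed16_16 a, fixed16_16 b, fixed16_16 *out)
{
    return !__builtin_add_overflow(a, b, out);
}

/* Apply one rrcurveto-style operator: three control points, each given as a
 * (dx, dy) delta from the previous point. Returns false and leaves *cur
 * untouched if any intermediate coordinate would overflow. */
static bool apply_curve_deltas(curve_point *cur, const fixed16_16 deltas[6],
                               curve_point out_ctrl[3])
{
    curve_point p = *cur;
    for (int i = 0; i < 3; i++) {
        fixed16_16 nx, ny;
        if (!fixed_add_checked(p.x, deltas[2 * i], &nx) ||
            !fixed_add_checked(p.y, deltas[2 * i + 1], &ny))
            return false;
        p.x = nx;
        p.y = ny;
        out_ctrl[i] = p;
    }
    *cur = p;
    return true;
}

/* Constructed input: a benign curve of 1.0-unit deltas. Returns 1 if the
 * control points and the final current point are as expected. */
static int demo_benign_curve(void)
{
    curve_point cur = { 0, 0 }, ctrl[3];
    const fixed16_16 deltas[6] = { FIXED_ONE, FIXED_ONE, FIXED_ONE,
                                   FIXED_ONE, FIXED_ONE, FIXED_ONE };
    bool ok = apply_curve_deltas(&cur, deltas, ctrl);
    return ok && ctrl[1].x == 2 * FIXED_ONE && cur.x == 3 * FIXED_ONE &&
           cur.y == 3 * FIXED_ONE;
}

/* Constructed input: the current point sits near INT32_MAX and the first
 * delta pushes it past the limit. The checked path rejects the operator and
 * the current point is unchanged; the unchecked add would be UB here. */
static int demo_overflowing_curve(void)
{
    curve_point cur = { INT32_MAX - FIXED_ONE, 0 }, ctrl[3];
    const fixed16_16 deltas[6] = { 2 * FIXED_ONE, 0, 0, 0, 0, 0 };
    bool ok = apply_curve_deltas(&cur, deltas, ctrl);
    return !ok && cur.x == INT32_MAX - FIXED_ONE && cur.y == 0;
}

int main(void)
{
    printf("benign curve accepted: %d\n", demo_benign_curve());
    printf("overflowing curve rejected: %d\n", demo_overflowing_curve());
    /* The unchecked add is only exercised on safe operands here. */
    printf("1.0 + 1.0 = %d (16.16 units)\n",
           fixed_add_unchecked(FIXED_ONE, FIXED_ONE));
    return 0;
}
```

Building this with `-fsanitize=undefined` and feeding the overflowing operand pair to fixed_add_unchecked reproduces the kind of report ClusterFuzz attached to this issue; the checked path turns the same input into an ordinary parse error, which is the behaviour a font loader wants when the coordinates come from an untrusted file.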

Jul 11 2017
Not fixed yet.

Jul 12 2017
OK, please send me the triggering snippet privately.

Jul 13 2017
Thanks for the testcase, Nicolás. However, I couldn't reproduce the issue with either ftfuzzer or ftbench of current git: FreeType refuses to load this file, aborting with

    FT_Open_Face: Return 0x3 couldn't load font resource

So the question is why chromium is able to load this font...

Just to be sure: The file I received has an MD5 checksum of d7f4bec52f45a7f6e807e108ebda8140.

Aug 2 2017
I stumbled on this issue while browsing Stability-Libfuzzer tagged issues.

The file with MD5 checksum d7f4bec52f45a7f6e807e108ebda8140 is the raw input to the pdf_font_fuzzer (which is the output of a Chromium build target). Reproducing involves checking out Chromium, then building and running pdf_font_fuzzer as described in the 'reproducing.md' link in the original report. Also, if you're debugging it and trying to extract some data, knowing magic things like adding 'sanitizer_keep_symbols = true' is needed. And also getting ubsan to actually break in a debugger when you want it to. This is a ton of work for someone not working directly on Chromium.

However, looking at https://cs.chromium.org/chromium/src/third_party/pdfium/testing/libfuzzer/pdf_font_fuzzer.cc it appears the 'font data' is everything after the first two bytes. I'm attaching that.

It looks like the relevant set of calls is

    int glyph_index = 0x33;
    FT_Face face;
    FT_New_Memory_Face(library, <attached_data>, <attached_data_size>, 0, &face);
    FT_Set_Pixel_Sizes(face, 64, 64);
    FT_Load_Glyph(face, glyph_index, FT_LOAD_NO_SCALE | FT_LOAD_IGNORE_GLOBAL_ADVANCE_WIDTH);

though note that I haven't actually run this reduction.

Aug 2 2017
All that being said, I just locally rolled FreeType in Chromium (fairly easy to do now, just run <chromium_src>/third_party/freetype/roll-freetype.sh) and this appears to already be fixed by

    https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/933f4cbe792b777b826282dba9e55edb7b22a14d

which landed a few days ago. I will start a roll to pick this up.

Aug 2 2017
Thanks for confirming that I don't have anything to do :-)

Aug 3 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4866b639cbb4b6986ed3b7af1f5d872747b195c6

commit 4866b639cbb4b6986ed3b7af1f5d872747b195c6
Author: Ben Wagner <bungeman@chromium.org>
Date: Thu Aug 03 08:21:17 2017

Roll src/third_party/freetype/src/ 38bdf22bf..7e5082428 (5 commits)

https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+log/38bdf22bfe68..7e50824288fa

$ git log 38bdf22bf..7e5082428 --date=short --no-merges --format='%ad %ae %s'
2017-08-01 wl * src/truetype/ttgxvar.c (TT_Get_MM_Var): Fix thinko.
2017-08-01 wl Update CHANGES file.
2017-08-01 behdad [truetype] Fix loading of named instances.
2017-08-01 wl [sfnt, truetype] Minor adjustments for OpenType 1.8.2.
2017-07-26 wl [cff] Integer overflow.

Created with:
  roll-dep src/third_party/freetype/src

R=wangxianzhu@chromium.org,michaelbai@chromium.org,bungeman@chromium.org,drott@chromium.org
BUG= chromium:738343

Change-Id: If5ac9de7dce76fdf808cfb1d7c95125784831708
Reviewed-on: https://chromium-review.googlesource.com/598118
Commit-Queue: Dominik Röttsches <drott@chromium.org>
Reviewed-by: Dominik Röttsches <drott@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491676}

[modify] https://crrev.com/4866b639cbb4b6986ed3b7af1f5d872747b195c6/DEPS
[modify] https://crrev.com/4866b639cbb4b6986ed3b7af1f5d872747b195c6/third_party/freetype/README.chromium

Aug 3 2017
Sorry that I missed comment #4, and I did forget to mention that our fuzzer testcases use the first two bytes for other purposes, so really the input for FT should be the fuzzer input minus those two bytes... Thankfully it seems fixed now. I'll roll FT on PDFium as well.

Aug 3 2017
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/964e56bef136014c9ba47e579993872b95f9782e

commit 964e56bef136014c9ba47e579993872b95f9782e
Author: Nicolas Pena <npm@chromium.org>
Date: Thu Aug 03 17:19:40 2017

Roll FreeType to 7e50824288fac5a36c2938fdb3e1c949ea53f982

Bug: chromium:738343
Change-Id: Ia5651c50c7f54a79533ebecbee8c020c289afda2
Reviewed-on: https://pdfium-review.googlesource.com/10031
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/964e56bef136014c9ba47e579993872b95f9782e/third_party/freetype/README.pdfium
[modify] https://crrev.com/964e56bef136014c9ba47e579993872b95f9782e/DEPS

Aug 3 2017
ClusterFuzz has detected this issue as fixed in range 491668:491697.

Detailed report: https://clusterfuzz.com/testcase?key=4646829617840128

Fuzzer: libFuzzer_pdf_font_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  cf2_glyphpath_curveTo
  cf2_interpT2CharString
  cf2_getGlyphOutline

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=483358:483512
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=491668:491697

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4646829617840128

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Aug 3 2017
ClusterFuzz testcase 4646829617840128 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by npm@chromium.org, Jul 6 2017
Owner: npm@chromium.org
Status: Assigned (was: Untriaged)