Starred by 2 users
Status: Verified
Owner: ----
Closed: Mar 2017
Cc:
Type: Bug-Security
freetype2: Heap-buffer-overflow in t1_builder_add_point
Project Member Reported by ClusterFuzz-External, Mar 23 2017
Detailed report: https://oss-fuzz.com/testcase?key=5773760927891456

Project: freetype2
Fuzzer: libFuzzer_freetype2_ftfuzzer
Fuzz target binary: ftfuzzer
Job Type: libfuzzer_asan_freetype2
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 8
Crash Address: 0x60c00004f800
Crash State:
  t1_builder_add_point
  t1_decoder_parse_charstrings
  T1_Parse_Glyph_And_Get_Char_String
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_freetype2&range=201610262116:201610262300

Reproducer Testcase: https://oss-fuzz.com/download/AMIfv96EM2NXKRqSPlTUbwr-Db0iqdC4ZIjEIha-xd0Kgm8Jbc6739XNVAm5kFL7YqmLSZ0PWRx1w8eNYLepEvilnKDHS_1XlURhZHehNMqyZ9zCAZ2iyqjZR0bjzbCwe8qYQAqg4dH_Z1DtgEA1mj_FAdJvurTvBR5OQstqCP-r8yMcRn9HQDf_tdLYEHfrlbZDsDPZUxYIcezYCnkrYKi3oSX5XMW-rRVowyMAH7oJAcO2O5sSi-mqBT6ZyRxeSoeTEelhBsdbLwGh9FO6EtRKIt-WhHkjVzauD4khOxiHyJ_3vY5B5eOPnwOIksAnsvntsdCdHcWPqd7xGH6bQTwguxRxVfp9IYU92h1CwfCk8mBDd2_V3O2Rb6hbRacQSbKWGUnZlLU4-6hrIxn7_gsEmZFpBnhYrU2Dgn0G__UlJXzSgF0tuQg?testcase_id=5773760927891456


Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.
Project Member Comment 1 by ClusterFuzz-External, Mar 24 2017
Labels: OS-Linux
Fixed in git.
Project Member Comment 3 by ClusterFuzz-External, Mar 25 2017
ClusterFuzz has detected this issue as fixed in range 201703240143:201703241624.

Detailed report: https://oss-fuzz.com/testcase?key=5773760927891456

Project: freetype2
Fuzzer: libFuzzer_freetype2_ftfuzzer
Fuzz target binary: ftfuzzer
Job Type: libfuzzer_asan_freetype2
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 8
Crash Address: 0x60c000000900
Crash State:
  t1_builder_add_point
  t1_decoder_parse_charstrings
  T1_Parse_Glyph_And_Get_Char_String
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_freetype2&range=201610262116:201610262300
Fixed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_freetype2&range=201703240143:201703241624

Reproducer Testcase: https://oss-fuzz.com/download/AMIfv96EKU1zyaSKJYYk2bIAcgByg208VQGFccYYU0h9AsOJVp0oji2JCpMP1-mSSnXka46YnNsR0fWX8Cbv0ej4oshzyPdaad2m5OZoWqRB5hvrAtbjnLrVq92lszRxKN8MiXVW8BCN1WaX6Ys9B_rvSxfJqtbEtWD3_yTGmZMn3Hswh-s_FFzBPtn71RDvyUWRokbMYiTUYeTWEp2CBFg9NdUkYRDI_gU_e7r0-T_uLlsJh0aPzoIcE8p46JzyoF5dr4Z0uuP5Yh7P11hgXie0yyfWnyIZQ0ObLnExvr-HwVaXVHezSc4XoLhDFH1wogDkoaR0YsQKbvqUHbl1EKSSiD1VQpplKk2tLg-ys7ijccB_GVgt2lPGVJc2PTCtF30ykogJ1ofeZgqp6O1LlR4onxXtb8PUMiuposCWXyoLao5tYCCUK8M?testcase_id=5773760927891456


See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 4 by ClusterFuzz-External, Mar 25 2017
Labels: ClusterFuzz-Verified
Status: Verified
ClusterFuzz testcase 5773760927891456 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member Comment 5 by sheriffbot@chromium.org, Apr 24 2017
Labels: -restrict-view-commit
This bug has been fixed for 30 days. It has been opened to the public.

- Your friendly Sheriffbot
Project Member Comment 6 by aarya@google.com, Jul 3
Cc: hintak.l...@gmail.com