Issue metadata

Status: Verified
Owner: ----
Closed: Mar 2017
Cc:
Type: Bug-Security




Issue 941: freetype2: Heap-buffer-overflow in psh_glyph_init

Reported by ClusterFuzz-External, Mar 25 2017 Project Member

Issue description

Detailed report: https://oss-fuzz.com/testcase?key=6729909500116992

Project: freetype2
Fuzzer: libFuzzer_freetype2_ftfuzzer
Fuzz target binary: ftfuzzer
Job Type: libfuzzer_asan_freetype2
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 8
Crash Address: 0x611000000258
Crash State:
  psh_glyph_init
  ps_hints_apply
  t1_decoder_parse_charstrings
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_freetype2&range=201610262116:201610262300

Reproducer Testcase: https://oss-fuzz.com/download/AMIfv97P4O3NXl4wE1Hp3UodnmRKsL6Zl9fUQ2LVU8Nu7W3agF2wMdJZyErIH1kts7abBU8ZF1RxJOXya2Bxia4EWlY_CP0pOAWeCvZnCxFaRKo8M4NEPfBpUsd0300RZo89gX1wEh8kjpKS1Z3fZdA0feD6bSMt1nu6pWdp5JVMT3h7kzT5xOOGB9Jrx8fEHJAgcrjkYW-Mg3mO44Ifwp_-q5vSA7Da5o67oDFL1SlRvBkP6hGwKCgXzwHApm1mzBG0J_BRrw6ob8YaL1nmzPXUidlY-T4vksApn2nAE31Aue1TLRNpwncVi_nqZe7XPTKgQTO3-SU3m_X-kMaM8CwN76o47RF-43EgMNkgBblcp7lCw6P6GWu_NVlpUGYZSjiAPT1JjXlrhrgtMQq_vhXK07maJ5Ce6Bl9eSvJ_uyj_kTifPOZWXM?testcase_id=6729909500116992


Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.
 

Comment 1 by ClusterFuzz-External, Mar 25 2017

Project Member
Labels: OS-Linux

Comment 2 by lemzw...@googlemail.com, Mar 26 2017

Fixed in git.

Comment 3 by ClusterFuzz-External, Mar 27 2017

Project Member
ClusterFuzz has detected this issue as fixed in range 201703251632:201703261626.

Detailed report: https://oss-fuzz.com/testcase?key=6729909500116992

Project: freetype2
Fuzzer: libFuzzer_freetype2_ftfuzzer
Fuzz target binary: ftfuzzer
Job Type: libfuzzer_asan_freetype2
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 8
Crash Address: 0x611000000258
Crash State:
  psh_glyph_init
  ps_hints_apply
  t1_decoder_parse_charstrings
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_freetype2&range=201610262116:201610262300
Fixed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_freetype2&range=201703251632:201703261626

Reproducer Testcase: https://oss-fuzz.com/download/AMIfv97P4O3NXl4wE1Hp3UodnmRKsL6Zl9fUQ2LVU8Nu7W3agF2wMdJZyErIH1kts7abBU8ZF1RxJOXya2Bxia4EWlY_CP0pOAWeCvZnCxFaRKo8M4NEPfBpUsd0300RZo89gX1wEh8kjpKS1Z3fZdA0feD6bSMt1nu6pWdp5JVMT3h7kzT5xOOGB9Jrx8fEHJAgcrjkYW-Mg3mO44Ifwp_-q5vSA7Da5o67oDFL1SlRvBkP6hGwKCgXzwHApm1mzBG0J_BRrw6ob8YaL1nmzPXUidlY-T4vksApn2nAE31Aue1TLRNpwncVi_nqZe7XPTKgQTO3-SU3m_X-kMaM8CwN76o47RF-43EgMNkgBblcp7lCw6P6GWu_NVlpUGYZSjiAPT1JjXlrhrgtMQq_vhXK07maJ5Ce6Bl9eSvJ_uyj_kTifPOZWXM?testcase_id=6729909500116992


See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz-External, Mar 27 2017

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: New)
ClusterFuzz testcase 6729909500116992 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 5 by sheriffbot@chromium.org, Apr 26 2017

Project Member
Labels: -restrict-view-commit
This bug has been fixed for 30 days. It has been opened to the public.

- Your friendly Sheriffbot

Comment 6 by aarya@google.com, Jul 3 2017

Project Member
Cc: hintak.l...@gmail.com
