The FreeType Project - Bugs: bug #46019, infinite loop in af_face_globals_compute_style_coverage

bug #46019: infinite loop in af_face_globals_compute_style_coverage

Submitter:        Kostya Serebryany <kcc>
Submitted:        Tue 22 Sep 2015 04:44:31 AM UTC

Severity:         3 - Normal
Item Group:       None
Status:           Fixed
Privacy:          Public
Assigned to:      wl
Open/Closed:      Closed
Planned Release:  2.6.1

Thu 24 Sep 2015 11:46:09 AM UTC, comment #2: 

Thanks for the report.  Fixed in git now.  This took a lot of time since I have taken the opportunity to completely revise the handling of malformed input for all cmap formats.

Note that by design a format 13 cmap can still take ages to iterate over all glyph indices, cf. https://www.microsoft.com/typography/otspec/cmap.htm.

Werner LEMBERG <wl>
Group administrator
Tue 22 Sep 2015 04:02:21 PM UTC, comment #1: 

Correction. The test actually finishes in ~ 1 hour.

Kostya Serebryany <kcc>
Group Member
Tue 22 Sep 2015 04:44:31 AM UTC, original submission:  

found on fresh git with libFuzzer (on x86_64 Linux)

Feed the attached file to the following target function,
it'll never finish.

The stack trace:

#0  tt_cmap12_next
#1  0x0000000000447a59 in tt_cmap12_char_next
#2  0x000000000040b6b7 in FT_Get_Next_Char
#3  0x0000000000457f18 in af_face_globals_compute_style_coverage
#4  af_face_globals_new
#5  0x0000000000458861 in af_loader_reset
#6  af_loader_load_glyph
#7  af_autofitter_load_glyph
#8  0x000000000040dcda in FT_Load_Glyph
#9  0x0000000000407925 in TestOneInput


#include <stddef.h>
#include <ft2build.h>
#include FT_FREETYPE_H

/* Initialised once with FT_Init_FreeType() before the fuzzer starts feeding inputs. */
static FT_Library library;

void TestOneInput(const unsigned char *data, size_t size) {
  FT_Face face;
  if (size < 1) return;
  FT_Int32 load_flags = FT_LOAD_DEFAULT;
  FT_Render_Mode  render_mode = FT_RENDER_MODE_NORMAL;
  if (!FT_New_Memory_Face(library, data, size, 0, &face)) {
    unsigned first_index = 0;
    /* Load and render every glyph; the hang is inside FT_Load_Glyph. */
    for (unsigned i = first_index; i < (unsigned int)face->num_glyphs; i++) {
      if (FT_Load_Glyph(face, i, load_flags)) continue;
      if (FT_Render_Glyph(face->glyph, render_mode)) continue;
    }
    FT_Done_Face(face);
  }
}

This is probably a bug by itself, but also cases like this
completely ruin our ability to fuzz FT_Load_Glyph.

Kostya Serebryany <kcc>
Group Member
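The stack trace in the report ends in tt_cmap12_next being driven by the autofitter's coverage loop through FT_Get_Next_Char, and Werner's note points out that even a well-formed format 13 table can take ages to walk. As an added illustration, and not code from FreeType or from this report, the C below shows the two halves of that problem side by side: a bounds-checked format 12 subtable reader whose "next char" step is guaranteed to advance because the parser refuses inverted, unsorted or overlapping groups, and a code-by-code walk with a caller-supplied step budget for the case the parser cannot bound. The struct and function names, error codes, the exact validation rules and the sample group tables are this example's own assumptions; the attached reproducer is not used.

```c
/* Added example, not FreeType code: a bounds-checked parser and a strictly
 * advancing "next char" iterator for a cmap format 12 subtable. The checks
 * are this example's own assumptions, not the ones FreeType applies. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CMAP12_HEADER_LEN 16u  /* format, reserved, length, language, numGroups */
#define CMAP12_GROUP_LEN  12u  /* startCharCode, endCharCode, startGlyphID */

enum { CMAP12_OK = 0, CMAP12_ERR_SHORT = -1, CMAP12_ERR_FORMAT = -2,
       CMAP12_ERR_LENGTH = -3, CMAP12_ERR_GROUP = -4 };

typedef struct {
  const uint8_t *groups;      /* first SequentialMapGroup record */
  uint32_t       num_groups;
} Cmap12;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
  p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
  p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Reject anything that would let a lookup read past the buffer or let the
 * iterator stop advancing: short header, wrong format, length beyond the
 * buffer, numGroups beyond length, groups that are inverted, unsorted or
 * overlapping. Everything that passes here is safe to walk to the end. */
int cmap12_parse(const uint8_t *buf, size_t len, Cmap12 *out) {
  if (len < CMAP12_HEADER_LEN) return CMAP12_ERR_SHORT;
  if (rd16(buf) != 12) return CMAP12_ERR_FORMAT;
  uint32_t length = rd32(buf + 4), n = rd32(buf + 12);
  if (length > len) return CMAP12_ERR_LENGTH;
  /* 64-bit product so a huge numGroups cannot wrap the size check */
  if ((uint64_t)n * CMAP12_GROUP_LEN + CMAP12_HEADER_LEN > length) return CMAP12_ERR_LENGTH;
  uint32_t prev_end = 0;
  for (uint32_t i = 0; i < n; i++) {
    const uint8_t *g = buf + CMAP12_HEADER_LEN + i * CMAP12_GROUP_LEN;
    uint32_t start = rd32(g), end = rd32(g + 4);
    if (start > end) return CMAP12_ERR_GROUP;
    if (i > 0 && start <= prev_end) return CMAP12_ERR_GROUP;  /* unsorted / overlap */
    prev_end = end;
  }
  out->groups = buf + CMAP12_HEADER_LEN;
  out->num_groups = n;
  return CMAP12_OK;
}

/* Smallest mapped code >= from; returns 1 and fills *code/*glyph, or 0 when
 * the table is exhausted. Sorted, disjoint groups guarantee *code >= from,
 * so a caller that resumes at *code + 1 always makes progress. */
int cmap12_char_from(const Cmap12 *c, uint32_t from, uint32_t *code, uint32_t *glyph) {
  for (uint32_t i = 0; i < c->num_groups; i++) {
    const uint8_t *g = c->groups + i * CMAP12_GROUP_LEN;
    uint32_t start = rd32(g), end = rd32(g + 4);
    if (from > end) continue;
    *code  = from < start ? start : from;
    *glyph = rd32(g + 8) + (*code - start);
    return 1;
  }
  return 0;
}

/* Walk the charmap code by code, as the autofitter's coverage pass does via
 * FT_Get_First_Char/FT_Get_Next_Char, counting codes with a usable glyph.
 * max_steps is the caller's budget: a valid table may legitimately span most
 * of the 32-bit range, and only a cap, not the parser, bounds that case. */
uint32_t cmap12_count_mapped(const Cmap12 *c, uint32_t num_glyphs, uint32_t max_steps) {
  uint32_t count = 0, from = 0, code, glyph;
  for (uint32_t steps = 0; steps < max_steps && cmap12_char_from(c, from, &code, &glyph); steps++) {
    if (glyph != 0 && glyph < num_glyphs) count++;
    if (code == 0xFFFFFFFFu) break;      /* from + 1 would wrap back to 0 */
    from = code + 1;
  }
  return count;
}

/* Serialise groups[i] = {start, end, startGlyph} into a format 12 subtable
 * and return its byte length; used only to build the constructed samples. */
size_t cmap12_build(uint8_t *out, const uint32_t (*groups)[3], uint32_t n) {
  uint32_t length = CMAP12_HEADER_LEN + n * CMAP12_GROUP_LEN;
  memset(out, 0, CMAP12_HEADER_LEN);
  out[1] = 12;                              /* format 12, big-endian */
  wr32(out + 4, length);
  wr32(out + 12, n);
  for (uint32_t i = 0; i < n; i++)
    for (uint32_t k = 0; k < 3; k++)
      wr32(out + CMAP12_HEADER_LEN + i * CMAP12_GROUP_LEN + 4 * k, groups[i][k]);
  return length;
}

/* Constructed samples (not the attached reproducer): 'A'..'C' -> glyphs 1..3 and
 * U+1F600..U+1F601 -> 10..11; and a table whose second group starts inside the
 * first, the kind of input the parser must refuse before anyone iterates it. */
static const uint32_t good_groups[2][3]    = { {0x41, 0x43, 1}, {0x1F600, 0x1F601, 10} };
static const uint32_t overlap_groups[2][3] = { {0x41, 0x50, 1}, {0x45, 0x46, 2} };
```

Parsing the overlapping sample returns CMAP12_ERR_GROUP; a header that claims far more groups than its length carries returns CMAP12_ERR_LENGTH; the well-formed sample yields five mapped codes, and the same walk with a budget of three stops after three. The point of the split is that validation at load time is what keeps the per-code iterator honest, while the step budget is the only defence against a table that is valid but huge.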

Attached Files
file #34948:  timeout-4b11585ea4b81aef7b727dcd8b09d5bf68463709 added by kcc (1KiB - application/octet-stream)

Depends on the following items: None found

Items that depend on this one: None found

Carbon-Copy List
  • wl (Posted a comment)
  • kcc (Submitted the item)

Follow 5 latest changes.

Date        Changed by  Updated Field    Previous Value  =>  Replaced by
2015-09-24  wl          Status           None            =>  Fixed
2015-09-24  wl          Assigned to      None            =>  wl
2015-09-24  wl          Open/Closed      Open            =>  Closed
2015-09-24  wl          Planned Release  None            =>  2.6.1
2015-09-22  kcc         Attached File    -               =>  Added timeout-4b11585ea4b81aef7b727dcd8b09d5bf68463709, #34948
