bug #46149: signed integer overflow in 29 places in 32-bit mode
Field | Value
---|---
Submitter | Kostya Serebryany <kcc>
Submitted | Thu 08 Oct 2015 01:30:47 AM UTC
Severity | 3 - Normal
Item Group | None
Status | Fixed
Privacy | Public
Assigned to | wl
Open/Closed | Closed
Planned Release | 2.8.1
Thu 01 Jun 2017 06:19:12 PM UTC, comment #23, Werner LEMBERG <wl>:
Done.

Thu 01 Jun 2017 06:01:37 PM UTC, comment #22, Kostya Serebryany <kcc>:
Do you mind if we move the conversation to https://github.com/google/oss-fuzz/issues ?

Thu 01 Jun 2017 05:59:46 PM UTC, comment #21, Werner LEMBERG <wl>:
Sounds interesting! Since FreeType's docker file doesn't contain any apt-get command for libraries, I assume that some (all?) are available by default, i.e., libpng, libharfbuzz, etc. However, I guess that 32-bit libraries are not installed.

Thu 01 Jun 2017 05:32:17 PM UTC, comment #20, Kostya Serebryany <kcc>:
When I fuzzed 32-bit FreeType I did it manually.

Thu 01 Jun 2017 05:13:36 PM UTC, comment #19, Werner LEMBERG <wl>:
Thanks! It's a pity that you (no longer?) do 32-bit fuzzing – I guess this shows problems much earlier...

Thu 01 Jun 2017 04:31:03 PM UTC, comment #18, Kostya Serebryany <kcc>:
Done: https://github.com/google/oss-fuzz/issues/643
Thu 01 Jun 2017 04:28:42 PM UTC, comment #17, Werner LEMBERG <wl>:
All those overflows should now be fixed in git. Please activate the sanitizer again!

Tue 20 Oct 2015 10:57:26 PM UTC, comment #16, Kostya Serebryany <kcc>:
The libFuzzer bot is not using -fsanitize=unsigned-integer-overflow any more.

Mon 19 Oct 2015 05:04:20 AM UTC, comment #15, Werner LEMBERG <wl>:
Yes, please switch it off. It will take some time until I have time to implement the ideas from comment #8.

Fri 16 Oct 2015 08:33:05 PM UTC, comment #14, Kostya Serebryany <kcc>:
The bot is finding more integer overflows in 64-bit too.

Thu 15 Oct 2015 06:10:41 AM UTC, comment #13, Werner LEMBERG <wl>:
Can you provide patches and send them to the list?

Tue 13 Oct 2015 03:56:12 PM UTC, comment #12, Alexei Podtelezhnikov <podtelez>:
The pcf overflows can also be fixed. Even though the PCF format specifies fontAscent and fontDescent as int32, the ultimate bitmap height is FT_Short. We might be able to truncate the input and, perhaps, change bitmap height to FT_UShort.

Mon 12 Oct 2015 03:12:50 PM UTC, comment #11, Alexei Podtelezhnikov <podtelez>:
The t1decode overflows can be fixed. t1_builder_add_point ultimately does this:

Thu 08 Oct 2015 09:55:13 PM UTC, comment #10, Alexey Samsonov <vonosmas>:
You can declare it as inline, yes. I think there will be no penalty. This function will likely be inlined by the compiler, and the arithmetic ops in it will not be checked by UBSan.
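The two approaches the thread weighs, isolating deliberately wrapping arithmetic in a helper that UBSan skips (comments #7, #8, #10) versus rewriting it so that no signed overflow happens at all (comments #12, #17), side by side as an added C example; this is constructed code, not FreeType's. It assumes the annotation comment #8 refers to is `__attribute__((no_sanitize("signed-integer-overflow")))` (the attribute name is cut off on this page) and uses a 16.16 fixed-point multiply as a stand-in for the glyph-coordinate arithmetic mentioned in comment #6; all function and macro names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Portable spelling of the UBSan opt-out attribute (clang, GCC >= 8).
   Assumed to be the annotation comment #8 means; empty elsewhere. */
#if defined(__has_attribute)
#  if __has_attribute(no_sanitize)
#    define NO_SANITIZE_SIGNED_OVERFLOW \
       __attribute__((no_sanitize("signed-integer-overflow")))
#  endif
#endif
#ifndef NO_SANITIZE_SIGNED_OVERFLOW
#  define NO_SANITIZE_SIGNED_OVERFLOW
#endif

/* Option 1 (comments #7, #8, #10): keep the 32-bit 16.16 multiply
   (a * b) / 65536 as it is, but move it into an inline helper that UBSan
   does not instrument.  The product wraps as soon as |a * b| >= 2^31,
   i.e. for any two operands of magnitude >= 1.0 (0x10000).  That wrap is
   still undefined behaviour in C; only the report is silenced, so this
   is defensible only where the result is known to be harmless (#6). */
static inline NO_SANITIZE_SIGNED_OVERFLOW int32_t
mul_fix_unchecked(int32_t a, int32_t b)
{
    return (int32_t)((a * b + 0x8000) >> 16);
}

/* Option 2 (comments #12, #17): the actual fix.  Do the product in a
   64-bit intermediate, round half away from zero, and saturate to the
   int32 range instead of handing the caller a wrapped value. */
static int32_t
mul_fix_safe(int32_t a, int32_t b)
{
    int64_t p = (int64_t)a * (int64_t)b;
    int64_t r = p >= 0 ? (p + 0x8000) / 0x10000 : -((-p + 0x8000) / 0x10000);
    if (r > INT32_MAX) return INT32_MAX;
    if (r < INT32_MIN) return INT32_MIN;
    return (int32_t)r;
}

/* The same question -fsanitize=signed-integer-overflow asks at run time:
   would the 32-bit product wrap?  Handy as a unit-test oracle when deciding
   which of the two options a given call site needs. */
static bool
mul_fix_would_overflow(int32_t a, int32_t b)
{
    int32_t unused;
    return __builtin_mul_overflow(a, b, &unused);
}
```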
Thu 08 Oct 2015 09:26:36 PM UTC, comment #9, Werner LEMBERG <wl>:
OK, thanks. Is there a penalty for using such a function (which should probably be defined as inline)?

Thu 08 Oct 2015 08:06:33 PM UTC, comment #8, Alexey Samsonov <vonosmas>:
As #7 suggests, you can move the arithmetic operations that can lead to signed-integer-overflow (but this overflow is believed to be "harmless") to a separate function and annotate it with

Thu 08 Oct 2015 05:58:06 PM UTC, comment #7, Kostya Serebryany <kcc>:

Thu 08 Oct 2015 05:28:58 PM UTC, comment #6, Alexei Podtelezhnikov <podtelez>:
Some of the overflows you've found are in linear algebra concerned with different transformations of glyph contour coordinates. You might get a crazy looking image as a result of the overflow but nothing with security implications. No?

Thu 08 Oct 2015 05:19:22 PM UTC, comment #5, Werner LEMBERG <wl>:
Please do so! Maybe there are not many libraries that need such a thing, so I'm really interested to hear more opinions :-)

Thu 08 Oct 2015 05:08:55 PM UTC, comment #4, Kostya Serebryany <kcc>:
A reasonable way to tag an overflow as "don't worry" is to

Thu 08 Oct 2015 02:38:23 PM UTC, comment #3, Werner LEMBERG <wl>:
[CCing Behdad also]

Thu 08 Oct 2015 01:49:25 PM UTC, comment #2, Alexei Podtelezhnikov <podtelez>:
I agree that is paranoid. I wonder if overflows are triggered by crazy large char_size and char_width in FT_Set_Char_Size or by crazy units_per_EM.

Thu 08 Oct 2015 05:06:30 AM UTC, comment #1, Werner LEMBERG <wl>:
Thanks a lot!
Thu 08 Oct 2015 01:30:47 AM UTC, original submission, Kostya Serebryany <kcc>:
found with libFuzzer+ubsan in 32-bit mode on fresh git.
Depends on the following items: None found
Items that depend on this one: None found
There are 0 votes so far.

10 latest changes:

Date | Changed by | Updated Field | Previous Value | Replaced by
---|---|---|---|---
2017-06-01 | wl | Status | Postponed | Fixed
2017-06-01 | wl | Open/Closed | Open | Closed
2017-06-01 | wl | Planned Release | None | 2.8.1
2015-10-21 | wl | Status | None | Postponed
2015-10-21 | wl | Assigned to | None | wl
2015-10-08 | kcc | Carbon-Copy | - | Added -email is unavailable-
2015-10-08 | wl | Carbon-Copy | - | Added behdad
2015-10-08 | wl | Carbon-Copy | - | Added apodtele
2015-10-08 | wl | Carbon-Copy | - | Added darnold
2015-10-08 | kcc | Attached File | - | Added OVERFLOW-32bit.tgz, #35096