cairo: oss-fuzz integration
Submitted by pdknsk
Assigned to Chris Wilson @ickle
Link to original bug (#107386)
Description
I'm interested if you're interested in having cairo integrated into oss-fuzz.
https://github.com/google/oss-fuzz
You only have to give an email address to be notified at when new bugs are found, and also a basic commitment in principle to be interested in those bugs.
Since fuzzing cairo directly doesn't really work, I want to go the reverse route by having the fuzzer generate CairoScript, which is then interpreted and rendered. A minor problem with that approach is that bugs in cairo-script have to be fixed first before it can really get to finding bugs in cairo itself. I already found quite a few of the former in a brief run.
A sample.
```
==1466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d001b303f0 at pc 0x0000005a56f7 bp 0x7ffd1ddb5030 sp 0x7ffd1ddb5028
READ of size 4 at 0x62d001b303f0 thread T0
    #0 0x5a56f6 in csi_object_reference cairo/util/cairo-script/cairo-script-objects.c:650:9
    #1 0x5c16b0 in _csi_push_ostack_copy cairo/util/cairo-script/./cairo-script-private.h:946:48
    #2 0x5afd8f in _index cairo/util/cairo-script/cairo-script-operators.c:3445:12
    #3 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #4 0x5cffa2 in token_end cairo/util/cairo-script/cairo-script-scanner.c:507:11
    #5 0x5ce416 in _scan_file cairo/util/cairo-script/cairo-script-scanner.c:1062:6
    #6 0x5ccf86 in _csi_scan_file cairo/util/cairo-script/cairo-script-scanner.c:1408:5
    #7 0x5a5d24 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:638:9
    #8 0x59eb28 in cairo_script_interpreter_feed_string cairo/util/cairo-script/cairo-script-interpreter.c:620:19
```

```
==25526==ERROR: AddressSanitizer: stack-overflow on address 0x7fffc8f48ff8 (pc 0x000000427525 bp 0x7fffc8f49850 sp 0x7fffc8f49000 T0)
    #0 0x427524 in __asan_memcpy llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x4d7520 in _cairo_path_buf_add_points cairo/src/cairo-path-fixed.c:803:5
    #2 0x4d0fc6 in _cairo_path_fixed_add cairo/src/cairo-path-fixed.c:748:5
    #3 0x4d01bb in _cairo_path_fixed_line_to cairo/src/cairo-path-fixed.c:551:12
    #4 0x4774e0 in _cairo_default_context_rel_line_to cairo/src/cairo-default-context.c:815:12
    #5 0x596f41 in INT_cairo_rel_line_to cairo/src/cairo.c:2003:14
    #6 0x5b0672 in _rel_line_to cairo/util/cairo-script/cairo-script-operators.c:4288:5
    #7 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #8 0x5a59b2 in _csi_array_execute cairo/util/cairo-script/cairo-script-objects.c:149:12
    #9 0x5af7aa in _ifelse cairo/util/cairo-script/cairo-script-operators.c
    #10 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #11 0x5a59b2 in _csi_array_execute cairo/util/cairo-script/cairo-script-objects.c:149:12
```

```
==24929==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x4284a3 in malloc llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5d35ce in _csi_stack_init cairo/util/cairo-script/cairo-script-stack.c:50:22
    #2 0x5a4e30 in csi_array_new cairo/util/cairo-script/cairo-script-objects.c:59:11
    #3 0x5cfd79 in token_end cairo/util/cairo-script/cairo-script-scanner.c:447:15
    #4 0x5cdb07 in _scan_file cairo/util/cairo-script/cairo-script-scanner.c
    #5 0x5ccf86 in _csi_scan_file cairo/util/cairo-script/cairo-script-scanner.c:1408:5
    #6 0x5a5d24 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:638:9
    #7 0x59eb28 in cairo_script_interpreter_feed_string cairo/util/cairo-script/cairo-script-interpreter.c:620:19
```