FreeType / FreeType · Issues · #1138 · Closed
Issue created Mar 17, 2022 by frokaikan (@frokaikan)

heap-buffer-overflow on creating a face with strange file and invalid index

I compile freetype with ASAN and call FT_New_Face with the following code:

#include <stdio.h>

#include "ft2build.h"
#include FT_FREETYPE_H

int main (int argc, char **argv) {
    FT_Library lib;
    FT_Face face;
    FT_Error err;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <fontfile>\n", argv[0]);
        return 1;
    }
    if (FT_Init_FreeType(&lib))
        return 1;

    /* deliberately out-of-range face index: the library is expected to reject it */
    err = FT_New_Face(lib, argv[1], -4939615758108852224, &face);
    printf("FT_New_Face returned %d\n", err);

    FT_Done_FreeType(lib);
    return 0;
}

and run it with this attached file: testface

I think FT_New_Face should return a non-zero value. However, ASAN reports the following:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000088 at pc 0x7fd51dd1048d bp 0x7ffdffb48a10 sp 0x7ffdffb48a08
READ of size 8 at 0x602000000088 thread T0
    #0 0x7fd51dd1048c in sfnt_init_face
    #1 0x7fd51dd60277 in tt_face_init
    #2 0x7fd51db84bf1 in open_face
    #3 0x7fd51db583c2 in ft_open_face_internal
    #4 0x7fd51db5764a in FT_New_Face
    #5 0x4c6c0b in main
    #6 0x7fd51d4f80b2 in __libc_start_main
    #7 0x41c2fd in _start

0x602000000088 is located 8 bytes to the left of 8-byte region [0x602000000090,0x602000000098)
allocated by thread T0 here:
    #0 0x494a3d in malloc
    #1 0x7fd51dbb8ea4 in ft_alloc
    #2 0x7fd51db7c1b1 in ft_mem_qalloc
    #3 0x7fd51db4cdb3 in ft_mem_alloc
    #4 0x7fd51dd298f3 in sfnt_open_font
    #5 0x7fd51dd1018c in sfnt_init_face
    #6 0x7fd51dd60277 in tt_face_init
    #7 0x7fd51db84bf1 in open_face
    #8 0x7fd51db583c2 in ft_open_face_internal
    #9 0x7fd51db5764a in FT_New_Face
    #10 0x4c6c0b in main
    #11 0x7fd51d4f80b2 in __libc_start_main 

SUMMARY: AddressSanitizer: heap-buffer-overflow in sfnt_init_face
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8010: fa[fa]00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3906462==ABORTING
Edited Mar 17, 2022 by frokaikan
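The reproducer above hands FT_New_Face a face index whose magnitude is far outside anything the API describes. The library should reject that on its own (which is what this report is about), but a caller that feeds untrusted or fuzzer-generated values into FreeType can also screen the argument first. The following is an added example, not code from FreeType or from the reporter: a caller-side check that admits only the values the FreeType API documentation for FT_Open_Face describes (bits 0-15 the face index, bits 16-30 the named-instance index, and negative values of the form -(N+1) for probe-only requests). The function `check_face_index`, the status enum, the `ft_long_t` typedef standing in for FT_Long, and the sample values are all assumptions made for the example; it assumes a 64-bit `long` as on the reporter's x86-64 build, and it is stricter than what the library itself accepts.

```c
/* Added example, not FreeType code: caller-side pre-check for the
 * face_index argument of FT_New_Face / FT_Open_Face.
 *
 * It encodes only what the FreeType API documentation for FT_Open_Face states:
 *   bits 0-15   face index within the file, 0-based;
 *   bits 16-30  named-instance index (0 = ignore named instances);
 *   negative    probe-only request, written as -(N+1) with N a 16-bit
 *               face number, i.e. -1 .. -65536.
 * Assumption: FT_Long is a 64-bit `long` (as on the reporter's x86-64 build);
 * a local typedef stands in for it so the file builds without FreeType.
 */
#include <stdio.h>

typedef long ft_long_t;   /* stand-in for FT_Long (assumption) */

enum face_index_status {
    FACE_INDEX_OK = 0,
    FACE_INDEX_NEGATIVE_TOO_LARGE,  /* below -65536: not of the form -(N+1) */
    FACE_INDEX_ABOVE_31_BITS,       /* positive value uses bit 31 or higher */
    FACE_INDEX_FACE_TOO_LARGE,      /* bits 0-15 >= num_faces */
    FACE_INDEX_INSTANCE_TOO_LARGE   /* bits 16-30 > num_named_instances */
};

struct face_index_parts {
    int probe_only;      /* non-zero when the caller passed a negative value */
    unsigned face;       /* bits 0-15, or N for a probe request -(N+1) */
    unsigned instance;   /* bits 16-30 */
};

/* num_faces: face->num_faces from an earlier probe (face_index = -1);
 * num_named_instances: bits 16-30 of face->style_flags from that probe,
 * or 0 for a non-variation font.  Pass -1 for either if not yet known. */
enum face_index_status
check_face_index(ft_long_t face_index, ft_long_t num_faces,
                 ft_long_t num_named_instances, struct face_index_parts *out)
{
    struct face_index_parts p = {0, 0, 0};

    if (face_index < 0) {
        /* magnitude in unsigned arithmetic so LONG_MIN cannot overflow */
        unsigned long magnitude = 0UL - (unsigned long)face_index;
        if (magnitude > 0x10000UL)
            return FACE_INDEX_NEGATIVE_TOO_LARGE;
        p.probe_only = 1;
        p.face = (unsigned)(magnitude - 1);          /* -(N+1) -> N */
    } else {
        if (face_index > 0x7FFFFFFFL)
            return FACE_INDEX_ABOVE_31_BITS;
        p.face = (unsigned)(face_index & 0xFFFF);
        p.instance = (unsigned)((face_index >> 16) & 0x7FFF);
    }

    if (num_faces >= 0 && p.face >= (unsigned long)num_faces)
        return FACE_INDEX_FACE_TOO_LARGE;
    if (num_named_instances >= 0 && p.instance > (unsigned long)num_named_instances)
        return FACE_INDEX_INSTANCE_TOO_LARGE;

    if (out)
        *out = p;
    return FACE_INDEX_OK;
}

int main(void)
{
    /* constructed sample values; the sixth one is the index from this report */
    static const ft_long_t samples[] = {
        0, 4, 0x00030004L, -1, -5, -4939615758108852224L, 0x80000000L
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct face_index_parts p = {0, 0, 0};
        /* pretend the probed file reported 6 faces and 3 named instances */
        enum face_index_status s = check_face_index(samples[i], 6, 3, &p);
        printf("%22ld -> status %d (face %u, instance %u, probe %d)\n",
               samples[i], (int)s, p.face, p.instance, p.probe_only);
    }
    return 0;
}
```

The first call an application makes is normally a probe with face_index = -1 (num_faces and num_named_instances unknown, so pass -1 for both); the values it reads back from `face->num_faces` and `face->style_flags` then bound every later call. Rejecting the reporter's value at this layer does not make the library bug less real, but it keeps a fuzzer-shaped argument from ever reaching the parser in code you control.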