FT_Stream_Read with buffer NULL and count 0
Consider the following UndefinedBehaviorSanitizer report at current HEAD a20de84e:
../../third_party/freetype/src/src/base/ftstream.c:144:7: runtime error: null pointer passed as argument 1, which is declared to never be null
../../build/linux/debian_bullseye_amd64-sysroot/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x5599ea220bc6 in FT_Stream_ReadAt third_party/freetype/src/src/base/ftstream.c:144:7
#1 0x5599ea30d7c8 in tt_var_load_item_variation_store third_party/freetype/src/src/truetype/ttgxvar.c:687:12
#2 0x5599ea31cae7 in ft_var_load_hvvar third_party/freetype/src/src/truetype/ttgxvar.c:933:13
#3 0x5599ea31c2b2 in tt_hvadvance_adjust third_party/freetype/src/src/truetype/ttgxvar.c:1192:35
#4 0x5599ea2c1ae1 in tt_face_get_metrics third_party/freetype/src/src/sfnt/ttmtx.c:319:11
#5 0x5599ea23c6f1 in cff_slot_load third_party/freetype/src/src/cff/cffgload.c:660:11
#6 0x5599ea202f64 in FT_Load_Glyph third_party/freetype/src/src/base/ftobjs.c:1066:15
#7 0x5599ea201741 in FT_Get_Advances third_party/freetype/src/src/base/ftadvanc.c:160:15
The issue is that in tt_var_load_item_variation_store

    if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
      goto Exit;

    if ( FT_Stream_Read( stream,
                         varData->deltaSet,
                         per_region_size * item_count ) )

per_region_size * item_count was 0, so FT_NEW_ARRAY set varData->deltaSet to NULL (because that's how ft_mem_qrealloc works) and did not return any error. In FT_Stream_ReadAt this is a memory based stream (stream->read is NULL), so it attempts to FT_MEM_COPY, which is memcpy, which specifies that it is UB for either the src or dst to be NULL.
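The following C program is an added illustration of the sequence described above; it is not FreeType code and does not claim to be FreeType's fix. It models a memory-based stream with hypothetical names (MemStream, alloc_array, read_at_unguarded, read_at_guarded, load_delta_set): the allocator returns NULL plus success for a zero-byte request, as the report says ft_mem_qrealloc does, and the two read routines show the difference between passing that NULL straight to memcpy and short-circuiting a zero-length read before the pointer is ever used. The sample "font" bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of a memory-based stream (the stream->read == NULL case
 * in the report): the whole font sits in a byte buffer, reads are memcpy. */
typedef struct {
    const unsigned char *base;
    size_t size;
    size_t pos;
} MemStream;

enum { ERR_OK = 0, ERR_OUT_OF_MEMORY = 1, ERR_INVALID_STREAM_OPERATION = 2 };

/* Hypothetical stand-in for the allocator behaviour the report describes:
 * a zero-byte request yields a NULL pointer *and* a success return code. */
static int alloc_array(unsigned char **out, size_t count, size_t elem_size)
{
    *out = NULL;
    if (count == 0 || elem_size == 0)
        return ERR_OK;                      /* "empty", not "failed" */
    if (count > SIZE_MAX / elem_size)
        return ERR_OUT_OF_MEMORY;           /* byte count would overflow */
    *out = malloc(count * elem_size);
    return *out ? ERR_OK : ERR_OUT_OF_MEMORY;
}

/* Unguarded read, shaped like the path UBSan flagged: bounds are checked,
 * but memcpy is called even when count == 0, so a NULL buffer reaches it. */
static int read_at_unguarded(MemStream *s, size_t pos,
                             unsigned char *buf, size_t count)
{
    if (pos > s->size || count > s->size - pos)
        return ERR_INVALID_STREAM_OPERATION;
    memcpy(buf, s->base + pos, count);      /* UB if buf == NULL, even for 0 */
    s->pos = pos + count;
    return ERR_OK;
}

/* Guarded read: a zero-length request is satisfied without ever handing the
 * buffer pointer to memcpy; a NULL buffer with count > 0 is rejected. */
static int read_at_guarded(MemStream *s, size_t pos,
                           unsigned char *buf, size_t count)
{
    if (pos > s->size || count > s->size - pos)
        return ERR_INVALID_STREAM_OPERATION;
    if (count == 0) {
        s->pos = pos;
        return ERR_OK;
    }
    if (buf == NULL)
        return ERR_INVALID_STREAM_OPERATION;
    memcpy(buf, s->base + pos, count);
    s->pos = pos + count;
    return ERR_OK;
}

/* Models the caller in the report: allocate item_count * per_region_size
 * bytes, then read them from the current stream position. With
 * item_count == 0 the buffer is NULL and only the guarded read keeps the
 * sequence free of UB. On a read failure the buffer is released. */
static int load_delta_set(MemStream *s, size_t item_count,
                          size_t per_region_size,
                          unsigned char **delta_set, size_t *delta_len)
{
    int err = alloc_array(delta_set, item_count, per_region_size);
    if (err)
        return err;
    *delta_len = item_count * per_region_size;  /* overflow checked above */
    err = read_at_guarded(s, s->pos, *delta_set, *delta_len);
    if (err) {
        free(*delta_set);
        *delta_set = NULL;
        *delta_len = 0;
    }
    return err;
}

int main(void)
{
    /* Constructed sample bytes, not real variation-store data. */
    static const unsigned char font[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    MemStream s = { font, sizeof font, 0 };
    unsigned char *deltas = NULL;
    unsigned char tmp[2];
    size_t len = 0;
    int err;

    /* Zero items: NULL buffer, zero count, no memcpy, success. */
    err = load_delta_set(&s, 0, 4, &deltas, &len);
    printf("empty set -> err %d, buf %p, len %zu\n", err, (void *)deltas, len);

    /* Two items of three bytes each: six bytes read from position 0. */
    err = load_delta_set(&s, 2, 3, &deltas, &len);
    printf("2x3 set   -> err %d, first byte %u, pos %zu\n",
           err, deltas ? deltas[0] : 0u, s.pos);
    free(deltas);

    /* The unguarded read is fine as long as the buffer is non-NULL. */
    err = read_at_unguarded(&s, 0, tmp, sizeof tmp);
    printf("unguarded -> err %d, bytes %u %u\n", err, tmp[0], tmp[1]);
    return 0;
}
```

The check that matters is the `count == 0` early return in read_at_guarded: it keeps the "empty array" convention of the allocator (NULL with no error) from turning into a NULL argument to memcpy, and it does so without forcing callers to special-case empty stores themselves.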