Bug 1467226 - There is an illegal address access in freetype2.
There is an illegal address access in freetype2.
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: freetype
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Marek Kašík
QA Contact: Desktop QE
Duplicates: 1467221
Depends On:
Blocks:
Reported: 2017-07-03 03:59 EDT by owl337
Modified: 2017-07-03 07:12 EDT (History)
CC List: 0 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-03 07:12:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
It is triggered by "./example2 POC1" (80.86 KB, application/x-rar)
2017-07-03 03:59 EDT, owl337
Description owl337 2017-07-03 03:59:54 EDT
Created attachment 1293773
It is triggered by "./example2 POC1"

Description of problem:

There is a memory access error at function FT_Request_Size() in ftobjs.c.

Version-Release number of selected component (if applicable):

<=latest

How reproducible:

./example2 POC1 

Steps to Reproduce:

The output information is as follows:

$./example2 POC1 @ 

ASAN:DEADLYSIGNAL
=================================================================
==77600==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0ca4a49816 bp 0x7ffe2626af70 sp 0x7ffe2626ae80 T0)
    #0 0x7f0ca4a49815  (/home/icy/real/freetype2-asan/install/lib/libfreetype.so.6+0x48815)
    #1 0x7f0ca4a49e7f  (/home/icy/real/freetype2-asan/install/lib/libfreetype.so.6+0x48e7f)
    #2 0x4eed43  (/home/icy/real/freetype2-asan/install/bin/example2+0x4eed43)
    #3 0x4f1dc5  (/home/icy/real/freetype2-asan/install/bin/example2+0x4f1dc5)
    #4 0x7f0ca378d82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x419a78  (/home/icy/real/freetype2-asan/install/bin/example2+0x419a78)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/icy/real/freetype2-asan/install/lib/libfreetype.so.6+0x48815) 
==77600==ABORTING

The GDB debugging information is as follows:

(gdb) set args POC1 @ 
(gdb) r
...
Breakpoint 2, FT_Request_Size (face=0x604d90, req=0x7fffffffdf60)
    at /home/icy/real/freetype2/src/base/ftobjs.c:3073
3073	    face->size->internal->autohint_metrics.x_scale = 0;
(gdb) p face->size->internal
$5 = (FT_Size_Internal) 0x2680020394225ff
(gdb) p face->size->internal->autohint_metrics.x_scale
Cannot access memory at address 0x268002039422617

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff781e2e7 in FT_Request_Size (face=0x604d90, req=0x7fffffffdf60)
    at /home/icy/real/freetype2/src/base/ftobjs.c:3073
3073	    face->size->internal->autohint_metrics.x_scale = 0;
(gdb) bt
#0  0x00007ffff781e2e7 in FT_Request_Size (face=0x604d90, req=0x7fffffffdf60)
    at /home/icy/real/freetype2/src/base/ftobjs.c:3073
#1  0x00007ffff781e8b6 in FT_Set_Char_Size (face=0x7ffff7bbbfd0, char_width=64, char_height=64, 
    horz_resolution=72, vert_resolution=72) at /home/icy/real/freetype2/src/base/ftobjs.c:3169
Python Exception <class 'gdb.error'> There is no member named _M_dataplus.: 
#2  0x0000000000402146 in WriteGlyphAsTGA (library=@0x7fffffffe3b0: 0x627c50, fileName=, ch=66 L'B', 
    face=@0x7fffffffe1a0: 0x604d90, size=<optimized out>, fontCol=..., outlineCol=..., outlineWidth=3)
    at example2.cpp:228
#3  0x0000000000403292 in main (argc=<optimized out>, argv=<optimized out>) at example2.cpp:381

There is a memory access error at function FT_Request_Size() at line ftobjs.c:3073.

3056   FT_EXPORT_DEF( FT_Error )
3057   FT_Request_Size( FT_Face          face,
3058                    FT_Size_Request  req )
3059   {
...
3070 
3071     /* signal the auto-hinter to recompute its size metrics */
3072     /* (if requested)                                       */
3073     face->size->internal->autohint_metrics.x_scale = 0;
3074 
3075     clazz = face->driver->clazz;


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 2 Marek Kašík 2017-07-03 04:07:29 EDT
*** Bug 1467221 has been marked as a duplicate of this bug. ***
Comment 3 Marek Kašík 2017-07-03 07:12:14 EDT
This is not a bug in freetype. The reproducer wrongly accesses memory which was uninitialized in itself.
There are 2 ways how to avoid this crash. The first (and the one which should really be done) is to check the result of "FT_New_Memory_Face()" for error. And the second one is to initialize the "face" variable to NULL.

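A self-contained C illustration of the two mitigations named in the comment above. This is added example code, not the reporter's example2.cpp and not FreeType's own API: `mock_new_memory_face()` and `mock_set_char_size()` are constructed stand-ins that follow the out-parameter contract the comment implies for FT_New_Memory_Face() (the face pointer is written only on success, so an unchecked failure leaves the caller's variable holding whatever it held before). The `MockFace` type, the "FONT" tag, the sentinel value and the sample buffers are all constructed assumptions; `load_face_unchecked()` mirrors the reproducer's pattern and `load_face_checked()` applies both fixes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an FT_Face-like object; not FreeType's FT_FaceRec. */
typedef struct {
    size_t data_len;   /* bytes of font data the mock "loader" accepted */
    int    size_set;   /* set by mock_set_char_size() */
} MockFace;

static MockFace g_face_storage;   /* one static face, so no allocation is needed */

/* Mock of the FT_New_Memory_Face() contract assumed here (constructed, not FreeType):
 * returns 0 and writes *aface on success; on error returns a nonzero code and
 * does not touch *aface, so the caller's variable keeps its previous contents. */
int mock_new_memory_face(const unsigned char *buf, size_t len, MockFace **aface)
{
    /* A "valid font" for this mock is any buffer that starts with the tag "FONT". */
    if (buf == NULL || len < 4 || memcmp(buf, "FONT", 4) != 0)
        return 2;                         /* arbitrary nonzero error code */
    g_face_storage.data_len = len;
    g_face_storage.size_set = 0;
    *aface = &g_face_storage;
    return 0;
}

/* Mock of the later call that dereferences the face (FT_Set_Char_Size in the report). */
int mock_set_char_size(MockFace *face)
{
    face->size_set = 1;
    return 0;
}

/* Sentinel standing in for "uninitialized stack garbage", so the unchecked path
 * can be observed in a test without dereferencing a wild pointer. */
#define GARBAGE_FACE ((MockFace *)(uintptr_t)0xdeadbeefu)

/* The reproducer's pattern: error result ignored and `face` never initialized.
 * On a rejected input the caller is handed the untouched garbage value. */
int load_face_unchecked(const unsigned char *buf, size_t len, MockFace **out)
{
    MockFace *face = GARBAGE_FACE;              /* models an uninitialized local */
    (void)mock_new_memory_face(buf, len, &face);
    *out = face;                                /* the next step would dereference this */
    return 0;
}

/* Both fixes from the comment: initialize to NULL, and check the loader's result. */
int load_face_checked(const unsigned char *buf, size_t len, MockFace **out)
{
    MockFace *face = NULL;                      /* misuse now faults at address 0, deterministically */
    int err = mock_new_memory_face(buf, len, &face);
    if (err != 0) {
        *out = NULL;
        return err;                             /* never reach the dereference below */
    }
    mock_set_char_size(face);
    *out = face;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one the mock accepts, one it rejects (like a fuzzed file). */
    static const unsigned char good[] = "FONT\x01\x02";
    static const unsigned char bad[]  = "\xff\xfe\xfd";
    MockFace *face = NULL;
    int err;

    err = load_face_checked(good, sizeof good, &face);
    printf("checked/good:  err=%d size_set=%d\n", err, face ? face->size_set : -1);

    err = load_face_checked(bad, sizeof bad, &face);
    printf("checked/bad:   err=%d face=%p\n", err, (void *)face);

    load_face_unchecked(bad, sizeof bad, &face);
    printf("unchecked/bad: face=%p (garbage, would crash on use)\n", (void *)face);
    return 0;
}
```

Build with a plain `cc -std=c99 -Wall` and run; no FreeType is needed. The NULL initialization alone does not stop the crash, it only turns a read through a random stack value (the `0x2680020394225ff` pointer in the gdb session) into a deterministic null dereference that ASan and gdb report at address 0; checking the return value is the fix that keeps a rejected input from ever reaching FT_Set_Char_Size().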