[cairo] Anyone interested in fuzzing issues?

Uli Schlachter psychon at znc.in
Wed Dec 16 20:08:52 UTC 2020


On 16.12.20 at 20:29, Albert Astals Cid wrote:
> We recently added fuzzing to the cairo renderer in poppler and we're getting quite some issues like

Do you have some links? Which inputs to which function are you fuzzing?
I'm curious. A quick search didn't find any relevant code.

> ==937==ERROR: AddressSanitizer: SEGV on unknown address 0x621ffffffbf1 (pc 0x00000128668c bp 0x7fff021c0130 sp 0x7fff021c0130 T0)
> The signal is caused by a READ memory access.
> 	    #0 0x128668c in get_unaligned_be16 cairo/src/cairoint.h:254:12

This is only called by cairo-cff-subset.c. So, something in there
managed to produce a broken pointer. Cannot say much without a backtrace.

> ==16677==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000ab0 at pc 0x000001284abe bp 0x7ffcd2a139c0 sp 0x7ffcd2a139b8
> WRITE of size 4 at 0x61e000000ab0 thread T0
> 	    #0 0x1284abd in cairo_cff_font_read_fdselect cairo/src/cairo-cff-subset.c:995:35

Fun fact: This calls get_unaligned_be16(), so might be closely related
to the above point.

The code here seems to... do something with font data? It blindly trusts
the data in the font and writes to an array with a size that was also
read from the font data.

> ==82684==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000001183711 bp 0x7fff8230a940 sp 0x7fff8230a840 T0)
> The signal is caused by a READ memory access.
> 	    #0 0x1183711 in cairo_cff_font_subset_charstrings_and_subroutines cairo/src/cairo-cff-subset.c:1792:45

Random guess: You are fuzzing "font stuff" and the font maps something
to glyph 0 (or more generally: "is somehow seriously broken /

> Anyone interested in the full traces/files to reproduce those issues?

Sure, why not. I might have some time after Christmas, but I cannot
promise anything.

Depending on volume, you could also feed your findings into the bugtracker.

I don't really know this font stuff, but it seems like you are feeding a
broken font into code that was not meant to deal with malicious fonts.

Related: Could you take a look at
https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/69? Google
has an intern who wrote some fuzzing targets for cairo. Perhaps they
have a similar approach or your and their effort could be integrated?

Who needs a ~/.signature anyway?
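The defect pattern discussed in this thread is a length or count read from untrusted font data and then used, unchecked, as the size of a write. The following is an added example, not cairo's code or Albert's fuzzing harness: it shows a bounds-checked big-endian reader beside a count-prefixed table parser that validates the declared count against both the bytes actually present and the destination capacity. The table layout, the helper names and the sample byte strings are constructed for illustration and are not a real CFF structure.

```c
#include <stddef.h>
#include <stdint.h>

/* Bounds-checked big-endian 16-bit read. Unlike a pointer-only helper,
 * it refuses to read past `len` instead of reading whatever follows.
 * (Hypothetical helper, not cairo's get_unaligned_be16().) */
static int read_be16_checked(const uint8_t *buf, size_t len, size_t off,
                             uint16_t *out)
{
    if (off > len || len - off < 2)
        return -1;
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 0;
}

/* Hypothetical table: a 16-bit entry count followed by that many 16-bit
 * entries. Copies entries into `dst` (capacity `dst_cap` entries).
 * Returns the number of entries copied, or -1 when the declared count
 * does not fit the bytes present or the destination buffer. */
static int parse_count_prefixed_table(const uint8_t *buf, size_t len,
                                      uint16_t *dst, size_t dst_cap)
{
    uint16_t count, v;
    size_t i;

    if (read_be16_checked(buf, len, 0, &count) != 0)
        return -1;
    /* `count` is attacker-controlled: check it against the destination
     * we write into and against the input bytes that remain. */
    if ((size_t)count > dst_cap)
        return -1;
    if ((len - 2) / 2 < (size_t)count)
        return -1;
    for (i = 0; i < count; i++) {
        if (read_be16_checked(buf, len, 2 + 2 * i, &v) != 0)
            return -1;
        dst[i] = v;
    }
    return (int)count;
}

/* Constructed sample inputs (not real font data). */
static const uint8_t good_table[]  = { 0x00, 0x02, 0x12, 0x34, 0xAB, 0xCD };
static const uint8_t lying_table[] = { 0x7F, 0xFF, 0x12, 0x34 }; /* claims 32767 entries */

int main(void)
{
    uint16_t out[8];
    int n = parse_count_prefixed_table(good_table, sizeof good_table, out, 8);
    int m = parse_count_prefixed_table(lying_table, sizeof lying_table, out, 8);
    return (n == 2 && m == -1) ? 0 : 1;
}
```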
