[cairo] Anyone interested in fuzzing issues?

Uli Schlachter psychon at znc.in
Thu Dec 17 07:07:04 UTC 2020


On 16.12.20 at 23:58, Albert Astals Cid wrote:
> On Wednesday, 16 December 2020, at 21:08:52 CET, Uli Schlachter wrote:
>> On 16.12.20 at 20:29, Albert Astals Cid wrote:
>>> We recently added fuzzing to the cairo renderer in poppler and we're getting quite some issues like
>> Do you have some links? Which inputs to which function are you fuzzing?
>> I'm curious. A quick search didn't find any relevant code.
> I'm not sure I understood what you're interested in, but basically we're fuzzing what a normal application would do with poppler, that if you're using the glib codepaths, ends up using cairo to do drawing/printing
> Some random links
> https://gitlab.freedesktop.org/poppler/poppler/-/blob/master/glib/tests/fuzzing/pdf_draw_fuzzer.cc

Ah, right. Sorry, I totally forgot what poppler is. Of course it makes
total sense to go poppler_document_new_from_data(input_from_the_fuzzer).
I guess I was thinking too much about cairo where it is a lot more
complicated to come up with fuzzing targets.

This might also explain why all three examples end up in the same code
region in cairo: This might be the most complicated part of the input
that ends up being parsed.

> Are you happy with me publicly posting these crashes? Or prefer if I check the "This issue is confidential and should only be visible to team members with at least Reporter access." box in the gitlab issues?

Me personally? I'm okay with you posting these publicly, but that does
not mean much. Given the current state of things in cairo, the more eyes
can see it, the more people can fix it.

Since these are the first crashes that were found, "interested people"
could just run the fuzzers themselves and find the same crashes. It
doesn't require much CPU time or anything. Sure, it lowers the bar if
people already get crashing inputs, but it still requires someone with a
lot of knowledge to turn these into weaponized exploits.

Even then, after a fix is in git, interested people could still "do
something" with that. I bet there are enough ancient cairo versions out
there that are still in use. And even then, cairo is slow at making
releases these days....

So, yes, I am okay with you posting these publicly, but for the wrong
reasons. ;-)

If you want, you can also mark the issues as confidential.

>> Related: Could you take a look at
>> https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/69? Google
>> has an intern who wrote some fuzzing targets for cairo. Perhaps they
>> have a similar approach or your and their effort could be integrated?
> Yes, it's the same thing and not the same thing :D

Thanks. And sorry again for not thinking about "what does poppler do
again?" :-)

Bruce Schneier can read and understand Perl programs.
