SEGV in cairo_cff_font_subset_dict_string & SEGV in cairo_type1_font_subset_for_each_glyph

iasunsea at sina.com
Sun Jun 25 15:23:55 UTC 2023


When we run poppler on fusiontest-testcase-annot_fuzzer-202110250005 and fusiontest-testcase-pdf_draw_fuzzer-202110250011, we find that cairo has a SEGV on an unknown address, and we attach bugfix-fix-read-memory-access.patch.

==445452==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000012d1cdb bp 0x7ffcff8d3f20 sp 0x7ffcff8d3da0 T0)
==445452==The signal is caused by a READ memory access.
==445452==Hint: address points to the zero page.
    #0 0x12d1cdb in cairo_cff_font_subset_dict_string /src/cairo/_builddir/../src/cairo-cff-subset.c:1418:70
    #1 0x12d1a94 in cairo_cff_font_subset_dict_strings /src/cairo/_builddir/../src/cairo-cff-subset.c:1450:18
    #2 0x12ce35f in cairo_cff_font_subset_strings /src/cairo/_builddir/../src/cairo-cff-subset.c:1928:14
    #3 0x12c8813 in cairo_cff_font_subset_font /src/cairo/_builddir/../src/cairo-cff-subset.c:2004:14
    #4 0x12c388e in cairo_cff_font_generate /src/cairo/_builddir/../src/cairo-cff-subset.c:2600:14
    #5 0x12c277a in _cairo_cff_subset_init /src/cairo/_builddir/../src/cairo-cff-subset.c:2977:14
    #6 0x11f790c in _cairo_pdf_surface_emit_cff_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:5939:14
    #7 0x11f7152 in _cairo_pdf_surface_emit_unscaled_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:6654:14
    #8 0x12dca14 in _cairo_sub_font_collect /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:742:30
    #9 0x12d965a in _cairo_scaled_font_subsets_foreach_internal /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1064:6
    #10 0x12d9972 in _cairo_scaled_font_subsets_foreach_unscaled /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1092:12
    #11 0x11dffd0 in _cairo_pdf_surface_emit_font_subsets /src/cairo/_builddir/../src/cairo-pdf-surface.c:6704:14
    #12 0x11da795 in _cairo_pdf_surface_finish /src/cairo/_builddir/../src/cairo-pdf-surface.c:2486:11
    #13 0x11a8498 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
    #14 0x11a76e9 in cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1079:5
    #15 0x126d062 in _cairo_paginated_surface_finish /src/cairo/_builddir/../src/cairo-paginated-surface.c:214:2
    #16 0x11a8498 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
    #17 0x11a5175 in cairo_surface_destroy /src/cairo/_builddir/../src/cairo-surface.c:970:2
    #18 0x6a338d in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/annot_fuzzer.cc:73:5
    #19 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #20 0x594942 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #21 0x59a5e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #22 0x5c3af2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #23 0x7f6d3482db26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
    #24 0x5707f9 in _start (/root/oss-fuzz/build/out/poppler/annot_fuzzer+0x5707f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/cairo/_builddir/../src/cairo-cff-subset.c:1418:70 in cairo_cff_font_subset_dict_string
==445452==ABORTING

-----------------------------------------------------------------------------------

==445378==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000012f1859 bp 0x7ffd0e09e930 sp 0x7ffd0e09e820 T0)
==445378==The signal is caused by a READ memory access.
==445378==Hint: address points to the zero page.
    #0 0x12f1859 in cairo_type1_font_subset_for_each_glyph /src/cairo/_builddir/../src/cairo-type1-subset.c:1238:40
    #1 0x12ef869 in cairo_type1_font_subset_write_private_dict /src/cairo/_builddir/../src/cairo-type1-subset.c:1383:14
    #2 0x12ed874 in cairo_type1_font_subset_write /src/cairo/_builddir/../src/cairo-type1-subset.c:1605:14
    #3 0x12ecd95 in cairo_type1_font_subset_generate /src/cairo/_builddir/../src/cairo-type1-subset.c:1677:14
    #4 0x12ec05b in _cairo_type1_subset_init /src/cairo/_builddir/../src/cairo-type1-subset.c:1749:14
    #5 0x11f8c7c in _cairo_pdf_surface_emit_type1_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:6132:14
    #6 0x11f7262 in _cairo_pdf_surface_emit_unscaled_font_subset /src/cairo/_builddir/../src/cairo-pdf-surface.c:6662:14
    #7 0x12dcae4 in _cairo_sub_font_collect /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:742:30
    #8 0x12d972a in _cairo_scaled_font_subsets_foreach_internal /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1064:6
    #9 0x12d9a42 in _cairo_scaled_font_subsets_foreach_unscaled /src/cairo/_builddir/../src/cairo-scaled-font-subsets.c:1092:12
    #10 0x11e00a0 in _cairo_pdf_surface_emit_font_subsets /src/cairo/_builddir/../src/cairo-pdf-surface.c:6704:14
    #11 0x11da865 in _cairo_pdf_surface_finish /src/cairo/_builddir/../src/cairo-pdf-surface.c:2486:11
    #12 0x11a8568 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
    #13 0x11a77b9 in cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1079:5
    #14 0x126d132 in _cairo_paginated_surface_finish /src/cairo/_builddir/../src/cairo-paginated-surface.c:214:2
    #15 0x11a8568 in _cairo_surface_finish /src/cairo/_builddir/../src/cairo-surface.c:1030:11
    #16 0x11a5245 in cairo_surface_destroy /src/cairo/_builddir/../src/cairo-surface.c:970:2
    #17 0x6a3436 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
    #18 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #19 0x594942 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #20 0x59a5e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #21 0x5c3af2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7fa61d4ceb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
    #23 0x5707f9 in _start (/root/oss-fuzz/build/out/poppler/pdf_draw_fuzzer+0x5707f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/cairo/_builddir/../src/cairo-type1-subset.c:1238:40 in cairo_type1_font_subset_for_each_glyph
==445378==ABORTING
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/9f0eb609/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fusiontest-testcase-pdf_draw_fuzzer-202110250011
Type: application/octet-stream
Size: 97513 bytes
Desc: not available
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/9f0eb609/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fusiontest-testcase-annot_fuzzer-202110250005
Type: application/octet-stream
Size: 1025 bytes
Desc: not available
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/9f0eb609/attachment-0003.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bugfix-fix-read-memory-access.patch
URL: <https://lists.cairographics.org/archives/cairo/attachments/20230625/9f0eb609/attachment-0001.ksh>
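Both reports above are READ faults inside the zero page (0x0 and 0x8), i.e. a dereference through a NULL pointer where 0x8 is a field offset, which ASan can only report as a SEGV with no heap context. Before such reports are sent upstream, a fuzzing pipeline normally parses the sanitizer output, classifies the fault and deduplicates on the first few in-project frames. The script below is an added example of that triage step; it is not code from the reporter, from cairo or from poppler. The two embedded reports are abbreviated copies of the ones in this mail (most frames elided); the `/src/cairo/` source prefix, the three-frame signature depth and the 0x1000 zero-page threshold are assumptions made for the example.

```python
"""ASan SEGV triage: parse reports, classify the fault, dedupe by signature.

Added example, not part of the original bug report or of cairo/poppler.
"""
import re
from dataclasses import dataclass, field
from os.path import basename

# Abbreviated copies of the two reports in the mail (most frames elided).
REPORT_CFF = """\
==445452==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000012d1cdb bp 0x7ffcff8d3f20 sp 0x7ffcff8d3da0 T0)
==445452==The signal is caused by a READ memory access.
==445452==Hint: address points to the zero page.
    #0 0x12d1cdb in cairo_cff_font_subset_dict_string /src/cairo/_builddir/../src/cairo-cff-subset.c:1418:70
    #1 0x12d1a94 in cairo_cff_font_subset_dict_strings /src/cairo/_builddir/../src/cairo-cff-subset.c:1450:18
    #2 0x12ce35f in cairo_cff_font_subset_strings /src/cairo/_builddir/../src/cairo-cff-subset.c:1928:14
    #18 0x6a338d in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/annot_fuzzer.cc:73:5
    #19 0x5a91d3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #23 0x7f6d3482db26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
SUMMARY: AddressSanitizer: SEGV /src/cairo/_builddir/../src/cairo-cff-subset.c:1418:70 in cairo_cff_font_subset_dict_string
==445452==ABORTING
"""

REPORT_TYPE1 = """\
==445378==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000012f1859 bp 0x7ffd0e09e930 sp 0x7ffd0e09e820 T0)
==445378==The signal is caused by a READ memory access.
==445378==Hint: address points to the zero page.
    #0 0x12f1859 in cairo_type1_font_subset_for_each_glyph /src/cairo/_builddir/../src/cairo-type1-subset.c:1238:40
    #1 0x12ef869 in cairo_type1_font_subset_write_private_dict /src/cairo/_builddir/../src/cairo-type1-subset.c:1383:14
    #2 0x12ed874 in cairo_type1_font_subset_write /src/cairo/_builddir/../src/cairo-type1-subset.c:1605:14
    #17 0x6a3436 in LLVMFuzzerTestOneInput /src/poppler/glib/tests/fuzzing/pdf_draw_fuzzer.cc:70:5
SUMMARY: AddressSanitizer: SEGV /src/cairo/_builddir/../src/cairo-type1-subset.c:1238:40 in cairo_type1_font_subset_for_each_glyph
==445378==ABORTING
"""

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# Function names may contain spaces (C++ signatures); the location is the last token.
FRAME_RE = re.compile(r"#(?P<n>\d+)\s+0x[0-9a-f]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)$")

@dataclass
class Frame:
    func: str
    loc: str

@dataclass
class Crash:
    pid: int
    kind: str
    address: int
    access: str = "UNKNOWN"
    frames: list = field(default_factory=list)

def parse_asan_report(text: str) -> Crash:
    """Extract pid, fault kind/address, access type and the stack frames."""
    crash = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m:
            crash = Crash(int(m["pid"]), m["kind"], int(m["addr"], 16))
            continue
        if crash is None:
            continue
        m = ACCESS_RE.search(line)
        if m:
            crash.access = m["access"]
            continue
        m = FRAME_RE.match(line)
        if m:
            crash.frames.append(Frame(m["func"], m["loc"]))
    if crash is None:
        raise ValueError("no AddressSanitizer error header found")
    return crash

def fault_class(crash: Crash) -> str:
    """Zero-page faults (assumed threshold 0x1000) are NULL-pointer dereferences;
    the address itself is the field offset read through the NULL pointer."""
    if crash.address < 0x1000:
        return f"null-deref (NULL+0x{crash.address:x}, {crash.access})"
    return f"wild-pointer ({crash.access})"

def signature(crash: Crash, prefix: str = "/src/cairo/", depth: int = 3) -> str:
    """Dedup key: the first `depth` frames under the project prefix, as
    function@file:line, with the column dropped so small edits do not split buckets."""
    parts = []
    for f in crash.frames:
        if not f.loc.startswith(prefix):
            continue
        pieces = basename(f.loc).split(":")
        parts.append(f"{f.func}@{pieces[0]}:{pieces[1] if len(pieces) > 1 else '?'}")
        if len(parts) == depth:
            break
    return "|".join(parts)

def triage(reports, prefix: str = "/src/cairo/") -> dict:
    """Bucket raw reports by signature -> list of Crash."""
    buckets = {}
    for text in reports:
        c = parse_asan_report(text)
        buckets.setdefault(signature(c, prefix), []).append(c)
    return buckets

if __name__ == "__main__":
    for sig, crashes in triage([REPORT_CFF, REPORT_TYPE1]).items():
        c = crashes[0]
        print(f"{len(crashes)} report(s)  pid={c.pid}  {fault_class(c)}\n  {sig}")
```

The signature deliberately skips the poppler and libFuzzer frames: the fault is in cairo's font subsetting, and the harness frames are identical for every crash from the same fuzzer, so including them would hide that two different harnesses hit the same bug. A NULL read like these is a crash (denial of service) finding until the attached patch and the surrounding code are examined; a WRITE near NULL or a fault far from the zero page would deserve a different priority.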