[cairo-bugs] [Bug 107386] New: cairo: oss-fuzz integration
bugzilla-daemon at freedesktop.org
Thu Jul 26 12:21:34 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=107386
Bug ID: 107386
Summary: cairo: oss-fuzz integration
Product: cairo
Version: unspecified
Hardware: Other
OS: Linux (All)
Status: NEW
Severity: minor
Priority: medium
Component: general
Assignee: chris at chris-wilson.co.uk
Reporter: pdknsk at gmail.com
QA Contact: cairo-bugs at cairographics.org
I'm interested if you're interested in having cairo integrated into oss-fuzz.
https://github.com/google/oss-fuzz
You only have to give an email address to be notified at when new bugs are
found, and also a basic commitment in principle to be interested in those bugs.
Since fuzzing cairo directly doesn't really work, I want to go the reverse
route by having the fuzzer generate CairoScript, which is then interpreted and
rendered. A minor problem with that approach is that bugs in cairo-script have
to be fixed first before it can really get to finding bugs in cairo itself. I
already found quite a few of the former in a brief run.
A sample.
==1466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d001b303f0 at pc 0x0000005a56f7 bp 0x7ffd1ddb5030 sp 0x7ffd1ddb5028
READ of size 4 at 0x62d001b303f0 thread T0
    #0 0x5a56f6 in csi_object_reference cairo/util/cairo-script/cairo-script-objects.c:650:9
    #1 0x5c16b0 in _csi_push_ostack_copy cairo/util/cairo-script/./cairo-script-private.h:946:48
    #2 0x5afd8f in _index cairo/util/cairo-script/cairo-script-operators.c:3445:12
    #3 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #4 0x5cffa2 in token_end cairo/util/cairo-script/cairo-script-scanner.c:507:11
    #5 0x5ce416 in _scan_file cairo/util/cairo-script/cairo-script-scanner.c:1062:6
    #6 0x5ccf86 in _csi_scan_file cairo/util/cairo-script/cairo-script-scanner.c:1408:5
    #7 0x5a5d24 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:638:9
    #8 0x59eb28 in cairo_script_interpreter_feed_string cairo/util/cairo-script/cairo-script-interpreter.c:620:19

==25526==ERROR: AddressSanitizer: stack-overflow on address 0x7fffc8f48ff8 (pc 0x000000427525 bp 0x7fffc8f49850 sp 0x7fffc8f49000 T0)
    #0 0x427524 in __asan_memcpy llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x4d7520 in _cairo_path_buf_add_points cairo/src/cairo-path-fixed.c:803:5
    #2 0x4d0fc6 in _cairo_path_fixed_add cairo/src/cairo-path-fixed.c:748:5
    #3 0x4d01bb in _cairo_path_fixed_line_to cairo/src/cairo-path-fixed.c:551:12
    #4 0x4774e0 in _cairo_default_context_rel_line_to cairo/src/cairo-default-context.c:815:12
    #5 0x596f41 in INT_cairo_rel_line_to cairo/src/cairo.c:2003:14
    #6 0x5b0672 in _rel_line_to cairo/util/cairo-script/cairo-script-operators.c:4288:5
    #7 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #8 0x5a59b2 in _csi_array_execute cairo/util/cairo-script/cairo-script-objects.c:149:12
    #9 0x5af7aa in _ifelse cairo/util/cairo-script/cairo-script-operators.c
    #10 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #11 0x5a59b2 in _csi_array_execute cairo/util/cairo-script/cairo-script-objects.c:149:12

==24929==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x4284a3 in malloc llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5d35ce in _csi_stack_init cairo/util/cairo-script/cairo-script-stack.c:50:22
    #2 0x5a4e30 in csi_array_new cairo/util/cairo-script/cairo-script-objects.c:59:11
    #3 0x5cfd79 in token_end cairo/util/cairo-script/cairo-script-scanner.c:447:15
    #4 0x5cdb07 in _scan_file cairo/util/cairo-script/cairo-script-scanner.c
    #5 0x5ccf86 in _csi_scan_file cairo/util/cairo-script/cairo-script-scanner.c:1408:5
    #6 0x5a5d24 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:638:9
    #7 0x59eb28 in cairo_script_interpreter_feed_string cairo/util/cairo-script/cairo-script-interpreter.c:620:19
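The reporter's practical problem is telling cairo-script interpreter bugs apart from bugs in cairo itself, so that the former can be fixed first. As an added example that is not part of the bug report or of the cairo project, the script below parses sanitizer reports of the kind quoted above and attributes each finding to a component from the blamed frame's path. The embedded reports are constructed from the quoted traces, and the rule that a stack overflow is blamed on the first function that recurs in the trace is a triage heuristic assumed here, not something the report states.

```python
import re
from collections import Counter

ERROR_RE = re.compile(r"^==\d+==ERROR: (\w+Sanitizer): ([\w-]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+?)(?::(\d+)(?::\d+)?)?)?\s*$")
RUNTIME_MARK = "compiler-rt/"  # frames inside the sanitizer runtime are never blamed

# Constructed sample input: frames condensed from the reports quoted in the bug.
SAMPLES = {
    "heap": """==1466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d001b303f0
    #0 0x5a56f6 in csi_object_reference cairo/util/cairo-script/cairo-script-objects.c:650:9
    #1 0x5afd8f in _index cairo/util/cairo-script/cairo-script-operators.c:3445:12""",
    "stack": """==25526==ERROR: AddressSanitizer: stack-overflow on address 0x7fffc8f48ff8
    #0 0x427524 in __asan_memcpy llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x4d7520 in _cairo_path_buf_add_points cairo/src/cairo-path-fixed.c:803:5
    #2 0x5b0672 in _rel_line_to cairo/util/cairo-script/cairo-script-operators.c:4288:5
    #3 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #4 0x5af7aa in _ifelse cairo/util/cairo-script/cairo-script-operators.c
    #5 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9""",
    "leak": """==24929==ERROR: LeakSanitizer: detected memory leaks
    #0 0x4284a3 in malloc llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5d35ce in _csi_stack_init cairo/util/cairo-script/cairo-script-stack.c:50:22""",
}

def parse(report):
    """Return (kind, frames); each frame is (function, path, line)."""
    kind, frames = None, []
    for line in report.splitlines():
        m = ERROR_RE.match(line)
        if m:  # LSan's header carries no bug kind, so name the class ourselves
            kind = "memory-leak" if m.group(1) == "LeakSanitizer" else m.group(2)
        elif m := FRAME_RE.match(line):
            frames.append((m.group(1), m.group(2) or "", int(m.group(3) or 0)))
    return kind, frames

def component(path):
    if "util/cairo-script/" in path:
        return "cairo-script"
    return "cairo core" if path.startswith("cairo/src/") else "other"

def triage(report):
    """Blame the first non-runtime frame; for a stack overflow the crash site is just where the stack ran out, so blame the first recurring function instead (heuristic)."""
    kind, frames = parse(report)
    app = [f for f in frames if RUNTIME_MARK not in f[1]]
    if not app: return None
    blamed = app[0]
    if kind == "stack-overflow":
        seen = Counter(f[0] for f in app)
        blamed = next((f for f in app if seen[f[0]] > 1), app[0])
    return {"kind": kind, "crash_site": app[0][0], "blamed": blamed[0], "component": component(blamed[1]),
            "signature": "%s@%s:%s:%d" % (kind, blamed[0], blamed[1], blamed[2])}
```

The signature field is a stable key for deduplicating repeated fuzzer findings before filing them.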