<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Cairo-1.15.4 Denial-of-Service Attack due to Logical Problem in Program"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=100763">100763</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Cairo-1.15.4 Denial-of-Service Attack due to Logical Problem in Program
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>freetype font backend
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>david@freetype.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>pengjiaqi@iie.ac.cn
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=130989" name="attach_130989" title="detailed analysis report, a poc file, proposed patch">attachment 130989</a> <a href="attachment.cgi?id=130989&action=edit" title="detailed analysis report, a poc file, proposed patch">[details]</a></span>
detailed analysis report, a poc file, proposed patch

## Overview
I and my colleague have found a vulnerability of Cairo-1.15.4 when fuzzing
HarfBuzz with AFL. HarBuzz is an OpenType text shaping engine and it contains a
tool named hb-view which utilizes Cairo to give a graphical view of text using
a font provided by user. This vulnerability is due to logical problem in
program, and can cause a Denial-of-Service attack with a crafted font file. 

The attachment is a zip file which includes my detail analysis report and a PoC
file. In order to avoid disclosing it before patch is released, I have
encrypted it. The developers can communicate with me to get the password.


## Author
name: Jiaqi Peng, Bingchang Liu @VARAS of IIE
email: <a href="mailto:pjqruc@gmail.com">pjqruc@gmail.com</a></pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>