<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - cairo: oss-fuzz integration"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=107386">107386</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>cairo: oss-fuzz integration
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>minor
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>pdknsk@gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>I'm interested if you're interested in having cairo integrated into oss-fuzz.

<a href="https://github.com/google/oss-fuzz">https://github.com/google/oss-fuzz</a>

You only have to give an email address to be notified when new bugs are
found, and also a basic commitment in principle to be interested in those bugs.

Since fuzzing cairo directly doesn't really work, I want to go the reverse
route by having the fuzzer generate CairoScript, which is then interpreted and
rendered. A minor problem with that approach is that bugs in cairo-script have
to be fixed first before it can really get to finding bugs in cairo itself. I
already found quite a few of the former in a brief run.

A sample.

==1466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d001b303f0
at pc 0x0000005a56f7 bp 0x7ffd1ddb5030 sp 0x7ffd1ddb5028
READ of size 4 at 0x62d001b303f0 thread T0
    #0 0x5a56f6 in csi_object_reference
cairo/util/cairo-script/cairo-script-objects.c:650:9
    #1 0x5c16b0 in _csi_push_ostack_copy
cairo/util/cairo-script/./cairo-script-private.h:946:48
    #2 0x5afd8f in _index
cairo/util/cairo-script/cairo-script-operators.c:3445:12
    #3 0x5a5c88 in csi_object_execute
cairo/util/cairo-script/cairo-script-objects.c:633:9
    #4 0x5cffa2 in token_end
cairo/util/cairo-script/cairo-script-scanner.c:507:11
    #5 0x5ce416 in _scan_file
cairo/util/cairo-script/cairo-script-scanner.c:1062:6
    #6 0x5ccf86 in _csi_scan_file
cairo/util/cairo-script/cairo-script-scanner.c:1408:5
    #7 0x5a5d24 in csi_object_execute
cairo/util/cairo-script/cairo-script-objects.c:638:9
    #8 0x59eb28 in cairo_script_interpreter_feed_string
cairo/util/cairo-script/cairo-script-interpreter.c:620:19

==25526==ERROR: AddressSanitizer: stack-overflow on address 0x7fffc8f48ff8 (pc
0x000000427525 bp 0x7fffc8f49850 sp 0x7fffc8f49000 T0)
    #0 0x427524 in __asan_memcpy
llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x4d7520 in _cairo_path_buf_add_points
cairo/src/cairo-path-fixed.c:803:5
    #2 0x4d0fc6 in _cairo_path_fixed_add cairo/src/cairo-path-fixed.c:748:5
    #3 0x4d01bb in _cairo_path_fixed_line_to
cairo/src/cairo-path-fixed.c:551:12
    #4 0x4774e0 in _cairo_default_context_rel_line_to
cairo/src/cairo-default-context.c:815:12
    #5 0x596f41 in INT_cairo_rel_line_to cairo/src/cairo.c:2003:14
    #6 0x5b0672 in _rel_line_to
cairo/util/cairo-script/cairo-script-operators.c:4288:5
    #7 0x5a5c88 in csi_object_execute
cairo/util/cairo-script/cairo-script-objects.c:633:9
    #8 0x5a59b2 in _csi_array_execute
cairo/util/cairo-script/cairo-script-objects.c:149:12
    #9 0x5af7aa in _ifelse cairo/util/cairo-script/cairo-script-operators.c
    #10 0x5a5c88 in csi_object_execute
cairo/util/cairo-script/cairo-script-objects.c:633:9
    #11 0x5a59b2 in _csi_array_execute
cairo/util/cairo-script/cairo-script-objects.c:149:12

==24929==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x4284a3 in malloc
llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5d35ce in _csi_stack_init
cairo/util/cairo-script/cairo-script-stack.c:50:22
    #2 0x5a4e30 in csi_array_new
cairo/util/cairo-script/cairo-script-objects.c:59:11
    #3 0x5cfd79 in token_end
cairo/util/cairo-script/cairo-script-scanner.c:447:15
    #4 0x5cdb07 in _scan_file cairo/util/cairo-script/cairo-script-scanner.c
    #5 0x5ccf86 in _csi_scan_file
cairo/util/cairo-script/cairo-script-scanner.c:1408:5
    #6 0x5a5d24 in csi_object_execute
cairo/util/cairo-script/cairo-script-objects.c:638:9
    #7 0x59eb28 in cairo_script_interpreter_feed_string
cairo/util/cairo-script/cairo-script-interpreter.c:620:19</pre>
        </div>
      </p>
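      <p>As an added example, not part of this bug report or of the cairo project: a small Python triage helper for sanitizer output like the reports quoted above. It parses each report, derives a dedup signature from the top project frames (skipping sanitizer-runtime frames), and attributes the crash to cairo-script or to cairo core, which is the distinction the reporter draws. The sample input is the bug's own three reports, abridged, with each frame re-joined onto one line.</p>

```python
import re
from collections import namedtuple

# Constructed input: the three reports from the bug text, abridged, with each
# frame re-joined onto one line (the mail client had wrapped them).
SAMPLE = """\
==1466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d001b303f0 at pc 0x0000005a56f7 bp 0x7ffd1ddb5030 sp 0x7ffd1ddb5028
    #0 0x5a56f6 in csi_object_reference cairo/util/cairo-script/cairo-script-objects.c:650:9
    #1 0x5c16b0 in _csi_push_ostack_copy cairo/util/cairo-script/./cairo-script-private.h:946:48
    #2 0x5afd8f in _index cairo/util/cairo-script/cairo-script-operators.c:3445:12
==25526==ERROR: AddressSanitizer: stack-overflow on address 0x7fffc8f48ff8 (pc 0x000000427525 bp 0x7fffc8f49850 sp 0x7fffc8f49000 T0)
    #0 0x427524 in __asan_memcpy llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x4d7520 in _cairo_path_buf_add_points cairo/src/cairo-path-fixed.c:803:5
    #2 0x4d0fc6 in _cairo_path_fixed_add cairo/src/cairo-path-fixed.c:748:5
    #9 0x5af7aa in _ifelse cairo/util/cairo-script/cairo-script-operators.c
==24929==ERROR: LeakSanitizer: detected memory leaks
    #0 0x4284a3 in malloc llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5d35ce in _csi_stack_init cairo/util/cairo-script/cairo-script-stack.c:50:22
    #2 0x5a4e30 in csi_array_new cairo/util/cairo-script/cairo-script-objects.c:59:11
    #3 0x5cfd79 in token_end cairo/util/cairo-script/cairo-script-scanner.c:447:15
"""
HEADER_RE = re.compile(r"^==\d+==ERROR: (\w+Sanitizer): (.+?)(?: on address .*)?$")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (\S+)(?: (\S+))?\s*$")
Frame = namedtuple("Frame", "func path line")  # line is None when the frame has none
Report = namedtuple("Report", "sanitizer kind frames")

def parse_reports(text):
    """One Report per ==pid==ERROR header; lines that are neither are skipped."""
    reports = []
    for raw in text.splitlines():
        if m := HEADER_RE.match(raw):
            reports.append(Report(m.group(1), m.group(2), []))
        elif reports and (m := FRAME_RE.match(raw)):
            parts = (m.group(2) or "").split(":")  # path[:line[:col]]
            line = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
            reports[-1].frames.append(Frame(m.group(1), parts[0], line))
    return reports

def project_frames(report):
    # Sanitizer-runtime frames (memcpy interceptor, malloc) never identify the bug.
    return [f for f in report.frames if "compiler-rt/" not in f.path]

def signature(report, depth=3):
    """Dedup key: one fuzzer bug yields many inputs but the same top project frames."""
    return (report.sanitizer, report.kind, tuple(f.func for f in project_frames(report)[:depth]))

def component(report):
    """Heuristic blame from the top project frame: script interpreter or cairo core."""
    top = project_frames(report)[0].path
    return "cairo-script" if top.startswith("cairo/util/cairo-script/") else ("cairo" if top.startswith("cairo/src/") else "other")
```

The component heuristic is deliberately crude: for the stack-overflow it blames the frame that ran out of stack, while the recursion that caused it sits further down in the script interpreter.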


    </body>
</html>