[cairo] Anyone interested in fuzzing issues?

Albert Astals Cid aacid at kde.org
Thu Dec 17 23:51:46 UTC 2020 

El dijous, 17 de desembre de 2020, a les 8:07:04 CET, Uli Schlachter va escriure:
> Hi,
> 
> Am 16.12.20 um 23:58 schrieb Albert Astals Cid:
> > El dimecres, 16 de desembre de 2020, a les 21:08:52 CET, Uli Schlachter va escriure:
> >> Am 16.12.20 um 20:29 schrieb Albert Astals Cid:
> >>> We recently added fuzzing to the cairo renderer in poppler and we're getting quite some issues like
> >>
> >> Do you have some links? Which inputs do which function are you fuzzing?
> >> I'm curious. A quick search didn't find any relevant code.
> > 
> > I'm not sure I understood what you're interested in, but basically we're fuzzying what a normal application would do with poppler, that if you're using the glib codepaths, ends up using cairo to do drawing/printing
> > 
> > Some random links
> > https://gitlab.freedesktop.org/poppler/poppler/-/blob/master/glib/tests/fuzzing/pdf_draw_fuzzer.cc
> 
> Ah, right. Sorry, I totally forgot what poppler is. Of course it makes
> total sense to go poppler_document_new_from_data(input_from_the_fuzzer).
> I guess I was thinking too much about cairo where it is a lot more
> complicated to come up with fuzzing targets.
> 
> This might also explain why all three examples end up in the same code
> region in cairo: This might be the most complicated part of the input
> that ends up being parsed.
> 
> [...]
> > Are you happy with me publicly posting these crashes? Or prefer if i check the "This issue is confidential and should only be visible to team members with at least Reporter access." box in the gitlab issues?
> 
> Me personally? I'm okay with you posting these publicly, but that does
> not mean much. Given the current state of things in cairo, the more eyes
> can see it, the more people can fix it.
> 
> Since these are the first crashes that were found, "interested people"
> could just run the fuzzers themselves and find the same crashes. It
> doesn't require much CPU time or anything. Sure, it lowers the bar if
> people already get crashing inputs, but it still requires someone with a
> lot knowledge to turn these into weaponized exploits.
> 
> Even then, after a fix is in git, interested people could still "do
> something" with that. I bet there are enough ancient cairo versions out
> there that are still in use. And even then, cairo is slow at making
> releases these days....
> 
> So, yes, I am okay with you posting these publicly, but for the wrong
> reasons. ;-)

Ok, posted one at https://gitlab.freedesktop.org/cairo/cairo/-/issues/444

The others have relatively similar traces, so I think if this gets fixed I can add the rest :)

Cheers,
  Albert

> 
> If you want, you can also mark the issues as confidential.
> 
> [...]
> >> Related: Could you take a look at
> >> https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/69? Google
> >> has an intern who wrote some fuzzing targets for cairo. Perhaps they
> >> have a similar approach or your and their effort could be integrated?
> > 
> > Yes, it's the same thing and not the same thing :D
> 
> Thanks. And sorry again for not thinking about "what does poppler do
> again?" :-)
> 
> Cheers,
> Uli
>

More information about the cairo mailing list