[cairo] Newest oss-fuzz findings: Three new "issues"

Uli Schlachter psychon at znc.in
Sun Apr 18 13:17:10 UTC 2021


Hi everyone,

since I am the only one who gets mail notifications from oss-fuzz and I
do not really know what to do with them, here is a quick report:
oss-fuzz has three new findings. And there is an older one which is
still open.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27964&q=cairo&can=2
This one is a bit older. I concluded that this is a bug in libpng. Heiko
Lewin investigated this a bit more and apparently the bug is fixed in
libpng git.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33391
Cannot reproduce. The given input is passed to libpng through
cairo_image_surface_create_from_png() and I get an error back. However,
I guess the "out of memory" can be explained by the claimed size of the
"png":
PNG image data, 25096 x 52032, 1-bit grayscale, interlaced

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33393
Oh hey, the other targets that fuzz libpng found the same issue, too!
PNG image data, 409695 x 495933, 2-bit grayscale, non-interlaced
(I didn't investigate this more, but the fuzz target [0] already looks
like this only fuzzes libpng and there is nothing cairo specific in there).

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33394
Another duplicate from one of the other fuzz targets that basically only
fuzzes libpng:
PNG image data, 65538 x 32258, 8-bit grayscale, interlaced
I also did not give this a closer look, but since the fuzz target begins
by passing the input to cairo_image_surface_create_from_png()... yeah.

Cheers,
Uli

P.S.: See [1] for why this only really fuzzes libpng. Today I found
another fun one: raster_fuzzer.c first tests if the input is a valid png
(as they all do) and then additionally interprets the fuzzer input as a
file name and tries to read that png with
cairo_image_surface_create_from_png() in the acquire() callback. Surely
file names are untrusted data and can cause evil bugs. Especially if
they are also (semi-)valid PNG files at the same time!

[0]:
https://github.com/google/oss-fuzz/blob/master/projects/cairo/targets/surface_write_png_fuzzer.c
[1]: https://github.com/google/oss-fuzz/pull/4990#issuecomment-762299527
-- 
"Every once in a while, declare peace. It confuses the hell out of your
enemies"
 - 79th Rule of Acquisition
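All three new findings amount to libpng being handed a header that claims an image of several gigabytes. As an added example (not cairo's or oss-fuzz's code) here is a pre-check a harness or caller could run before cairo_image_surface_create_from_png(): it reads only the PNG signature and IHDR chunk and rejects inputs whose claimed surface would exceed a budget. It assumes the consumer expands every pixel to 4 bytes (a 32-bit image surface); MAX_SURFACE_BYTES and the make_png_header helper are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Largest image surface we are prepared to allocate before handing the bytes
   to libpng (assumption: 256 MiB; pick what fits your process limits). */
#define MAX_SURFACE_BYTES (256ull * 1024 * 1024)
#define PNG_HEADER_LEN 33  /* 8-byte signature + 25-byte IHDR chunk */

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Bytes the decoded image would occupy as a 4-byte-per-pixel surface, or 0 if
   the buffer does not start with a PNG signature and a well-formed IHDR.
   Nothing is decoded and the IHDR CRC is not checked; libpng does that later. */
uint64_t png_claimed_surface_bytes(const uint8_t *buf, size_t len) {
    if (len < PNG_HEADER_LEN || memcmp(buf, PNG_SIG, 8) != 0) return 0;
    const uint8_t *ihdr = buf + 8;
    if (be32(ihdr) != 13 || memcmp(ihdr + 4, "IHDR", 4) != 0) return 0;
    uint32_t width = be32(ihdr + 8), height = be32(ihdr + 12);
    /* PNG limits both dimensions to 1..2^31-1 */
    if (width == 0 || height == 0 || ((width | height) & 0x80000000u)) return 0;
    return (uint64_t)width * height * 4;
}

/* 1 if the header is well-formed and the claimed surface fits the budget. */
int png_header_is_affordable(const uint8_t *buf, size_t len) {
    uint64_t bytes = png_claimed_surface_bytes(buf, len);
    return bytes != 0 && bytes <= MAX_SURFACE_BYTES;
}

/* Constructed test helper: write a signature + IHDR (CRC left as zero) for the
   given dimensions; returns the number of bytes written. */
size_t make_png_header(uint8_t out[PNG_HEADER_LEN], uint32_t w, uint32_t h,
                       uint8_t depth, uint8_t color_type, uint8_t interlace) {
    memset(out, 0, PNG_HEADER_LEN);
    memcpy(out, PNG_SIG, 8);
    uint8_t *ihdr = out + 8;
    ihdr[3] = 13;                       /* chunk length, big-endian */
    memcpy(ihdr + 4, "IHDR", 4);
    for (int i = 0; i < 4; i++) {
        ihdr[8 + i] = (uint8_t)(w >> (24 - 8 * i));
        ihdr[12 + i] = (uint8_t)(h >> (24 - 8 * i));
    }
    ihdr[16] = depth; ihdr[17] = color_type; ihdr[20] = interlace;
    return PNG_HEADER_LEN;
}
```

With the 25096 x 52032 header from the second finding the claimed surface is just over 5 GiB, so the check refuses it before any decoding happens.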