
Timeout when parsing malformed file #79

Closed
5225225 opened this issue Nov 18, 2021 · 1 comment
5225225 commented Nov 18, 2021

Stack trace of where it gets stuck:

ALARM: working on the last Unit for 5 seconds
       and the timeout value is 5 (use -timeout=N to change)
==3206839== ERROR: libFuzzer: timeout after 5 seconds
    #0 0x555e927cf5a1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x555e92a14c18 in fuzzer::PrintStackTrace() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x3fec18)
    #2 0x555e929ed11c in fuzzer::Fuzzer::AlarmCallback() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x3d711c)
    #3 0x7f3aa1b1c86f  (/usr/lib/libpthread.so.0+0x1386f)
    #4 0x555e92a1d1a5 in __sanitizer_cov_trace_const_cmp1 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x4071a5)
    #5 0x555e927fa9ae in _$LT$ttf_parser..tables..glyf..CompositeGlyphIter$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::ha6babbd486b3aac4 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e49ae)
    #6 0x555e927ff3af in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e93af)
    #7 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #8 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #9 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #10 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #11 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #12 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #13 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #14 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #15 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #16 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #17 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #18 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #19 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #20 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #21 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #22 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #23 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #24 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #25 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #26 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #27 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #28 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #29 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #30 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #31 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #32 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #33 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #34 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #35 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #36 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #37 0x555e927ffcf2 in ttf_parser::tables::glyf::outline_impl::h1ab9a66a6a80293f (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e9cf2)
    #38 0x555e92803fd3 in ttf_parser::tables::glyf::Table::outline::hea1c236418b1309c (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1edfd3)
    #39 0x555e927fcbfa in ttf_parser::Face::outline_glyph::h96c1e8147a502f76 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1e6bfa)
    #40 0x555e928194d1 in rust_fuzzer_test_input (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2034d1)
    #41 0x555e929f7d68 in __rust_try libfuzzer_sys.9307de7e-cgu.0
    #42 0x555e929f77f8 in LLVMFuzzerTestOneInput (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x3e17f8)
    #43 0x555e929ed411 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x3d7411)
    #44 0x555e929e156a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x3cb56a)
    #45 0x555e929e5362 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x3cf362)
    #46 0x555e9274ab52 in main (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x134b52)
    #47 0x7f3aa1817b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #48 0x555e9274acfd in _start (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x134cfd)

SUMMARY: libFuzzer: timeout

Reproduction code (tested against ba4fc75)

/// Minimal reproducer for the libFuzzer timeout reported above.
///
/// Parses a hand-crafted sfnt blob (table tags such as `glyf`, `loca` and
/// `head` are visible in the literal) and requests the outline of glyph 0.
/// Per the attached stack trace the call does not return within the fuzzer's
/// 5-second budget: `outline_impl` re-enters itself many times and the run is
/// interrupted inside `CompositeGlyphIter::next`.
///
/// A font parser is routinely fed untrusted bytes, so the behaviour a
/// defender expects here is a bounded-time `None`/`Some` result for any
/// input rather than an unbounded recursion or loop.
fn main() {
    // Kept byte-for-byte as reported; a trailing `\` joins the continuation
    // lines without inserting any whitespace into the literal.
    let font_bytes: &[u8] = b"\x00\x01\x00\x00\x00\x0f\x00\x10\x00PTT-W\x002h\xd7\x81x\x00\
    \x00\x00?L\xbaN\x00c\x9a\x9e\x8f\x96\xe3\xfeu\xff\x00\xb2\x00@\x03\x00\xb8\
    cvt 5:\x00\x00\x00\xb5\xf8\x01\x00\x03\x9ckEr\x92\xd7\xe6\x98M\xdc\x00\x00\
    \x03\xe0\x00\x00\x00dglyf\"\t\x15`\x00\x00\x03\xe0\x00\x00\x00dglyf\"\t\x15\
    `\x00\x00\x00 \x00\x00\x00\xfc\x97\x9fmx\x87\xc9\xc8\xfe\x00\x00\xbad\xff\
    \xff\xf1\xc8head\xc7\x17\xce[\x00\x00\x00\xfc\x00\x00\x006hhea\x03\xc6\x05\
    \xe4\x00\x00\x014\x00\x00\x00$hmtx\xc9\xfdq\xed\x00\x00\xb5\xf8\x01\x00\x03\
    \x9ckEr\x92\xd7\xe6\xdch\x00\x00\xc9d\x00\x00\x04 loca\x00M\x82\x11\x00\x00\
    \x00\x06\x00\x00\x00\xa0maxp\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 name\
    \xf4\xd6\xfe\xad\x00OTTO\x00\x02gpost5;5\xe1\x00\x00\xb0P\x00\x00\x01\xf0perp%\
    \xb0{\x04\x93D\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x01\x00\x00\xe1!yf%1\
    \x08\x95\x00\x00\x00\x00\x00\xaa\x06\x80fmtx\x02\x00\x00\x00\x00\x00\x00\x00\
    \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
    \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00a\xcc\xff\
    \xce\x03CCCCCCCCC\x00\x00\x00\x00\x00C\x00\x00\x00\x00\xb5\xf8\x01\x00\x00\x9c";

    // The trace shows `Face::outline_glyph` on the stack, so header parsing
    // accepts this blob; the hang is entirely inside the outline call.
    let face = ttf_parser::Face::from_slice(font_bytes, 0).unwrap();
    let mut sink = Builder;
    // The result is deliberately discarded: this reproducer only checks that
    // the call terminates at all.
    let _ = face.outline_glyph(ttf_parser::GlyphId(0), &mut sink);
}

/// Outline sink used by the reproducer. Every callback panics, presumably so
/// that any outline segment the parser does emit for this malformed glyph is
/// noticed immediately rather than silently consumed.
struct Builder;

/// `OutlineBuilder` whose every callback aborts via `panic!()`.
///
/// The reproducer presumably expects the malformed glyph to yield no outline
/// at all, so reaching any of these methods counts as a failure in its own
/// right. The parameters are unused; the names only document the callback
/// shape (end point, control points).
impl ttf_parser::OutlineBuilder for Builder {
    fn move_to(&mut self, _x: f32, _y: f32) {
        panic!()
    }

    fn line_to(&mut self, _x: f32, _y: f32) {
        panic!()
    }

    fn quad_to(&mut self, _x1: f32, _y1: f32, _x: f32, _y: f32) {
        panic!()
    }

    fn curve_to(&mut self, _x1: f32, _y1: f32, _x2: f32, _y2: f32, _x: f32, _y: f32) {
        panic!()
    }

    fn close(&mut self) {
        panic!()
    }
}
@RazrFalcon
Owner

Thanks. I really have to find time to invest into proper unit testing.

Ideally, we should also get rid of all recursive functions, but that would require some time as well, not to mention the performance implications.
