freetype
42 crashers
The attached archive contains 42 unique crashers for the package. The test
inputs were passed through the following program:
http://play.golang.org/p/qxzq2QBtYx
The headers of the crashes are provided below. Each one of them is unique, i.e.
crashes with a unique panic message and/or at a different stack. I physically can't
file a separate issue for each individual crash. Some of the inputs are valid
TTF files taken from elsewhere.
panic: runtime error: invalid memory address or nil pointer dereference
panic: truetype: hinting: division by zero
panic: truetype: hinting: nested FDEF
panic: runtime error: index out of range
panic: runtime error: index out of range
panic: truetype: hinting: point out of range
panic: truetype: hinting: invalid data
panic: truetype: hinting: undefined function
panic: runtime error: index out of range
panic: truetype: hinting: unimplemented twilight point adjustment
panic: truetype: hinting: unbalanced FDEF
panic: truetype: hinting: call stack underflow
panic: runtime error: index out of range
panic: truetype: hinting: stack underflow
panic: runtime error: invalid memory address or nil pointer dereference
panic: truetype: hinting: insufficient data
panic: runtime error: index out of range
panic: truetype: hinting: unrecognized instruction
panic: freetype: unsupported TrueType feature: negative number of contours
panic: runtime error: index out of range
panic: truetype: hinting: stack overflow
panic: runtime error: index out of range
panic: truetype: hinting: unbalanced IF or ELSE
panic: runtime error: slice bounds out of range
panic: runtime error: index out of range
panic: freetype: unsupported TrueType feature: compound glyph transform vector
panic: runtime error: index out of range
panic: runtime error: slice bounds out of range
panic: truetype: hinting: too many instructions
panic: runtime error: invalid memory address or nil pointer dereference
panic: runtime error: integer divide by zero
panic: truetype: hinting: contour out of range
panic: truetype: hinting: unsupported IDEF instruction
panic: runtime error: integer divide by zero
panic: runtime error: integer divide by zero
panic: hinting: unimplemented SHC instruction
panic: runtime error: slice bounds out of range
panic: runtime error: integer divide by zero
panic: runtime error: index out of range
panic: runtime error: index out of range
panic: runtime error: index out of range
panic: runtime error: index out of range
Original issue reported on code.google.com by [email protected] on 29 Apr 2015 at 10:25
Attachments:
Hope Brad won't see this, otherwise he will delete this package.
Original comment by [email protected] on 29 Apr 2015 at 10:27
I haven't looked at the tarball yet, but I'm sure these are valid bugs.
Still, I'm going to hold off on fixing these until freetype-go moves to github,
and that's blocked on doing some thinking on breaking the API [0], and that's
blocked on higher priority interrupts, so it might be a while until I look at
these.
[0] https://groups.google.com/d/msg/golang-nuts/a5G9tJWexVI/Ref1VktubE0J
Original comment by [email protected] on 30 Apr 2015 at 12:08
- Changed state: Accepted
I have not checked the tarball but reproduced similar panics in the truetype package using go-fuzz. Reading the code, a lot of them probably come from not checking offsets before accessing byte arrays. They are tedious but easy to fix.
The question is: what is your contribution process for this package? go-review.googlesource.com or something else? And do you accept contributions, even partial ones (i.e. not fixing all the out-of-bounds accesses at once)?
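The pattern described in the comment above (offsets read from the file and used to slice a byte array without being checked first) is the one behind most of the "index out of range" and "slice bounds out of range" panics in the list. The following is an added example, not code from freetype-go or from anyone in this thread: a minimal parser for the sfnt offset table and table directory that a TrueType file starts with, written once without checks and once with them, plus a recover-based harness in the style of the go-fuzz crasher bucketing the reporter used. The sample inputs are constructed fixtures, not fonts from the attached archive.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// An sfnt file starts with a 12-byte offset table (scaler type, numTables,
// searchRange, entrySelector, rangeShift) followed by numTables 16-byte
// records (tag, checksum, offset, length). Every other table is reached
// through those offsets, so this is where an unchecked parser first trusts
// attacker-controlled numbers.
const (
	headerLen = 12
	recordLen = 16
)

// parseUnchecked trusts numTables and every offset/length it reads. A short
// or crafted file makes it slice past the buffer, which is exactly the kind
// of runtime panic the fuzzer reports.
func parseUnchecked(data []byte) map[string][]byte {
	n := int(binary.BigEndian.Uint16(data[4:6]))
	out := make(map[string][]byte, n)
	for i := 0; i < n; i++ {
		rec := data[headerLen+i*recordLen : headerLen+(i+1)*recordLen]
		off := binary.BigEndian.Uint32(rec[8:12])
		ln := binary.BigEndian.Uint32(rec[12:16])
		out[string(rec[0:4])] = data[off : off+ln] // off+ln can wrap in uint32
	}
	return out
}

// parseChecked validates each count, offset and length against len(data)
// before touching the slice and returns an error instead of panicking.
func parseChecked(data []byte) (map[string][]byte, error) {
	if len(data) < headerLen {
		return nil, errors.New("truetype: file shorter than offset table")
	}
	n := int(binary.BigEndian.Uint16(data[4:6]))
	if headerLen+n*recordLen > len(data) {
		return nil, fmt.Errorf("truetype: directory of %d tables exceeds %d-byte file", n, len(data))
	}
	out := make(map[string][]byte, n)
	for i := 0; i < n; i++ {
		rec := data[headerLen+i*recordLen : headerLen+(i+1)*recordLen]
		tag := string(rec[0:4])
		off := binary.BigEndian.Uint32(rec[8:12])
		ln := binary.BigEndian.Uint32(rec[12:16])
		// Add in uint64 so a crafted offset+length cannot wrap to a small value.
		end := uint64(off) + uint64(ln)
		if end > uint64(len(data)) {
			return nil, fmt.Errorf("truetype: table %q [%d,%d) exceeds %d-byte file", tag, off, end, len(data))
		}
		out[tag] = data[int(off):int(end)]
	}
	return out, nil
}

// sfntHeader, tableRecord and concat build the constructed fixtures below.
func sfntHeader(numTables uint16) []byte {
	b := make([]byte, headerLen)
	binary.BigEndian.PutUint32(b[0:4], 0x00010000) // TrueType scaler type
	binary.BigEndian.PutUint16(b[4:6], numTables)
	return b
}

func tableRecord(tag string, off, ln uint32) []byte {
	b := make([]byte, recordLen)
	copy(b[0:4], tag)
	binary.BigEndian.PutUint32(b[8:12], off)
	binary.BigEndian.PutUint32(b[12:16], ln)
	return b
}

func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

// samples are hand-built inputs (constructed for this example) in the spirit
// of the fuzzer's crashers: one valid file and three malformed ones.
var samples = map[string][]byte{
	"valid":      concat(sfntHeader(1), tableRecord("head", 28, 4), []byte{1, 2, 3, 4}),
	"truncated":  {0, 1, 0},         // shorter than the offset table
	"big_count":  sfntHeader(0xFFFF), // claims 65535 tables, carries none
	"wrap_range": concat(sfntHeader(1), tableRecord("glyf", 0xFFFFFFF0, 0x20)),
}

// panicMessage runs parse under recover and returns the panic text, or "".
// Bucketing inputs by that text is how go-fuzz reports distinct crashers.
func panicMessage(parse func([]byte), input []byte) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	parse(input)
	return ""
}

// uncheckedCrashers returns the panic message the unchecked parser produces
// for each sample; checkedErrors returns the error the hardened one returns.
func uncheckedCrashers() map[string]string {
	out := map[string]string{}
	for name, in := range samples {
		out[name] = panicMessage(func(b []byte) { parseUnchecked(b) }, in)
	}
	return out
}

func checkedErrors() map[string]string {
	out := map[string]string{}
	for name, in := range samples {
		if _, err := parseChecked(in); err != nil {
			out[name] = err.Error()
		} else {
			out[name] = ""
		}
	}
	return out
}

func main() {
	for name, msg := range uncheckedCrashers() {
		fmt.Printf("unchecked %-10s panic: %q\n", name, msg)
	}
	for name, e := range checkedErrors() {
		fmt.Printf("checked   %-10s error: %q\n", name, e)
	}
}
```

The "wrap_range" sample is the case worth remembering: its offset and length are individually plausible-looking but sum past 2^32, so the unchecked parser's uint32 addition wraps to 16 and the slice expression panics with the low bound above the high bound, while the checked parser's uint64 comparison rejects the table before slicing.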
The contribution process is the regular github.com process, not go-review.googlesource.com, although you still need to sign the CLA a la the regular golang.org process.
Contributions accepted, although I will be slow to respond in general in the foreseeable short-term future (as I have been slow to respond here), due to non-work-related reasons.
All crashes except "ttf.crashers/9dcbc20080df0e49e3dd90c022eba03aa575c4b6" seem to be fixed with the current version of golang/freetype.