Invalid free called during libfreetype FT_Done_Glyph
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
freetype (Ubuntu) | New | Undecided | Unassigned |
Jammy | New | Undecided | Unassigned |
Bug Description
A fuzzed font file triggers an invalid free operation. Current upstream 2.13 was not observed crashing with this input.
==1793660== Memcheck, a memory error detector
==1793660== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1793660== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1793660== Command: ftgrid 12 ftgrid_
==1793660==
==1793660== Argument 'size' of function malloc has a fishy (possibly negative) value: -205496320
==1793660== at 0x4848899: malloc (in /usr/libexec/
==1793660== by 0x10F09A: UnknownInlinedFun (ftgrid.c:412)
==1793660== by 0x10F09A: UnknownInlinedFun (ftgrid.c:580)
==1793660== by 0x10F09A: main (ftgrid.c:1818)
==1793660==
==1793660== Invalid free() / delete / delete[] / realloc()
==1793660== at 0x484B27F: free (in /usr/libexec/
==1793660== by 0x48C2EC3: UnknownInlinedFun (ftutil.c:173)
==1793660== by 0x48C2EC3: FT_Bitmap_Done (ftbitmap.c:1169)
==1793660== by 0x48C5947: FT_Done_Glyph (ftglyph.c:650)
==1793660== by 0x10F1A0: UnknownInlinedFun (ftgrid.c:589)
==1793660== by 0x10F1A0: main (ftgrid.c:1818)
==1793660== Address 0x5292040 is 0 bytes inside a block of size 58,519,576 free'd
==1793660== at 0x484B27F: free (in /usr/libexec/
==1793660== by 0x10F18A: UnknownInlinedFun (ftgrid.c:586)
==1793660== by 0x10F18A: main (ftgrid.c:1818)
==1793660== Block was alloc'd at
==1793660== at 0x4848899: malloc (in /usr/libexec/
==1793660== by 0x48BDB08: ft_mem_qrealloc (ftutil.c:145)
==1793660== by 0x48BF04D: ft_mem_realloc (ftutil.c:101)
==1793660== by 0x491815B: ft_smooth_
==1793660== by 0x48BD24C: FT_Render_
==1793660== by 0x48C8A2F: FT_Glyph_To_Bitmap (ftglyph.c:596)
==1793660== by 0x11A67E: FTDemo_
==1793660== by 0x10DCC1: UnknownInlinedFun (ftgrid.c:575)
==1793660== by 0x10DCC1: main (ftgrid.c:1818)
==1793660==
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff408
3368 ./malloc/malloc.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff408
#1 0x00007ffff7ebeec4 in ft_mem_free (P=<optimized out>, memory=<optimized out>) at ./src/base/
#2 FT_Bitmap_Done (library=<optimized out>, bitmap=
#3 0x00007ffff7ec1948 in FT_Done_Glyph (glyph=
#4 0x000055555555b1a1 in grid_status_
at ./ft2demos/
#5 main (argc=<optimized out>, argv=<optimized out>) at ./ft2demos/
$ apt-cache policy libfreetype6
libfreetype6:
Installed: 2.11.1+
Candidate: 2.11.1+
Version table:
*** 2.11.1+
500 http://
500 http://
100 /var/lib/
2.
500 http://
Description: Ubuntu 22.04.3 LTS
Release: 22.04
information type: Private Security → Public Security
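When a fuzzing run produces many Memcheck reports like the one above, it helps to parse them rather than read each by hand. The following is an added example (not part of this bug report or of FreeType) that splits Memcheck output into reports and, for an invalid free of an already-freed block, pairs the first free site, the second free site and the allocation site; the sample text is constructed from the frames in this report with the shared-object paths shortened.

```python
import re

# Constructed Memcheck excerpt modelled on the report in this bug: the frames and
# source lines are the report's own, only the shared-object paths are shortened.
SAMPLE = """\
==1793660== Invalid free() / delete / delete[] / realloc()
==1793660==    at 0x484B27F: free (in vgpreload_memcheck.so)
==1793660==    by 0x48C2EC3: FT_Bitmap_Done (ftbitmap.c:1169)
==1793660==    by 0x48C5947: FT_Done_Glyph (ftglyph.c:650)
==1793660==  Address 0x5292040 is 0 bytes inside a block of size 58,519,576 free'd
==1793660==    at 0x484B27F: free (in vgpreload_memcheck.so)
==1793660==    by 0x10F18A: UnknownInlinedFun (ftgrid.c:586)
==1793660==  Block was alloc'd at
==1793660==    at 0x4848899: malloc (in vgpreload_memcheck.so)
==1793660==    by 0x48C8A2F: FT_Glyph_To_Bitmap (ftglyph.c:596)
"""

FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((.+)\)$")
FREED = re.compile(r"Address 0x([0-9A-Fa-f]+) is \d+ bytes inside a block of size ([\d,]+) free'd")
def parse_reports(text):
    """Split Memcheck output into reports; stacks are keyed 'error', 'freed' and 'alloc'."""
    reports, cur, label = [], None, None
    for raw in text.splitlines():
        line = re.sub(r"^==\d+==", "", raw).strip()        # drop the ==pid== prefix
        frame = FRAME.match(line)
        if not line:                                        # a blank line closes the report
            cur = None
        elif frame and cur is not None:
            cur["stacks"].setdefault(label, []).append(frame.groups())
        elif cur is None:                                   # first line of a report is its header
            cur, label = {"kind": line.split(" / ")[0], "stacks": {"error": []}}, "error"
            reports.append(cur)
        elif (m := FREED.search(line)):                     # block already freed: record where
            cur.update(address=int(m[1], 16), size=int(m[2].replace(",", "")))
            label = "freed"
        elif "alloc'd" in line:
            label = "alloc"
    return [r for r in reports if r["stacks"]["error"]]     # drop banner/summary pseudo-reports

def site(frames):
    """Source location of the first frame that is not the allocator wrapper itself."""
    return next((loc for fn, loc in frames if fn not in ("malloc", "calloc", "realloc", "free")), None)

def triage(report):
    """For an invalid free of an already-freed block, pair both free sites with the allocation."""
    s = report["stacks"]
    if report["kind"].startswith("Invalid free") and s.get("freed"):
        return {"verdict": "double free", "first_free": site(s["freed"]),
                "second_free": site(s["error"]), "alloc": site(s.get("alloc", []))}
    return {"verdict": "other", "where": site(s["error"])}
```

Run over the sample, the verdict is a double free of a bitmap buffer allocated in FT_Glyph_To_Bitmap, first released at ftgrid.c:586 and then again by FT_Bitmap_Done via FT_Done_Glyph, which is the ownership question to settle when fixing the demo.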
Hi, thanks for the time you take to report this bug.
Could you provide any ways to test it?
I did a few tests using the pygame python lib and freetype, which use libfreetype and so on. The results I got were that the text is not shown when using the font you provided, but no crash. Sounds like a 'silent' bug at first glance. So, yep, it affects jammy. Further investigation is needed to figure out if there is any commit already for that issue, if it is a known one.