Bug 107386

Summary: cairo: oss-fuzz integration
Product: cairo
Reporter: pdknsk <pdknsk>
Component: general
Assignee: Chris Wilson <chris>
Status: RESOLVED MOVED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: minor    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: Linux (All)   

Description pdknsk 2018-07-26 12:21:34 UTC
I'm interested if you're interested in having cairo integrated into oss-fuzz.

https://github.com/google/oss-fuzz

You only have to give an email address to be notified at when new bugs are found, and also a basic commitment in principle to be interested in those bugs.

Since fuzzing cairo directly doesn't really work, I want to go the reverse route by having the fuzzer generate CairoScript, which is then interpreted and rendered. A minor problem with that approach is that bugs in cairo-script have to be fixed first before it can really get to finding bugs in cairo itself. I already found quite a few of the former in a brief run.

A sample.

==1466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d001b303f0 at pc 0x0000005a56f7 bp 0x7ffd1ddb5030 sp 0x7ffd1ddb5028
READ of size 4 at 0x62d001b303f0 thread T0
    #0 0x5a56f6 in csi_object_reference cairo/util/cairo-script/cairo-script-objects.c:650:9
    #1 0x5c16b0 in _csi_push_ostack_copy cairo/util/cairo-script/./cairo-script-private.h:946:48
    #2 0x5afd8f in _index cairo/util/cairo-script/cairo-script-operators.c:3445:12
    #3 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #4 0x5cffa2 in token_end cairo/util/cairo-script/cairo-script-scanner.c:507:11
    #5 0x5ce416 in _scan_file cairo/util/cairo-script/cairo-script-scanner.c:1062:6
    #6 0x5ccf86 in _csi_scan_file cairo/util/cairo-script/cairo-script-scanner.c:1408:5
    #7 0x5a5d24 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:638:9
    #8 0x59eb28 in cairo_script_interpreter_feed_string cairo/util/cairo-script/cairo-script-interpreter.c:620:19

==25526==ERROR: AddressSanitizer: stack-overflow on address 0x7fffc8f48ff8 (pc 0x000000427525 bp 0x7fffc8f49850 sp 0x7fffc8f49000 T0)
    #0 0x427524 in __asan_memcpy llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x4d7520 in _cairo_path_buf_add_points cairo/src/cairo-path-fixed.c:803:5
    #2 0x4d0fc6 in _cairo_path_fixed_add cairo/src/cairo-path-fixed.c:748:5
    #3 0x4d01bb in _cairo_path_fixed_line_to cairo/src/cairo-path-fixed.c:551:12
    #4 0x4774e0 in _cairo_default_context_rel_line_to cairo/src/cairo-default-context.c:815:12
    #5 0x596f41 in INT_cairo_rel_line_to cairo/src/cairo.c:2003:14
    #6 0x5b0672 in _rel_line_to cairo/util/cairo-script/cairo-script-operators.c:4288:5
    #7 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #8 0x5a59b2 in _csi_array_execute cairo/util/cairo-script/cairo-script-objects.c:149:12
    #9 0x5af7aa in _ifelse cairo/util/cairo-script/cairo-script-operators.c
    #10 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #11 0x5a59b2 in _csi_array_execute cairo/util/cairo-script/cairo-script-objects.c:149:12

==24929==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x4284a3 in malloc llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5d35ce in _csi_stack_init cairo/util/cairo-script/cairo-script-stack.c:50:22
    #2 0x5a4e30 in csi_array_new cairo/util/cairo-script/cairo-script-objects.c:59:11
    #3 0x5cfd79 in token_end cairo/util/cairo-script/cairo-script-scanner.c:447:15
    #4 0x5cdb07 in _scan_file cairo/util/cairo-script/cairo-script-scanner.c
    #5 0x5ccf86 in _csi_scan_file cairo/util/cairo-script/cairo-script-scanner.c:1408:5
    #6 0x5a5d24 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:638:9
    #7 0x59eb28 in cairo_script_interpreter_feed_string cairo/util/cairo-script/cairo-script-interpreter.c:620:19
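
An added example, not part of the original report and not code from cairo or oss-fuzz: it buckets sanitizer reports like the three above by whether the blamed frame lies in the cairo-script interpreter or in cairo itself, the distinction the description draws. The path prefixes and the repeated-frame heuristic for stack overflows are assumptions of this example.

```python
import re
from collections import Counter

# Frames excerpted from the three sanitizer reports quoted in the description.
SAMPLE = """\
==1466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d001b303f0 at pc 0x0000005a56f7 bp 0x7ffd1ddb5030 sp 0x7ffd1ddb5028
    #0 0x5a56f6 in csi_object_reference cairo/util/cairo-script/cairo-script-objects.c:650:9
==25526==ERROR: AddressSanitizer: stack-overflow on address 0x7fffc8f48ff8 (pc 0x000000427525 bp 0x7fffc8f49850 sp 0x7fffc8f49000 T0)
    #0 0x427524 in __asan_memcpy llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x4d7520 in _cairo_path_buf_add_points cairo/src/cairo-path-fixed.c:803:5
    #7 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #8 0x5a59b2 in _csi_array_execute cairo/util/cairo-script/cairo-script-objects.c:149:12
    #9 0x5af7aa in _ifelse cairo/util/cairo-script/cairo-script-operators.c
    #10 0x5a5c88 in csi_object_execute cairo/util/cairo-script/cairo-script-objects.c:633:9
    #11 0x5a59b2 in _csi_array_execute cairo/util/cairo-script/cairo-script-objects.c:149:12
==24929==ERROR: LeakSanitizer: detected memory leaks
    #0 0x4284a3 in malloc llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5d35ce in _csi_stack_init cairo/util/cairo-script/cairo-script-stack.c:50:22
"""

HEADER = re.compile(r"==\d+==ERROR: \w+: (.+?)(?: on address|$)")
FRAME = re.compile(r"\s*#\d+ 0x[0-9a-f]+ in (\S+) ([^\s:]+)")
# Assumed source-tree prefixes; anything else (sanitizer runtime) is skipped.
PREFIXES = (("cairo/util/cairo-script/", "cairo-script"), ("cairo/src/", "cairo"))

def component(path):
    return next((name for pre, name in PREFIXES if path.startswith(pre)), None)

def triage(text):
    """Return (error kind, blamed function, component) for each report."""
    reports = []
    for line in text.splitlines():
        head, frame = HEADER.match(line), FRAME.match(line)
        if head:
            reports.append((head.group(1), []))
        elif frame and reports and component(frame.group(2)):
            reports[-1][1].append((frame.group(1), component(frame.group(2))))
    out = []
    for kind, frames in reports:
        blame = frames[0] if frames else ("?", "unknown")
        if kind == "stack-overflow" and frames:
            # The faulting frame is only where the stack ran out; a repeated
            # frame marks the recursion (heuristic added for this example).
            top, n = Counter(frames).most_common(1)[0]
            blame = top if n > 1 else blame
        out.append((kind, *blame))
    return out

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
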
Comment 1 Uli Schlachter 2018-07-26 13:01:03 UTC
Sure, sounds nice. I just don't think that Cairo has currently enough manpower behind it to make this actually work.
Comment 2 pdknsk 2018-07-27 05:52:11 UTC
Security bugs have a 90-day disclosure deadline, so it's more or less expected they are fixed within that time frame. Lesser bugs don't necessarily need to be fixed, but the problem is those unfixed bugs block the fuzzer from proceeding. So someone from the project probably needs to be semi-dedicated to this, and at least occasionally fix some reported bugs.

Sth. else: I noticed script surface can output to CAIRO_SCRIPT_MODE_ASCII and CAIRO_SCRIPT_MODE_BINARY, but I'm wondering where the latter is useful, in how it can be replayed? Doesn't seem to be implemented.
Comment 3 GitLab Migration User 2018-08-25 13:51:15 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/232.