[Bug 2059852] Re: Invalid free called during libfreetype FT_Done_Glyph
Pjfloyd
2059852 at bugs.launchpad.net
Sat Aug 17 09:39:15 UTC 2024
As always with Valgrind, fix the first error first.
Why are you trying to allocate -205496320 bytes?
It also looks like you have an issue with the 'free' redir causing the
crash.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to freetype in Ubuntu.
https://bugs.launchpad.net/bugs/2059852
Title:
Invalid free called during libfreetype FT_Done_Glyph
Status in freetype package in Ubuntu:
New
Status in freetype source package in Jammy:
New
Bug description:
A fuzzed font file triggers an invalid free operation. Current
upstream 2.13 was not observed crashing with input.
==1793660== Memcheck, a memory error detector
==1793660== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1793660== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1793660== Command: ftgrid 12 ftgrid_invalid_free_shown_by_valgrind.ttf
==1793660==
==1793660== Argument 'size' of function malloc has a fishy (possibly negative) value: -205496320
==1793660== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660== by 0x10F09A: UnknownInlinedFun (ftgrid.c:412)
==1793660== by 0x10F09A: UnknownInlinedFun (ftgrid.c:580)
==1793660== by 0x10F09A: main (ftgrid.c:1818)
==1793660==
==1793660== Invalid free() / delete / delete[] / realloc()
==1793660== at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660== by 0x48C2EC3: UnknownInlinedFun (ftutil.c:173)
==1793660== by 0x48C2EC3: FT_Bitmap_Done (ftbitmap.c:1169)
==1793660== by 0x48C5947: FT_Done_Glyph (ftglyph.c:650)
==1793660== by 0x10F1A0: UnknownInlinedFun (ftgrid.c:589)
==1793660== by 0x10F1A0: main (ftgrid.c:1818)
==1793660== Address 0x5292040 is 0 bytes inside a block of size 58,519,576 free'd
==1793660== at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660== by 0x10F18A: UnknownInlinedFun (ftgrid.c:586)
==1793660== by 0x10F18A: main (ftgrid.c:1818)
==1793660== Block was alloc'd at
==1793660== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660== by 0x48BDB08: ft_mem_qrealloc (ftutil.c:145)
==1793660== by 0x48BF04D: ft_mem_realloc (ftutil.c:101)
==1793660== by 0x491815B: ft_smooth_render.lto_priv.0 (ftsmooth.c:475)
==1793660== by 0x48BD24C: FT_Render_Glyph_Internal (ftobjs.c:4721)
==1793660== by 0x48C8A2F: FT_Glyph_To_Bitmap (ftglyph.c:596)
==1793660== by 0x11A67E: FTDemo_Glyph_To_Bitmap (ftcommon.c:1365)
==1793660== by 0x10DCC1: UnknownInlinedFun (ftgrid.c:575)
==1793660== by 0x10DCC1: main (ftgrid.c:1818)
==1793660==
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff4087010) at ./malloc/malloc.c:3368
3368 ./malloc/malloc.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff4087010) at ./malloc/malloc.c:3368
#1 0x00007ffff7ebeec4 in ft_mem_free (P=<optimized out>, memory=<optimized out>) at ./src/base/ftutil.c:173
#2 FT_Bitmap_Done (library=<optimized out>, bitmap=0x5555555a25e0) at ./src/base/ftbitmap.c:1169
#3 0x00007ffff7ec1948 in FT_Done_Glyph (glyph=0x5555555a25b0) at ./src/base/ftglyph.c:650
#4 0x000055555555b1a1 in grid_status_draw_outline (st=0x5555555703e0 <status>, display=<optimized out>, handle=<optimized out>)
at ./ft2demos/src/ftgrid.c:589
#5 main (argc=<optimized out>, argv=<optimized out>) at ./ft2demos/src/ftgrid.c:1818
$ apt-cache policy libfreetype6
libfreetype6:
Installed: 2.11.1+dfsg-1ubuntu0.2
Candidate: 2.11.1+dfsg-1ubuntu0.2
Version table:
*** 2.11.1+dfsg-1ubuntu0.2 500
500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
2.11.1+dfsg-1build1 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
Description: Ubuntu 22.04.3 LTS
Release: 22.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetype/+bug/2059852/+subscriptions
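A small triage helper, added here as an example and not part of the bug report, of FreeType or of Valgrind: it groups the Memcheck records quoted above so that the first error (the negative malloc size at ftgrid.c:412) and, for the invalid free, the earlier free site and the allocation site can be read off directly, which is what "fix the first error first" asks for. The sample input is abridged from the report's own output; the function names are assumptions of this example.

```python
import re
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")
USER_LOC = re.compile(r"\([\w.]+\.c:\d+\)$")  # "(file.c:line)", unlike "(in /usr/lib/...so)"

def parse_memcheck(text):
    """Group memcheck lines into records: kind, own stack, earlier-free and alloc stacks."""
    errors, cur, section = [], None, None
    for raw in text.splitlines():
        if not raw.startswith("=="):            # gdb output etc. is not memcheck's
            continue
        line = raw.split("==", 2)[2].strip()    # drop the "==pid==" prefix
        if not line:                            # a blank ==pid== line ends a record
            cur = None
        elif cur is None:                       # first line of a record names the error
            cur = {"kind": line, "where": [], "prev_free": [], "alloc": []}
            section = "where"
            errors.append(cur)
        elif (frame := FRAME.match(line)):
            cur[section].append(frame.group(1))
        elif "free'd" in line:                  # "Address ... free'd" heads the earlier free's stack
            section = "prev_free"
        elif "alloc'd" in line:                 # "Block was alloc'd at" heads the allocation stack
            section = "alloc"
    return [e for e in errors if e["where"]]    # drops the banner/Command: preamble

def first_user_frame(frames):                   # skip frames inside the Valgrind preload library
    return next((f for f in frames if USER_LOC.search(f)), None)

def triage(text):  # one summary per record, in report order; "fix the first error first" = out[0]
    out = []
    for e in parse_memcheck(text):
        item = {"kind": e["kind"].split(" / ")[0], "at": first_user_frame(e["where"])}
        if e["kind"].startswith("Invalid free"):   # double free: show the earlier free and the alloc
            item.update(prev_free=first_user_frame(e["prev_free"]), alloc=first_user_frame(e["alloc"]))
        out.append(item)
    return out

# Sample input, abridged from the bug report's Valgrind output (only a few frames kept).
SAMPLE = """\
==1793660== Argument 'size' of function malloc has a fishy (possibly negative) value: -205496320
==1793660==    at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660==    by 0x10F09A: UnknownInlinedFun (ftgrid.c:412)
==1793660==
==1793660== Invalid free() / delete / delete[] / realloc()
==1793660==    by 0x48C2EC3: FT_Bitmap_Done (ftbitmap.c:1169)
==1793660==  Address 0x5292040 is 0 bytes inside a block of size 58,519,576 free'd
==1793660==    by 0x10F18A: UnknownInlinedFun (ftgrid.c:586)
==1793660==  Block was alloc'd at
==1793660==    by 0x491815B: ft_smooth_render.lto_priv.0 (ftsmooth.c:475)
"""
```

Running `triage(SAMPLE)` gives two records: the fishy-size warning located at ftgrid.c:412, then the invalid free in FT_Bitmap_Done with the earlier free at ftgrid.c:586 and the allocation in ftsmooth.c:475, i.e. the demo freed a buffer that FT_Done_Glyph later freed again.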