Skip to content

Commit

Permalink
Merge pull request #6846 from radarhere/font_crash
Browse files Browse the repository at this point in the history
Fixed null pointer dereference crash with malformed font
  • Loading branch information
radarhere authored Dec 31, 2022
2 parents 7f17084 + c977526 commit c4cc487
Show file tree
Hide file tree
Showing 4 changed files with 39 additions and 1 deletion.
10 changes: 10 additions & 0 deletions Tests/fonts/fuzz_font-5203009437302784
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
STARTFONT
FONT �
SIZE 10
FONTBOUNDINGBOX
CHARS
STARTCHAR
ENCODING
BBX 2 5
ENDCHAR
ENDFONT
2 changes: 1 addition & 1 deletion Tests/oss-fuzz/test_fuzzers.py
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,6 @@ def test_fuzz_fonts(path):
with open(path, "rb") as f:
try:
fuzzers.fuzz_font(f.read())
except (Image.DecompressionBombError, Image.DecompressionBombWarning):
except (Image.DecompressionBombError, Image.DecompressionBombWarning, OSError):
pass
assert True
22 changes: 22 additions & 0 deletions Tests/test_font_crash.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
import pytest

from PIL import Image, ImageDraw, ImageFont

from .helper import skip_unless_feature


class TestFontCrash:
def _fuzz_font(self, font):
# from fuzzers.fuzz_font
font.getbbox("ABC")
font.getmask("test text")
with Image.new(mode="RGBA", size=(200, 200)) as im:
draw = ImageDraw.Draw(im)
draw.multiline_textbbox((10, 10), "ABC\nAaaa", font, stroke_width=2)
draw.text((10, 10), "Test Text", font=font, fill="#000")

@skip_unless_feature("freetype2")
def test_segfault(self):
with pytest.raises(OSError):
font = ImageFont.truetype("Tests/fonts/fuzz_font-5203009437302784")
self._fuzz_font(font)
6 changes: 6 additions & 0 deletions src/_imagingft.c
Original file line number Diff line number Diff line change
Expand Up @@ -921,6 +921,12 @@ font_render(FontObject *self, PyObject *args) {
yy = -(py + glyph_slot->bitmap_top);
}

// Null buffer, is dereferenced in FT_Bitmap_Convert
if (!bitmap.buffer && bitmap.rows) {
PyErr_SetString(PyExc_OSError, "Bitmap missing for glyph");
goto glyph_error;
}

/* convert non-8bpp bitmaps */
switch (bitmap.pixel_mode) {
case FT_PIXEL_MODE_MONO:
Expand Down

0 comments on commit c4cc487

Please sign in to comment.