42 crashers #17

Open
GoogleCodeExporter opened this issue Aug 11, 2015 · 6 comments
Comments

@GoogleCodeExporter

The attached archive contains 42 unique crashers for the package. The test inputs were passed through the following program:
http://play.golang.org/p/qxzq2QBtYx
The headers of the crashes are provided below. Each one of them is unique, i.e. it crashes with a unique panic message and/or at a different stack. I physically can't file a separate issue for each individual crash. Some of the inputs are valid TTF files taken elsewhere.

panic: runtime error: invalid memory address or nil pointer dereference
panic: truetype: hinting: division by zero
panic: truetype: hinting: nested FDEF
panic: runtime error: index out of range
panic: runtime error: index out of range
panic: truetype: hinting: point out of range
panic: truetype: hinting: invalid data
panic: truetype: hinting: undefined function
panic: runtime error: index out of range
panic: truetype: hinting: unimplemented twilight point adjustment
panic: truetype: hinting: unbalanced FDEF
panic: truetype: hinting: call stack underflow
panic: runtime error: index out of range
panic: truetype: hinting: stack underflow
panic: runtime error: invalid memory address or nil pointer dereference
panic: truetype: hinting: insufficient data
panic: runtime error: index out of range
panic: truetype: hinting: unrecognized instruction
panic: freetype: unsupported TrueType feature: negative number of contours
panic: runtime error: index out of range
panic: truetype: hinting: stack overflow
panic: runtime error: index out of range
panic: truetype: hinting: unbalanced IF or ELSE
panic: runtime error: slice bounds out of range
panic: runtime error: index out of range
panic: freetype: unsupported TrueType feature: compound glyph transform vector
panic: runtime error: index out of range
panic: runtime error: slice bounds out of range
panic: truetype: hinting: too many instructions
panic: runtime error: invalid memory address or nil pointer dereference
panic: runtime error: integer divide by zero
panic: truetype: hinting: contour out of range
panic: truetype: hinting: unsupported IDEF instruction
panic: runtime error: integer divide by zero
panic: runtime error: integer divide by zero
panic: hinting: unimplemented SHC instruction
panic: runtime error: slice bounds out of range
panic: runtime error: integer divide by zero
panic: runtime error: index out of range
panic: runtime error: index out of range
panic: runtime error: index out of range
panic: runtime error: index out of range

Original issue reported on code.google.com by dvyu...@google.com on 29 Apr 2015 at 10:25

@pmezard

pmezard commented Sep 21, 2015

I have not checked the tarball but reproduced similar panics in truetype package using go-fuzz. Reading the code, a lot of them probably come from not checking offsets before accessing byte arrays. They are tedious but easy to fix.

The question is: what is your contribution process for this package? go-review.googlesource.com or something else? And do you accept contributions, even partial ones (i.e. not fixing all the out-of-bounds accesses at once)?

@nigeltao
Contributor

nigeltao commented Oct 8, 2015

The contribution process is the regular github.com process, not go-review.googlesource.com, although you still need to sign the CLA a la the regular golang.org process.

Contributions accepted, although I will be slow to respond in general in the foreseeable short-term future (as I have been slow to respond here), due to non-work-related reasons.

@flopp

flopp commented Feb 19, 2016

All crashes except "ttf.crashers/9dcbc20080df0e49e3dd90c022eba03aa575c4b6" seem to be fixed with the current version of golang/freetype.
