fonttools: Uncaught exception when loading font

The following program raises an uncaught exception:

import io
import sys
import atheris

from fontTools import ttLib
from fontTools.ttLib import TTFont
import xml

def TestOneInput(data):
  # Write the fuzzer-provided bytes to disk and hand the path to TTFont, as the
  # OSS-Fuzz harness does.
  randfile = "/tmp/random2.ttx"
  with open(randfile, "wb") as f:
    f.write(data)
  # Only the errors the harness treats as "expected" are swallowed; struct.error
  # is not among them, so it propagates as an uncaught exception.
  try:
    otf = TTFont(randfile)
  except ttLib.TTLibError:
    pass
  except AssertionError:
    pass
  except ImportError:
    pass

# Crashing input: 12 bytes, i.e. the "OTTO" sfntVersion plus the rest of the
# 12-byte offset table (numTables = 0x004b = 75), with no table records after it.
data = b"\x4f\x54\x54\x4f\x00\x4b\x46\x32\x74\x63\x70\x46"
TestOneInput(data)

Where the atheris module refers to https://pypi.org/project/atheris/

The program is a derivative of the fuzzer here https://github.com/google/oss-fuzz/blob/master/projects/fonttools/fuzz_ttfont.py

The following program is a shortened version of above, without fuzzing-related logic:

from fontTools import ttLib
from fontTools.ttLib import TTFont

# Same 12-byte input as above: a complete offset table claiming 75 tables,
# followed by no table records at all.
randfile = "/tmp/random2.ttx"
with open(randfile, "wb") as f:
  f.write(b"\x4f\x54\x54\x4f\x00\x4b\x46\x32\x74\x63\x70\x46")
# struct.error is not caught here, so it escapes to the top level.
try:
  otf = TTFont(randfile)
except ttLib.TTLibError:
  pass
except AssertionError:
  pass
except ImportError:
  pass

This produces the stack trace:

# python3 ./reproducer.py 
Traceback (most recent call last):
  File "./reproducer.py", line 24, in <module>
    otf = TTFont(randfile)
  File "/usr/local/lib/python3.8/site-packages/fontTools/ttLib/ttFont.py", line 164, in __init__
    self.reader = SFNTReader(file, checkChecksums, fontNumber=fontNumber)
  File "/usr/local/lib/python3.8/site-packages/fontTools/ttLib/sfnt.py", line 89, in __init__
    entry.fromFile(self.file)
  File "/usr/local/lib/python3.8/site-packages/fontTools/ttLib/sfnt.py", line 490, in fromFile
    sstruct.unpack(self.format, file.read(self.formatSize), self)
  File "/usr/local/lib/python3.8/site-packages/fontTools/misc/sstruct.py", line 88, in unpack
    elements = struct.unpack(formatstring, data)
struct.error: unpack requires a buffer of 16 bytes

This was found by way of OSS-Fuzz and the setup here: https://github.com/google/oss-fuzz/tree/master/projects/fonttools

If you find this issue helpful, then it would be great to have maintainer emails in the project.yaml to receive notifications of bug reports, which contain all details similar to what I posted above, namely the stacktrace, the crashing input and identification of the fuzzer.

About this issue

  • State: open
  • Created a year ago
  • Comments: 20 (13 by maintainers)

Most upvoted comments

The “real-world” test fonts mentioned above: comickbook.zip

The fonts appear to have an issue in the OS/2 table. ttx dump says this:

<OS_2 ERROR="decompilation error" raw="True">
  <!-- An error occurred during the decompilation of this table -->
  <!-- Traceback (most recent call last):
         File "C:\Users\Ken\AppData\Local\Programs\Python\Python310\lib\site-packages\fontTools\ttLib\ttFont.py", line 470, in _readTable
           table.decompile(data, self)
         File "C:\Users\Ken\AppData\Local\Programs\Python\Python310\lib\site-packages\fontTools\ttLib\tables\O_S_2f_2.py", line 118, in decompile
           dummy, data = sstruct.unpack2(OS2_format_1_addition, data, self)
         File "C:\Users\Ken\AppData\Local\Programs\Python\Python310\lib\site-packages\fontTools\misc\sstruct.py", line 106, in unpack2
           return unpack(fmt, data[:length], obj), data[length:]
         File "C:\Users\Ken\AppData\Local\Programs\Python\Python310\lib\site-packages\fontTools\misc\sstruct.py", line 88, in unpack
           elements = struct.unpack(formatstring, data)
       struct.error: unpack requires a buffer of 8 bytes
        -->
  <hexdata>
    00010431 01900005 0000059a 05330000
    0125059a 05330000 03a00066 02120000
    02000400 00000000 00008000 00270000
    00000000 00000000 00004745 4d000000
    0020f002 064afda8 000008bf 0258
  </hexdata>
</OS_2>

Also a traceback is available in the link above (which appears to reference the same fonttools files as the ttx dump above).
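Added example (not fontTools code and not posted by anyone in this thread): a small, length-checked reader for the two structures that fail on this page, the sfnt offset table and table directory from the original report, and the OS/2 table from the ttx dump above. Both tracebacks end in struct.unpack on a buffer shorter than the struct, which surfaces as struct.error rather than the TTLibError that callers (including the fuzz harness) catch. The example checks the remaining length before every unpack and raises a typed error instead. Its two sample inputs are taken from this page: the 12-byte crash input, whose numTables field is 75 although no table records follow, and the 78-byte OS/2 hexdata, which is exactly the size of the version 0 layout while its version field reads 1, so the 8-byte version 1 addition (ulCodePageRange1/2) is missing. TruncatedDataError, checked_unpack, build_sfnt and inspect_font are names I chose for this demonstration, not fontTools APIs.

```python
# Added example for this issue (not fontTools code). It models just enough of the
# sfnt table directory and the OS/2 table to show why both inputs on this page
# fail: a fixed-size struct is read without checking that enough bytes remain.
# TruncatedDataError, checked_unpack, build_sfnt and inspect_font are my own
# names for this demonstration, not fontTools APIs.
import struct


class TruncatedDataError(ValueError):
    """Typed 'not enough bytes' error that a caller or fuzz harness can catch,
    unlike the bare struct.error in the reported traceback."""


def checked_unpack(fmt, data, offset, what):
    """Unpack fmt at offset; raise TruncatedDataError instead of struct.error."""
    size = struct.calcsize(fmt)
    avail = len(data) - offset
    if avail < size:
        raise TruncatedDataError(f"{what}: need {size} bytes, {avail} available")
    return struct.unpack_from(fmt, data, offset), offset + size


# Big-endian layouts from the OpenType spec.
SFNT_HEADER = ">4sHHHH"   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = ">4sLLL"   # tag, checkSum, offset, length
# OS/2 version 0 is 78 bytes; version 1 appends ulCodePageRange1/2 (8 bytes).
OS2_V0 = ">HhHHH" + "h" * 11 + "10s4L4sHHHhhhHH"
OS2_V0_NAMES = (
    "version", "xAvgCharWidth", "usWeightClass", "usWidthClass", "fsType",
    "ySubscriptXSize", "ySubscriptYSize", "ySubscriptXOffset", "ySubscriptYOffset",
    "ySuperscriptXSize", "ySuperscriptYSize", "ySuperscriptXOffset",
    "ySuperscriptYOffset", "yStrikeoutSize", "yStrikeoutPosition", "sFamilyClass",
    "panose", "ulUnicodeRange1", "ulUnicodeRange2", "ulUnicodeRange3",
    "ulUnicodeRange4", "achVendID", "fsSelection", "usFirstCharIndex",
    "usLastCharIndex", "sTypoAscender", "sTypoDescender", "sTypoLineGap",
    "usWinAscent", "usWinDescent")
OS2_V1_ADDITION = ">LL"
assert struct.calcsize(OS2_V0) == 78 and len(OS2_V0_NAMES) == 30


def parse_sfnt_directory(data):
    """Return {tag: table bytes} for a single-font sfnt, validating sizes first."""
    (version, num_tables, *_rest), off = checked_unpack(SFNT_HEADER, data, 0, "sfnt header")
    if version not in (b"OTTO", b"true", b"\x00\x01\x00\x00"):
        raise ValueError(f"unsupported sfntVersion {version!r}")
    # numTables alone fixes the minimum file size, so reject before looping.
    needed = 12 + 16 * num_tables
    if len(data) < needed:
        raise TruncatedDataError(
            f"table directory: numTables={num_tables} needs {needed} bytes, file has {len(data)}")
    tables = {}
    for i in range(num_tables):
        (tag, _checksum, t_off, t_len), off = checked_unpack(
            TABLE_RECORD, data, off, f"table record {i}")
        if t_off + t_len > len(data):  # record points past the end of the file
            raise TruncatedDataError(
                f"table {tag!r}: offset+length {t_off + t_len} exceeds file size {len(data)}")
        tables[tag] = data[t_off:t_off + t_len]
    return tables


def parse_os2(data):
    """Decode OS/2 version 0 fields plus the version 1 addition when declared."""
    values, off = checked_unpack(OS2_V0, data, 0, "OS/2 version 0 fields")
    os2 = dict(zip(OS2_V0_NAMES, values))
    if os2["version"] >= 1:
        (cp1, cp2), off = checked_unpack(
            OS2_V1_ADDITION, data, off, f"OS/2 version {os2['version']} addition")
        os2["ulCodePageRange1"], os2["ulCodePageRange2"] = cp1, cp2
    os2["extra"] = data[off:]  # versions 2-5 add more fields; not modelled here
    return os2


def build_sfnt(tables):
    """Wrap {tag: bytes} in a minimal single-font sfnt (no checksums or padding;
    a fixture for the parser above, not a font writer)."""
    num = len(tables)
    header = struct.pack(SFNT_HEADER, b"OTTO", num, 0, 0, 0)
    records, body = b"", b""
    for tag, payload in tables.items():
        records += struct.pack(TABLE_RECORD, tag, 0, 12 + 16 * num + len(body), len(payload))
        body += payload
    return header + records + body


def inspect_font(blob):
    """Harness-style entry point: ('ok', os2 dict) or ('truncated', message).
    Assumes the font carries an OS/2 table."""
    try:
        tables = parse_sfnt_directory(blob)
        return "ok", parse_os2(tables[b"OS/2"])
    except TruncatedDataError as e:
        return "truncated", str(e)


# The 12-byte crash input from the issue: "OTTO", numTables = 0x004b = 75, then
# nothing, so not even the first 16-byte table record can be read.
CRASH_INPUT = b"\x4f\x54\x54\x4f\x00\x4b\x46\x32\x74\x63\x70\x46"
# The 78-byte OS/2 table from the ttx dump above: version = 1, but only the
# version 0 body is present, hence "unpack requires a buffer of 8 bytes".
OS2_FROM_COMMENT = bytes.fromhex(
    "00010431019000050000059a05330000" "0125059a0533000003a0006602120000"
    "02000400000000000000800000270000" "0000000000000000000047454d000000"
    "0020f002064afda8000008bf0258")

if __name__ == "__main__":
    for label, blob in (("crash input", CRASH_INPUT),
                        ("truncated OS/2", build_sfnt({b"OS/2": OS2_FROM_COMMENT})),
                        ("OS/2 padded to version 1", build_sfnt({b"OS/2": OS2_FROM_COMMENT + bytes(8)}))):
        status, result = inspect_font(blob)
        print(label, "->", status, result if status != "ok" else f"vendor={result['achVendID']!r}")
```

Running the block prints one line per input. The third case appends eight zero bytes so the version 1 addition can be read; that is only there to show the size check passing, not a claim about what the real fonts should contain. The directory check before the loop is the cheap one worth copying: numTables alone bounds the minimum file size, so a 12-byte file claiming 75 tables is rejected with a message instead of reaching struct.unpack.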