How to fuzz FreeType

Font rendering library used by Linux, Android, and major browsers — long CVE history

FreeType parses untrusted TrueType, OpenType, and PostScript font files on every Linux distro and Android device. Font parsing is historically a top-three browser-exploit vector, and fuzzing the table parsers on each new release continues to yield CVEs.

Common bug classes

  • Heap overflows in the TrueType bytecode interpreter
  • Integer overflow in glyph metric arithmetic
  • Out-of-bounds reads in CFF (Compact Font Format) charstrings
  • Use-after-free on error paths through FT_Done_Face
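
As an added illustration of the integer-overflow and out-of-bounds-read classes (this is not FreeType's code), the checker below walks an sfnt table directory, the 12-byte header plus 16-byte records that TrueType and OpenType share, and compares a bounds check that wraps in 32-bit arithmetic with one that cannot overflow. The sample files are constructed inline, not real fonts, and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian field readers/writers for the sfnt table directory. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The overflow-prone form: uint32_t addition wraps, so an offset near
   0xFFFFFFFF plus a small length appears to "fit" inside a tiny file. */
int naive_in_bounds(uint32_t off, uint32_t len, uint32_t file_size) {
    return off + len <= file_size;
}

/* Hardened form: no intermediate result can exceed file_size. */
int safe_in_bounds(uint32_t off, uint32_t len, size_t file_size) {
    return off <= file_size && len <= file_size - off;
}

enum sfnt_result {
    SFNT_OK = 0, SFNT_TOO_SHORT, SFNT_BAD_VERSION, SFNT_DIR_OOB, SFNT_TABLE_OOB
};

/* Check that every table record's [offset, offset+length) lies inside the
   buffer. A parser must pass this before touching any table's bytes. */
enum sfnt_result sfnt_validate(const uint8_t *data, size_t size) {
    if (size < 12) return SFNT_TOO_SHORT;
    uint32_t version = be32(data);
    /* 0x00010000 = TrueType outlines, 'OTTO' = CFF outlines, 'true' = Apple. */
    if (version != 0x00010000u && version != 0x4F54544Fu && version != 0x74727565u)
        return SFNT_BAD_VERSION;
    uint16_t num_tables = be16(data + 4);
    /* 16 bytes per record: make sure the directory itself fits first. */
    if (!safe_in_bounds(12, (uint32_t)num_tables * 16u, size)) return SFNT_DIR_OOB;
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = data + 12 + (size_t)i * 16;
        uint32_t off = be32(rec + 8), len = be32(rec + 12);
        if (!safe_in_bounds(off, len, size)) return SFNT_TABLE_OOB;
    }
    return SFNT_OK;
}

/* Constructed sample (not a real font): header with numTables = 1, one
   record whose offset/length we choose, then 4 bytes of table payload. */
size_t make_sample(uint8_t *buf, uint32_t off, uint32_t len) {
    static const uint8_t hdr[12] = { 0x00, 0x01, 0x00, 0x00,  /* version 1.0 */
                                     0x00, 0x01,              /* numTables */
                                     0x00, 0x10, 0x00, 0x00, 0x00, 0x00 };
    memcpy(buf, hdr, 12);
    memcpy(buf + 12, "head", 4);    /* tag */
    put32(buf + 16, 0);             /* checksum, unused here */
    put32(buf + 20, off);
    put32(buf + 24, len);
    memset(buf + 28, 0, 4);         /* payload */
    return 32;
}

/* Returns 1 when all three constructed cases behave as the comments say. */
int sfnt_demo(void) {
    uint8_t buf[32];
    size_t n = make_sample(buf, 28, 4);              /* table exactly fills the file */
    int ok = sfnt_validate(buf, n) == SFNT_OK;
    n = make_sample(buf, 28, 8);                     /* runs 4 bytes past the end */
    ok &= sfnt_validate(buf, n) == SFNT_TABLE_OOB;
    n = make_sample(buf, 0xFFFFFFF0u, 0x20u);        /* wraps to 0x10 in 32-bit math */
    ok &= naive_in_bounds(0xFFFFFFF0u, 0x20u, (uint32_t)n) == 1;  /* fooled */
    ok &= sfnt_validate(buf, n) == SFNT_TABLE_OOB;                /* not fooled */
    return ok;
}

int main(void) {
    printf("sfnt bounds demo: %s\n", sfnt_demo() ? "all cases as expected" : "MISMATCH");
    return 0;
}
```

The third case is the one sanitizers are there to catch: the wrapped sum passes the naive comparison, and the subsequent read at offset 0xFFFFFFF0 is exactly the out-of-bounds access ASan reports in a fuzzing run. Rewriting the comparison so that neither operand can overflow is the usual fix.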

Recommended setup

Fuzzers

  • libFuzzer
  • AFL++

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <ft2build.h>
#include FT_FREETYPE_H
#include <stddef.h>
#include <stdint.h>

// libFuzzer entry point: every input is treated as a complete font file.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  FT_Library lib;
  if (FT_Init_FreeType(&lib)) return 0;
  FT_Face face;
  // FT_New_Memory_Face takes the length as FT_Long, so cast explicitly.
  if (FT_New_Memory_Face(lib, data, (FT_Long)size, 0, &face) == 0) {
    // Selecting a size enables hinting, so FT_Load_Glyph runs the TrueType
    // bytecode interpreter and CFF charstring paths listed above. Bitmap-only
    // fonts have no scalable size; fall back to their first strike.
    if (FT_Set_Pixel_Sizes(face, 0, 16) != 0 && face->num_fixed_sizes > 0)
      FT_Select_Size(face, 0);
    for (FT_UInt gi = 0; gi < (FT_UInt)face->num_glyphs && gi < 256; gi++) {
      if (FT_Load_Glyph(face, gi, FT_LOAD_DEFAULT) == 0) {
        // Rasterize as well so the renderer is covered, not only the parsers.
        FT_Render_Glyph(face->glyph, FT_RENDER_MODE_NORMAL);
      }
    }
    FT_Done_Face(face);  // teardown is itself a bug class listed above
  }
  FT_Done_FreeType(lib);
  return 0;
}

Save this as fuzz_target.cc, build it with your fuzzer and sanitizer flags against a FreeType that was compiled with the same sanitizer flags (an uninstrumented library yields no reports), and you have a working starting point.

Notable CVEs found by fuzzing

  • CVE-2020-15999
  • CVE-2022-27404

Start fuzzing FreeType on Fuzze.rs →

Push the harness above + a Dockerfile. First month 50% off.