Closed marcinguy closed 3 years ago
You want to look at function sfnt_get_var_ps_name, which in your file is on line 35217. And you want to look at basic blocks 1 -> 135 -> 288 -> ...
The path is feasible, but unless the tool spits out that the attack is possible, it means you can reach that block but likely can't trigger the bug.
On LLVM -> C: You can take on #6 :)
Sounds like a great project. Would like to dig deeper into it.
Can you elaborate with more words, maybe a C equivalent of the code to see the bug?
I am new to LLVM, and the *.ll (LLVM IR) output seems kind of cryptic. Where can I learn more to understand it? LL LLVM syntax (LLVM IR)? Showing it with your example would be a great help.
I ran it on a sample project (freetype2) and got results with concroob check, i.e.
How to interpret it?
Below is the sfnt.ll for reference.
https://github.com/marcinguy/public/blob/master/sfnt.ll