[Fontconfig] Buffer overflow in FC

Tanel Liiv tanel at liiv.me
Thu Dec 11 09:06:05 PST 2014


I found a crashing bug in fontconfig(in "cooperation" with freetype).
The bug was found by fuzzying with American Fuzzy Lop.

The bug is in fcfreetype.c:1394. That line contains "strcpy(psname,
tmp);". That partical line is reached only if a preceeding
"tmp = FT_Get_Postscript_Name (face);" returns a value(string), which it
does using our corrupted font.

psname is a statically defined 256byte array. But "tmp" can contain a
seemingly arbitrary length string(at least with my corrupted font), so
strcpy will overwrite the stack frame contents.

It does not seem to be immediately exploitable as remote code execution
- but someone smarter may find a way.

Even if it is not directly exploitable, it can be used for DOS attacks.
For example my Linux Mint 17 was unable to load the desktop environment
with this font installed.

Corrupt font: 

fc-scan fontconfig_crasher.ttf


  Tanel Liiv
  tanel at liiv.me

More information about the Fontconfig mailing list