[Fontconfig] Buffer overflow in FC
Tanel Liiv
tanel at liiv.me
Thu Dec 11 09:06:05 PST 2014
Hello,
I found a crashing bug in fontconfig (in "cooperation" with freetype).
The bug was found by fuzzing with American Fuzzy Lop.
The bug is in fcfreetype.c:1394. That line contains "strcpy(psname,
tmp);". That particular line is reached only if a preceding
"tmp = FT_Get_Postscript_Name (face);" returns a value (string), which it
does using our corrupted font.
psname is a statically defined 256-byte array. But "tmp" can contain a
seemingly arbitrary length string (at least with my corrupted font), so
strcpy will overwrite the stack frame contents.
It does not seem to be immediately exploitable as remote code execution
- but someone smarter may find a way.
Even if it is not directly exploitable, it can be used for DoS attacks.
For example my Linux Mint 17 was unable to load the desktop environment
with this font installed.
Corrupt font:
http://xm.liiv.me/fontconfig_crasher.ttf
Testcase:
fc-scan fontconfig_crasher.ttf
Regards,
--
Tanel Liiv
tanel at liiv.me
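The fix for the pattern the report describes is to bound the copy by the destination size and reject names that do not fit. The following is an added example, not fontconfig's or FreeType's code: copy_psname, load_psname and make_long_name are constructed for illustration, PSNAME_CAP mirrors the 256-byte stack array mentioned above, and the sample names are made up. It shows a caller with the same fixed-size buffer refusing an over-long name instead of overrunning the stack frame.

```c
/* Added example (not fontconfig's own code): a bounded replacement for the
 * unbounded "strcpy(psname, tmp)" pattern described in the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PSNAME_CAP 256   /* mirrors the 256-byte stack array in the report */

/* Copy a PostScript name from an untrusted source (the font file) into a
 * fixed-size buffer. Returns 1 on success, 0 if src is NULL or does not fit
 * together with its NUL terminator. On failure dst is an empty string, so a
 * caller never sees partially copied or unterminated data. */
int copy_psname(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return 0;
    dst[0] = '\0';
    if (src == NULL)
        return 0;
    /* memchr bounds the scan itself: we never read more than dstsz bytes of
     * src, even if it is not terminated within that range. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)                 /* no terminator within capacity: reject */
        return 0;
    size_t n = (size_t)(end - src);  /* n < dstsz, so n + 1 bytes always fit */
    memcpy(dst, src, n + 1);
    return 1;
}

/* Stand-in for the caller in the report: a 256-byte stack buffer that
 * receives whatever name the font parser hands back. Returns the length
 * stored, or -1 when the name was rejected. */
int load_psname(const char *name_from_font)
{
    char psname[PSNAME_CAP];
    if (!copy_psname(psname, sizeof psname, name_from_font))
        return -1;
    return (int)strlen(psname);
}

/* Builds a constructed name of the given length (all 'A'); caller frees. */
char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *fits = make_long_name(PSNAME_CAP - 1);  /* 255 chars + NUL fits */
    char *over = make_long_name(4096);            /* would overflow strcpy */
    printf("DejaVuSans-Bold -> %d\n", load_psname("DejaVuSans-Bold"));
    printf("255-char name   -> %d\n", load_psname(fits));
    printf("4096-char name  -> %d\n", load_psname(over));
    printf("NULL name       -> %d\n", load_psname(NULL));
    free(fits);
    free(over);
    return 0;
}
```

The design choice worth noting: rejecting rather than silently truncating. A truncated PostScript name is still a wrong answer for font matching, and a hard failure is also what a fuzzer like AFL will surface cleanly instead of a stack corruption that may or may not crash.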