[Fontconfig] Buffer overflow in FC
Behdad Esfahbod
behdad at behdad.org
Fri Dec 12 21:43:47 PST 2014
On 14-12-11 09:06 AM, Tanel Liiv wrote:
> Hello,
>
> I found a crashing bug in fontconfig (in "cooperation" with freetype).
> The bug was found by fuzzing with American Fuzzy Lop.
>
> The bug is in fcfreetype.c:1394. That line contains "strcpy(psname,
> tmp);". That particular line is reached only if a preceding
> "tmp = FT_Get_Postscript_Name (face);" returns a value (string), which it
> does using our corrupted font.
>
> psname is a statically defined 256-byte array. But "tmp" can contain a
> seemingly arbitrary length string (at least with my corrupted font), so
> strcpy will overwrite the stack frame contents.
>
> It does not seem to be immediately exploitable as remote code execution
> - but someone smarter may find a way.
>
> Even if it is not directly exploitable, it can be used for DoS attacks.
> For example my Linux Mint 17 was unable to load the desktop environment
> with this font installed.
>
> Corrupt font:
> http://xm.liiv.me/fontconfig_crasher.ttf
Thanks for the report. I couldn't download the font.
Fix pushed out:
http://cgit.freedesktop.org/fontconfig/commit/?id=fc7e1a9497919c88d790d9395eb01cd7d5121507
Thanks!
behdad
> Testcase:
> fc-scan fontconfig_crasher.ttf
>
> Regards,
>
--
behdad
http://behdad.org/
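The defect described in the report is a classic unbounded strcpy() from an attacker-controlled string (here, the PostScript name read out of a font file) into a fixed 256-byte stack buffer. The following is an added example, not fontconfig's code and not the contents of the linked fix commit; it shows the bounds check a reviewer would expect in place of the bare strcpy(): measure the source without reading past the destination size, reject it if it does not fit with its terminator, and only then copy. The function copy_psname_checked(), the constant PSNAME_SIZE and the 300-byte sample name are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer named in the report (psname, 256 bytes). */
#define PSNAME_SIZE 256

/* Hypothetical hardened replacement for "strcpy(psname, tmp);".
 * Copies src into dst only if it fits, terminator included; otherwise
 * leaves dst as an empty string and reports failure so the caller can
 * skip the name instead of overrunning the stack frame. */
bool copy_psname_checked(char dst[PSNAME_SIZE], const char *src)
{
    dst[0] = '\0';
    if (src == NULL)
        return false;

    /* Bounded length scan: never reads more than PSNAME_SIZE bytes of src,
     * so an oversized or unterminated name cannot cause an overflow here. */
    size_t n = 0;
    while (n < PSNAME_SIZE && src[n] != '\0')
        n++;

    if (n >= PSNAME_SIZE)   /* no room left for the NUL: reject, do not copy */
        return false;

    memcpy(dst, src, n + 1); /* n bytes plus the terminator */
    return true;
}

/* A well-formed name is accepted and copied intact. */
bool demo_accepts_normal_name(void)
{
    char psname[PSNAME_SIZE];
    return copy_psname_checked(psname, "ExampleSans-Bold")
        && strcmp(psname, "ExampleSans-Bold") == 0;
}

/* A constructed 300-byte name (standing in for the oversized string the
 * fuzzed font produced) is rejected and psname stays empty. */
bool demo_rejects_oversized_name(void)
{
    char oversized[301];
    memset(oversized, 'A', 300);
    oversized[300] = '\0';

    char psname[PSNAME_SIZE];
    bool ok = copy_psname_checked(psname, oversized);
    return !ok && psname[0] == '\0';
}

/* Boundary check: 255 characters plus NUL fit exactly; 256 do not. */
bool demo_boundary(void)
{
    char name[257];
    char psname[PSNAME_SIZE];

    memset(name, 'B', 256);
    name[255] = '\0';                       /* 255 chars: fits */
    bool fits = copy_psname_checked(psname, name);

    name[255] = 'B';
    name[256] = '\0';                       /* 256 chars: one too many */
    bool too_long = copy_psname_checked(psname, name);

    return fits && !too_long;
}

int main(void)
{
    printf("normal name accepted:   %s\n", demo_accepts_normal_name() ? "yes" : "no");
    printf("oversized name rejected: %s\n", demo_rejects_oversized_name() ? "yes" : "no");
    printf("boundary behaves:        %s\n", demo_boundary() ? "yes" : "no");
    return 0;
}
```

Rejecting rather than silently truncating is a deliberate choice here: a truncated PostScript name would still be a wrong name, and a strncpy()-style copy that fills the buffer without a terminator would only move the bug to the next strlen() on psname.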