[Fontconfig] Buffer overflow in FC

Behdad Esfahbod behdad at behdad.org
Fri Dec 12 21:43:47 PST 2014

On 14-12-11 09:06 AM, Tanel Liiv wrote:
> Hello,
> I found a crashing bug in fontconfig(in "cooperation" with freetype).
> The bug was found by fuzzying with American Fuzzy Lop.
> The bug is in fcfreetype.c:1394. That line contains "strcpy(psname,
> tmp);". That partical line is reached only if a preceeding
> "tmp = FT_Get_Postscript_Name (face);" returns a value(string), which it
> does using our corrupted font.
> psname is a statically defined 256byte array. But "tmp" can contain a
> seemingly arbitrary length string(at least with my corrupted font), so
> strcpy will overwrite the stack frame contents.
> It does not seem to be immediately exploitable as remote code execution
> - but someone smarter may find a way.
> Even if it is not directly exploitable, it can be used for DOS attacks.
> For example my Linux Mint 17 was unable to load the desktop environment
> with this font installed.
> Corrupt font: 
> http://xm.liiv.me/fontconfig_crasher.ttf

Thanks for the report.  I couldn't download the font.

Fix pushed out:




> Testcase:
> fc-scan fontconfig_crasher.ttf
> Regards,


More information about the Fontconfig mailing list