[Fontconfig] Buffer overflow in FC
Tanel Liiv
tanel at liiv.me
Sat Dec 13 02:31:51 PST 2014
Nice,
Thanks for the fix. Also the link should work again:
http://xm.liiv.me/fontconfig_crasher.ttf
--
Tanel Liiv
tanel at liiv.me
On Fri, Dec 12, 2014, at 09:43 PM, Behdad Esfahbod wrote:
> On 14-12-11 09:06 AM, Tanel Liiv wrote:
> > Hello,
> >
> > I found a crashing bug in fontconfig (in "cooperation" with freetype).
> > The bug was found by fuzzing with American Fuzzy Lop.
> >
> > The bug is in fcfreetype.c:1394. That line contains "strcpy(psname,
> > tmp);". That particular line is reached only if a preceding
> > "tmp = FT_Get_Postscript_Name (face);" returns a value (string), which it
> > does using our corrupted font.
> >
> > psname is a statically defined 256-byte array. But "tmp" can contain a
> > seemingly arbitrary length string (at least with my corrupted font), so
> > strcpy will overwrite the stack frame contents.
> >
> > It does not seem to be immediately exploitable as remote code execution
> > - but someone smarter may find a way.
> >
> > Even if it is not directly exploitable, it can be used for DOS attacks.
> > For example my Linux Mint 17 was unable to load the desktop environment
> > with this font installed.
> >
> > Corrupt font:
> > http://xm.liiv.me/fontconfig_crasher.ttf
>
> Thanks for the report. I couldn't download the font.
>
> Fix pushed out:
>
>
> http://cgit.freedesktop.org/fontconfig/commit/?id=fc7e1a9497919c88d790d9395eb01cd7d5121507
>
> Thanks!
>
> behdad
>
> > Testcase:
> > fc-scan fontconfig_crasher.ttf
> >
> > Regards,
> >
>
> --
> behdad
> http://behdad.org/
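The report above describes an unbounded strcpy() from a font-supplied PostScript name into a fixed 256-byte stack array. The following is an added illustration, not fontconfig's or freetype's own code, of the defensive pattern such a copy needs: measure the source against the destination size before copying, never read past the bound, and fail closed when the name does not fit. The destination size, the function name copy_postscript_name and the constructed sample names are all assumptions made for this example.

```c
/* Added example: bounded replacement for "strcpy(psname, tmp)".
 * Not fontconfig code; buffer size and names are assumptions. */
#include <stdio.h>
#include <string.h>

#define PSNAME_LEN 256   /* assumed size of the fixed psname[] array */

/* Length of `s` up to `max` bytes, without reading past `max`.
 * Returns max when no NUL terminator is found within the bound. */
static size_t bounded_strlen(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Copy `src` into psname[PSNAME_LEN]. Returns 0 on success, -1 when the
 * source (including its terminator) would not fit; on failure psname is
 * left as an empty string rather than a truncated, misleading name. */
int copy_postscript_name(char psname[PSNAME_LEN], const char *src)
{
    if (src == NULL) {
        psname[0] = '\0';
        return -1;
    }
    /* Need room for the NUL: a name of PSNAME_LEN or more bytes is rejected. */
    size_t n = bounded_strlen(src, PSNAME_LEN);
    if (n >= PSNAME_LEN) {
        psname[0] = '\0';
        return -1;
    }
    memcpy(psname, src, n + 1);   /* n bytes plus the terminator */
    return 0;
}

/* Constructed sample: the kind of over-long name a corrupted font might
 * yield. Fills `out` (of size `cap`) with `len` copies of 'A'. */
static void constructed_long_name(char *out, size_t cap, size_t len)
{
    if (len >= cap)
        len = cap - 1;
    memset(out, 'A', len);
    out[len] = '\0';
}

int main(void)
{
    char psname[PSNAME_LEN];
    char longname[1024];

    /* A normal name fits and is copied verbatim. */
    printf("short: rc=%d psname=\"%s\"\n",
           copy_postscript_name(psname, "Example-Regular"), psname);

    /* A name of 600 bytes would have overflowed strcpy(); here it is refused. */
    constructed_long_name(longname, sizeof longname, 600);
    printf("long:  rc=%d psname=\"%s\"\n",
           copy_postscript_name(psname, longname), psname);
    return 0;
}
```

The check rejects rather than silently truncates because a truncated PostScript name would still be handed to later code as if it were the font's real name; refusing it keeps the error visible at the point where the untrusted input is consumed.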