Buffer overflow in FC

Hello,

I found a crashing bug in fontconfig (in "cooperation" with freetype).
The bug was found by fuzzing with American Fuzzy Lop.

The bug is in fcfreetype.c:1394. That line contains "strcpy(psname,
tmp);". That particular line is reached only if a preceding
"tmp = FT_Get_Postscript_Name (face);" returns a value (string), which it
does using our corrupted font.

psname is a statically defined 256-byte array. But "tmp" can contain a
seemingly arbitrary length string (at least with my corrupted font), so
strcpy will overwrite the stack frame contents.

It does not seem to be immediately exploitable as remote code execution
- but someone smarter may find a way.

Even if it is not directly exploitable, it can be used for DoS attacks.
For example my Linux Mint 17 was unable to load the desktop environment
with this font installed.

Corrupt font: 
http://xm.liiv.me/fontconfig_crasher.ttf

Testcase:
fc-scan fontconfig_crasher.ttf

Regards,

-- 
  Tanel Liiv
  tanel@xxxxxxx
_______________________________________________
Fontconfig mailing list
Fontconfig@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/fontconfig
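The pattern the report describes, as an added illustration that is not fontconfig's code: a 256-byte stack buffer filled by an unbounded strcpy() from a name the font file controls, next to a length-checked copy that rejects names which do not fit. get_postscript_name() and constructed_name() are stand-ins invented for this example; the hardened variant is one possible fix, not necessarily the one the project adopted.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the 256-byte psname[] stack buffer in fcfreetype.c. */
#define PSNAME_LEN 256

/* Hypothetical stand-in for FT_Get_Postscript_Name(): hands back
 * whatever name the (possibly corrupt) font supplies, with no bound. */
static const char *get_postscript_name(const char *font_supplied_name)
{
    return font_supplied_name;
}

/* The reported pattern: strcpy() with no length check. A name of 256
 * bytes or more overruns psname and the saved stack frame behind it. */
static void copy_psname_unbounded(const char *tmp, char psname[PSNAME_LEN])
{
    strcpy(psname, tmp);
}

/* Hardened variant: refuse names that do not fit together with the
 * terminating NUL. Returns 1 on success, 0 on rejection (psname left
 * empty so later code never reads stale stack contents). */
static int copy_psname_bounded(const char *tmp, char psname[PSNAME_LEN])
{
    size_t len = strlen(tmp);
    if (len >= PSNAME_LEN) {
        psname[0] = '\0';
        return 0;
    }
    memcpy(psname, tmp, len + 1);
    return 1;
}

/* Builds a constructed test name of 'len' bytes of 'A' (capped at 1023). */
static const char *constructed_name(size_t len)
{
    static char buf[1024];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    char psname[PSNAME_LEN];
    copy_psname_unbounded(get_postscript_name("ShortName"), psname); /* fits */
    const char *tmp = get_postscript_name(constructed_name(600));     /* does not */
    if (!copy_psname_bounded(tmp, psname))
        printf("rejected %zu-byte PostScript name\n", strlen(tmp));
    return 0;
}
```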