Hello,

I found a crashing bug in fontconfig (in "cooperation" with freetype). The bug was found by fuzzing with American Fuzzy Lop.

The bug is in fcfreetype.c:1394. That line contains "strcpy(psname, tmp);". That particular line is reached only if a preceding "tmp = FT_Get_Postscript_Name (face);" returns a value (string), which it does using our corrupted font. psname is a statically defined 256-byte array. But "tmp" can contain a seemingly arbitrary length string (at least with my corrupted font), so strcpy will overwrite the stack frame contents.

It does not seem to be immediately exploitable as remote code execution - but someone smarter may find a way. Even if it is not directly exploitable, it can be used for DoS attacks. For example my Linux Mint 17 was unable to load the desktop environment with this font installed.

Corrupt font: http://xm.liiv.me/fontconfig_crasher.ttf

Testcase: fc-scan fontconfig_crasher.ttf

Regards,
-- 
Tanel Liiv
tanel@xxxxxxx

_______________________________________________
Fontconfig mailing list
Fontconfig@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/fontconfig
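The defect the report describes is an unbounded strcpy() of a font-supplied string into a fixed 256-byte buffer. The following is an added example, not fontconfig's code or its eventual patch: a bounded copy helper that either fits the name (NUL included) into the fixed buffer or rejects it, plus two small demo functions that exercise it with constructed names. PSNAME_LEN, copy_psname, scan_psname_checked and the demo functions are my own names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Size of the fixed PostScript-name buffer; the report says psname is a
 * statically defined 256-byte array (the constant name is assumed). */
#define PSNAME_LEN 256

/* Vulnerable pattern quoted in the report (deliberately not called here):
 *     strcpy (psname, tmp);
 * tmp comes straight from FT_Get_Postscript_Name (face), i.e. from the
 * font file, so its length is under the font author's control. */

/* Hardened replacement: copy src into dst only if it fits, terminating
 * NUL included. On failure dst is left as an empty string so a caller
 * can fall back to another name source rather than use stale bytes.
 * memchr is bounded by dst_len, so an overlong or unterminated input
 * is never scanned past the size of the destination either. */
bool
copy_psname (char *dst, size_t dst_len, const char *src)
{
    const char *nul;

    if (dst == NULL || dst_len == 0)
        return false;
    dst[0] = '\0';
    if (src == NULL)
        return false;

    nul = memchr (src, '\0', dst_len);
    if (nul == NULL)            /* no NUL within dst_len bytes: too long */
        return false;

    memcpy (dst, src, (size_t) (nul - src) + 1);  /* <= dst_len bytes */
    return true;
}

/* Mirrors the call site in the report with the bounded copy in place. */
bool
scan_psname_checked (const char *name_from_font, char psname[PSNAME_LEN])
{
    return copy_psname (psname, PSNAME_LEN, name_from_font);
}

/* Constructed input: a 300-character name, far past the 256-byte buffer.
 * Returns true when it is rejected and the buffer is left empty. */
bool
demo_overlong_rejected (void)
{
    char name[301];
    char psname[PSNAME_LEN];

    memset (name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return !scan_psname_checked (name, psname) && psname[0] == '\0';
}
```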