On 14-12-11 09:06 AM, Tanel Liiv wrote:
> Hello,
>
> I found a crashing bug in fontconfig (in "cooperation" with freetype).
> The bug was found by fuzzing with American Fuzzy Lop.
>
> The bug is in fcfreetype.c:1394. That line contains "strcpy(psname,
> tmp);". That particular line is reached only if a preceding
> "tmp = FT_Get_Postscript_Name (face);" returns a value (string), which it
> does using our corrupted font.
>
> psname is a statically defined 256-byte array. But "tmp" can contain a
> seemingly arbitrary length string (at least with my corrupted font), so
> strcpy will overwrite the stack frame contents.
>
> It does not seem to be immediately exploitable as remote code execution
> - but someone smarter may find a way.
>
> Even if it is not directly exploitable, it can be used for DoS attacks.
> For example my Linux Mint 17 was unable to load the desktop environment
> with this font installed.
>
> Corrupt font:
> http://xm.liiv.me/fontconfig_crasher.ttf

Thanks for the report. I couldn't download the font.

Fix pushed out:
http://cgit.freedesktop.org/fontconfig/commit/?id=fc7e1a9497919c88d790d9395eb01cd7d5121507

Thanks!
behdad

> Testcase:
> fc-scan fontconfig_crasher.ttf
>
> Regards,
> --

behdad
http://behdad.org/
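The defect described in the thread is an unbounded `strcpy` from a font-supplied string into a fixed 256-byte stack buffer. The following is an added example, not fontconfig's code and not the contents of the linked fix commit: it shows a bounded replacement for that copy, a reject-rather-than-truncate check, and a small harness that feeds a constructed 300-byte PostScript name through both. `PSNAME_MAX`, `NAME_CAP`, and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer named in the report (assumed stand-in
 * for fontconfig's own psname array; this is not fontconfig code). */
#define PSNAME_MAX 256

/* Bounded replacement for "strcpy(psname, tmp);": copies at most dstsz-1
 * bytes and always NUL-terminates. Returns 0 if src fit, 1 if it was
 * truncated, -1 on a bad argument. */
int copy_psname_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return -1;
    if (src == NULL) {
        dst[0] = '\0';
        return -1;
    }
    /* Search for the terminator only within dstsz bytes, so an oversized
     * or unterminated src never drives a copy past the destination. */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Reject-rather-than-truncate policy: 1 if src (including its NUL)
 * fits in a buffer of dstsz bytes, 0 otherwise. */
int psname_fits(const char *src, size_t dstsz)
{
    return src != NULL && dstsz > 0 && memchr(src, '\0', dstsz) != NULL;
}

/* Constructed stand-in for a corrupted font's PostScript name: name_len
 * bytes of 'A'. The source buffer is deliberately larger than PSNAME_MAX
 * so the source is always valid memory; only the destination is small. */
#define NAME_CAP 1024
static void make_name(char *buf, size_t name_len)
{
    if (name_len > NAME_CAP - 1)
        name_len = NAME_CAP - 1;
    memset(buf, 'A', name_len);
    buf[name_len] = '\0';
}

/* Simulates the load step with the bounded copy and returns the length
 * that actually ends up in the 256-byte psname buffer. */
size_t stored_psname_len(size_t name_len)
{
    char tmp[NAME_CAP];
    char psname[PSNAME_MAX];
    make_name(tmp, name_len);
    copy_psname_bounded(psname, sizeof psname, tmp);
    return strlen(psname);
}

/* Same step, returning the truncation flag instead of the length. */
int psname_was_truncated(size_t name_len)
{
    char tmp[NAME_CAP];
    char psname[PSNAME_MAX];
    make_name(tmp, name_len);
    return copy_psname_bounded(psname, sizeof psname, tmp);
}

/* Whether a name of name_len bytes would pass the reject policy. */
int long_name_fits(size_t name_len)
{
    char tmp[NAME_CAP];
    make_name(tmp, name_len);
    return psname_fits(tmp, PSNAME_MAX);
}

int main(void)
{
    printf("300-byte name: stored %zu bytes, truncated=%d, fits=%d\n",
           stored_psname_len(300), psname_was_truncated(300),
           long_name_fits(300));
    printf("  8-byte name: stored %zu bytes, truncated=%d, fits=%d\n",
           stored_psname_len(8), psname_was_truncated(8),
           long_name_fits(8));
    return 0;
}
```

The two policies differ in what a consumer sees: truncation keeps loading the font with a shortened name, while the reject check lets the caller treat an over-long name as a malformed font and skip it. Either removes the stack overwrite; which one a project picks is a design decision, and the boundary case (exactly 255 bytes plus NUL fits, 256 does not) is worth an explicit test.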