Nice, thanks for the fix. Also the link should work again: http://xm.liiv.me/fontconfig_crasher.ttf

--
Tanel Liiv
tanel@xxxxxxx

On Fri, Dec 12, 2014, at 09:43 PM, Behdad Esfahbod wrote:
> On 14-12-11 09:06 AM, Tanel Liiv wrote:
> > Hello,
> >
> > I found a crashing bug in fontconfig (in "cooperation" with freetype).
> > The bug was found by fuzzing with American Fuzzy Lop.
> >
> > The bug is in fcfreetype.c:1394. That line contains "strcpy(psname,
> > tmp);". That particular line is reached only if a preceding
> > "tmp = FT_Get_Postscript_Name (face);" returns a value (string), which it
> > does using our corrupted font.
> >
> > psname is a statically defined 256-byte array. But "tmp" can contain a
> > seemingly arbitrary-length string (at least with my corrupted font), so
> > strcpy will overwrite the stack frame contents.
> >
> > It does not seem to be immediately exploitable as remote code execution
> > - but someone smarter may find a way.
> >
> > Even if it is not directly exploitable, it can be used for DoS attacks.
> > For example my Linux Mint 17 was unable to load the desktop environment
> > with this font installed.
> >
> > Corrupt font:
> > http://xm.liiv.me/fontconfig_crasher.ttf
>
> Thanks for the report. I couldn't download the font.
>
> Fix pushed out:
>
> http://cgit.freedesktop.org/fontconfig/commit/?id=fc7e1a9497919c88d790d9395eb01cd7d5121507
>
> Thanks!
>
> behdad
>
> > Testcase:
> > fc-scan fontconfig_crasher.ttf
> >
> > Regards,
> >
>
> --
> behdad
> http://behdad.org/

_______________________________________________
Fontconfig mailing list
Fontconfig@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/fontconfig
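The bug pattern described in the thread, shown as an added example that is not fontconfig's code and is not the patch in the linked commit: an unbounded strcpy() into a fixed 256-byte buffer, next to a bounded copy that rejects a PostScript name which would not fit. The function names (set_psname_unbounded, set_psname_bounded, demo_bounded_copy), the 256-byte size taken from the report, and the over-long name standing in for what FT_Get_Postscript_Name() returns on the crafted font are all this example's own assumptions; the crafted name is constructed inline, not taken from the reporter's font.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Buffer size from the report: psname is a 256-byte array. */
#define PSNAME_LEN 256

/* The vulnerable shape described in the report: strcpy() writes
 * strlen(tmp)+1 bytes no matter how large the destination is. It is kept
 * here only as the 'before' form and is never called with an over-long
 * name in this example, because that would be undefined behaviour. */
void set_psname_unbounded(char *psname, const char *tmp)
{
    strcpy(psname, tmp);
}

/* Length of s, but never scanning more than max bytes (a portable
 * stand-in for strnlen(), so a huge name is not walked in full). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form (this example's own design, not fontconfig's fix):
 * reject any name that does not fit together with its terminator, and
 * never write beyond dstsz. On rejection the destination is left as an
 * empty string so a caller cannot read stale bytes. Returns 0 on success,
 * -1 if the name was rejected. */
int set_psname_bounded(char *psname, size_t dstsz, const char *tmp)
{
    size_t n;
    if (psname == NULL || dstsz == 0)
        return -1;
    if (tmp == NULL) {
        psname[0] = '\0';
        return -1;
    }
    n = bounded_len(tmp, dstsz);
    if (n >= dstsz) {            /* no room for the NUL: would overflow */
        psname[0] = '\0';
        return -1;
    }
    memcpy(psname, tmp, n + 1);  /* n bytes plus the terminator */
    return 0;
}

/* Constructed stand-in for the name a crafted font makes
 * FT_Get_Postscript_Name() return: well past the 256-byte buffer. */
static char crafted_name[PSNAME_LEN + 200];

const char *constructed_long_postscript_name(void)
{
    memset(crafted_name, 'A', sizeof crafted_name - 1);
    crafted_name[sizeof crafted_name - 1] = '\0';
    return crafted_name;
}

/* Exercises the bounded copy with a normal name (constructed) and with the
 * crafted one. Returns 1 if the normal name is copied intact and the
 * crafted name is rejected with the buffer left empty, else 0. */
int demo_bounded_copy(void)
{
    char psname[PSNAME_LEN];
    int rc_short, rc_long, short_ok;

    rc_short = set_psname_bounded(psname, sizeof psname, "DejaVuSans-Bold");
    short_ok = (rc_short == 0 && strcmp(psname, "DejaVuSans-Bold") == 0);

    rc_long = set_psname_bounded(psname, sizeof psname,
                                 constructed_long_postscript_name());
    return short_ok && rc_long == -1 && psname[0] == '\0';
}

int main(void)
{
    printf("%s\n", demo_bounded_copy()
                       ? "bounded copy: normal name accepted, crafted name rejected"
                       : "FAIL");
    return 0;
}
```

The check that matters is `n >= dstsz`: a name of exactly 255 bytes fits, one of 256 does not, because the terminator needs its own byte. Replacing strcpy() with strncpy(psname, tmp, 256) alone would not be enough, since strncpy() leaves the buffer unterminated when the source is too long.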