[Pkg-fonts-bugs] Bug#550120: Found the problem

Simon Tatham anakin at pobox.com
Wed Oct 14 19:17:32 UTC 2009


Aha. I've now managed to reproduce the problem in a debuggable
fontforge, and tracked it down.

The segfault occurs because fontforge calls a PLT entry (for
_IO_putc) with a bogus value in EBX (which should hold the GOT
address). This bogus value arises due to stack corruption in
svg_pathdump() in fontforge/svg.c. The stack corruption occurs due
to the sprintf statement on svg.c line 200, which has format string
"c%g %g %g %g %g %g" but which targets a fixed-size buffer 60 bytes
long. A float formatted using %g can easily be twelve characters
long (e.g. "-0.000123456"), so six of those with spaces in between
have no trouble overflowing the output buffer.

I attach a trivial patch to svg.c which made the problem go away for
me by simply expanding the buffer by a factor of ten.

Cheers,
Simon
-- 
Simon Tatham         "I thought I'd put my foot so far into my mouth I
<anakin at pobox.com>    wouldn't be able to sit down without standing up."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/x-diff
Size: 407 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-fonts-bugs/attachments/20091014/71ea2c48/attachment.diff>
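The arithmetic behind the overflow described above, as an added example that is neither Simon's patch nor fontforge's own code: the same "c%g %g %g %g %g %g" format is measured with snprintf(NULL, 0, ...) to show how many bytes it really needs, the original 60-byte sprintf target is checked against that, and a bounded snprintf variant reports truncation instead of writing past the buffer. All function and macro names (svg_curve_len, svg_curve_fmt, svg_report_case_len, svg_report_case_fits, SVG_OLD_BUF, SVG_CURVE_BUF) are constructed for this illustration, as is the sample input.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not fontforge's code. Mirrors the sprintf on svg.c line 200
 * described in the report: six doubles formatted with "c%g %g %g %g %g %g".
 * Every name here is constructed for the illustration. */

#define SVG_OLD_BUF 60          /* size of the fixed buffer the report describes */

static const char *const CURVE_FMT = "c%g %g %g %g %g %g";

/* Upper bound for one %g at the default precision of 6: a sign, six
 * significant digits, a decimal point and a five-character exponent such as
 * "e-308" give 13 bytes.  Six of those, five separating spaces, the leading
 * 'c' and the NUL make a buffer that can never overflow with this format. */
#define SVG_CURVE_BUF (1 + 6 * 13 + 5 + 1)

/* Bytes (excluding the NUL) the formatted curve command needs.
 * snprintf with a NULL buffer and size 0 is the C99 way to measure. */
int svg_curve_len(const double p[6])
{
    return snprintf(NULL, 0, CURVE_FMT, p[0], p[1], p[2], p[3], p[4], p[5]);
}

/* Would the original sprintf into a 60-byte buffer have written past its end? */
bool svg_curve_overflows_old_buf(const double p[6])
{
    return svg_curve_len(p) + 1 > SVG_OLD_BUF;   /* +1 for the NUL */
}

/* Hardened form: bounded write with the real buffer size, and truncation is
 * reported to the caller instead of silently corrupting the stack.
 * Returns true on success, false if buf was too small. */
bool svg_curve_fmt(char *buf, size_t bufsz, const double p[6])
{
    int n = snprintf(buf, bufsz, CURVE_FMT, p[0], p[1], p[2], p[3], p[4], p[5]);
    return n >= 0 && (size_t)n < bufsz;
}

/* Constructed input: the 12-character value quoted in the report, six times. */
static const double report_case[6] = {-0.000123456, -0.000123456, -0.000123456,
                                      -0.000123456, -0.000123456, -0.000123456};

int svg_report_case_len(void)
{
    return svg_curve_len(report_case);
}

/* Does the report's case fit into a buffer of bufsz bytes (capped at the
 * safe bound) when written with the bounded variant? */
bool svg_report_case_fits(size_t bufsz)
{
    char buf[SVG_CURVE_BUF];
    if (bufsz > sizeof buf)
        bufsz = sizeof buf;
    return svg_curve_fmt(buf, bufsz, report_case);
}

int main(void)
{
    char buf[SVG_CURVE_BUF];

    printf("needed: %d bytes + NUL, old buffer: %d, overflow: %s\n",
           svg_report_case_len(), SVG_OLD_BUF,
           svg_curve_overflows_old_buf(report_case) ? "yes" : "no");
    if (svg_curve_fmt(buf, sizeof buf, report_case))
        printf("%s\n", buf);
    return 0;
}
```

The report's own case needs 78 bytes plus the terminator, 19 past the original buffer; the patch attached above widens the buffer, while the bounded variant here additionally makes any future format change fail visibly rather than overwrite the saved EBX and return address.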