[Pkg-fonts-bugs] Bug#605537: fontforge: buffer overflow when opening .BDF files

Ulrik Persson ddefrostt at gmail.com
Tue Nov 30 23:17:39 UTC 2010


Subject: fontforge: buffer overflow when opening .BDF files
Package: fontforge
Version: 0.0.20100501-2
Severity: important
Tags: security

Hello,

I have found a buffer overflow in fontforge when opening .BDF files. It is
a stack-based buffer overflow with full control over EIP, and it occurs
when parsing too long "CHARSET_REGISTRY" lines.

To reproduce, start fontforge with the attached example file as a parameter,
or start fontforge and then open the same file in the graphical interface.

-- System Information:
Debian Release: squeeze/sid
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fontforge depends on:
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcairo2               1.8.10-6         The Cairo 2D vector graphics libra
ii  libfontconfig1          2.8.0-2.1        generic font configuration library
ii  libfontforge1           0.0.20100501-2   font editor - runtime library
ii  libfreetype6            2.4.2-2.1        FreeType 2 font engine, shared lib
ii  libgdraw4               0.0.20100501-2   font editor - runtime graphics and
ii  libgif4                 4.1.6-9          library for GIF images (library)
ii  libglib2.0-0            2.24.2-1         The GLib library of C routines
ii  libice6                 2:1.0.6-2        X11 Inter-Client Exchange library
ii  libjpeg62               6b1-1            The Independent JPEG Group's JPEG
ii  libpango1.0-0           1.28.3-1         Layout and rendering of internatio
ii  libpng12-0              1.2.44-1         PNG library - runtime
ii  libpython2.6            2.6.6-6          Shared Python runtime library (ver
ii  libsm6                  2:1.1.1-1        X11 Session Management library
ii  libspiro0               20071029-2       a library for curve design
ii  libtiff4                3.9.4-5          Tag Image File Format (TIFF) libra
ii  libuninameslist0        0.0.20091231-1   a library of Unicode annotation da
ii  libx11-6                2:1.3.3-4        X11 client-side library
ii  libxft2                 2.1.14-2         FreeType-based font drawing librar
ii  libxml2                 2.7.8.dfsg-1     GNOME XML library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

fontforge recommends no packages.

Versions of packages fontforge suggests:
pn  autotrace                     <none>     (no description available)
pn  fontforge-doc                 <none>     (no description available)
pn  fontforge-extras              <none>     (no description available)
pn  potrace                       <none>     (no description available)
pn  python-fontforge              <none>     (no description available)

-- no debconf information

-- 
Ulrik | Underground Stockholm | http://underground-stockholm.com/
-------------- next part --------------
STARTFONT 2.1
FONT -gnu-unifont-medium-r-normal--16-160-75-75-c-80-iso10646-1
SIZE 16 75 75
CHARSET_REGISTRY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FONTBOUNDINGBOX 16 16 0 -2
STARTPROPERTIES 2
FONT_ASCENT 14
FONT_DESCENT 2
ENDPROPERTIES
CHARS 1
STARTCHAR U+0041
ENCODING 65
SWIDTH 500 0
DWIDTH 8 0
BBX 8 16 0 -2
BITMAP 
00
00
00
00
18
24
24
42
42
7E
42
42
42
42
00
00
ENDCHAR
ENDFONT


More information about the Pkg-fonts-bugs mailing list