[Pkg-fonts-bugs] Bug#605537: fontforge: buffer overflow when opening .BDF files
Ulrik Persson
ddefrostt at gmail.com
Tue Nov 30 23:17:39 UTC 2010
Subject: fontforge: buffer overflow when opening .BDF files
Package: fontforge
Version: 0.0.20100501-2
Severity: important
Tags: security
Hello,
I have found a buffer overflow in fontforge when opening .BDF files. It is
a stack-based buffer overflow with full control over EIP, and it occurs
when parsing too long "CHARSET_REGISTRY" lines.
To reproduce, start fontforge with the attached example file as a parameter,
or start fontforge and then open the same file in the graphical interface.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages fontforge depends on:
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libcairo2 1.8.10-6 The Cairo 2D vector graphics libra
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfontforge1 0.0.20100501-2 font editor - runtime library
ii libfreetype6 2.4.2-2.1 FreeType 2 font engine, shared lib
ii libgdraw4 0.0.20100501-2 font editor - runtime graphics and
ii libgif4 4.1.6-9 library for GIF images (library)
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libice6 2:1.0.6-2 X11 Inter-Client Exchange library
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libpango1.0-0 1.28.3-1 Layout and rendering of internatio
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libpython2.6 2.6.6-6 Shared Python runtime library (ver
ii libsm6 2:1.1.1-1 X11 Session Management library
ii libspiro0 20071029-2 a library for curve design
ii libtiff4 3.9.4-5 Tag Image File Format (TIFF) libra
ii libuninameslist0 0.0.20091231-1 a library of Unicode annotation da
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libxft2 2.1.14-2 FreeType-based font drawing librar
ii libxml2 2.7.8.dfsg-1 GNOME XML library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
fontforge recommends no packages.
Versions of packages fontforge suggests:
pn autotrace <none> (no description available)
pn fontforge-doc <none> (no description available)
pn fontforge-extras <none> (no description available)
pn potrace <none> (no description available)
pn python-fontforge <none> (no description available)
-- no debconf information
--
Ulrik | Underground Stockholm | http://underground-stockholm.com/
-------------- next part --------------
STARTFONT 2.1
FONT -gnu-unifont-medium-r-normal--16-160-75-75-c-80-iso10646-1
SIZE 16 75 75
CHARSET_REGISTRY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FONTBOUNDINGBOX 16 16 0 -2
STARTPROPERTIES 2
FONT_ASCENT 14
FONT_DESCENT 2
ENDPROPERTIES
CHARS 1
STARTCHAR U+0041
ENCODING 65
SWIDTH 500 0
DWIDTH 8 0
BBX 8 16 0 -2
BITMAP
00
00
00
00
18
24
24
42
42
7E
42
42
42
42
00
00
ENDCHAR
ENDFONT
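A bounded parser for the CHARSET_REGISTRY property, added here to show how this bug class is closed; it is not fontforge's code, and REGISTRY_MAX, parse_charset_registry, registry_value_len and overlong_registry_line are hypothetical names chosen for the illustration. The overlong line it builds mirrors the shape of the attached reproducer.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed size for the registry buffer; a stand-in for whatever
 * size a fixed stack buffer might have, not a value taken from fontforge. */
#define REGISTRY_MAX 64

/* The pattern behind this bug class, shown only for contrast:
 *     char registry[REGISTRY_MAX];
 *     sscanf(line, "CHARSET_REGISTRY %s", registry);
 * "%s" has no width bound, so an overlong value writes past `registry`
 * and over the saved return address on the stack. */

/* Hardened parse of a "CHARSET_REGISTRY <value>" line. The value is copied
 * into out (outsz bytes) only if it fits together with its NUL terminator;
 * anything longer is rejected rather than silently truncated. Returns the
 * value length, or -1 if the line is not a CHARSET_REGISTRY line, has no
 * value, or the value does not fit. */
int parse_charset_registry(const char *line, char *out, size_t outsz)
{
    static const char key[] = "CHARSET_REGISTRY";
    const size_t klen = sizeof key - 1;
    if (strncmp(line, key, klen) != 0) return -1;
    const char *val = line + klen;
    if (*val != ' ' && *val != '\t') return -1;     /* key must end here */
    while (*val == ' ' || *val == '\t') val++;
    size_t vlen = strcspn(val, " \t\r\n");          /* token ends at blank/EOL */
    if (vlen == 0 || outsz == 0 || vlen >= outsz) return -1;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Convenience: parse into a REGISTRY_MAX-byte stack buffer and report the
 * result; with the bound in place an overlong value never reaches memcpy. */
int registry_value_len(const char *line)
{
    char registry[REGISTRY_MAX];
    return parse_charset_registry(line, registry, sizeof registry);
}

/* Constructed input in the shape of the attached reproducer: the key
 * followed by 300 'A's, far past REGISTRY_MAX. */
const char *overlong_registry_line(void)
{
    static char line[16 + 1 + 300 + 1];
    memcpy(line, "CHARSET_REGISTRY ", 17);
    memset(line + 17, 'A', 300);
    line[17 + 300] = '\0';
    return line;
}
```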