Bug 7397

Summary: buffer overflow in libXfont
Product: xorg
Component: Lib/Xfont
Version: git
Hardware: All
OS: All
Status: RESOLVED FIXED
Severity: normal
Priority: high
Reporter: Matthieu Herrb <matthieu.herrb>
Assignee: Matthieu Herrb <matthieu.herrb>
QA Contact:
CC: alan.coopersmith
URL: http://marc.theaimsgroup.com/?l=openbsd-tech&m=115179562804468&w=2
Attachments: proposed patch (flags: none)

Description Matthieu Herrb 2006-07-02 10:09:30 UTC
Thorsten Glaser reported this to the OpenBSD tech mailing list:

When trying to use the Dark Garden font
(http://switch.dl.sourceforge.net/sourceforge/darkgarden/darkgarden-1.1.ttf.zip)
as a server-side font, it crashes the X server because gcc's stack protector
(ProPolice) detects a stack overflow.

I've been able to confirm this bug.

It appears to be caused by FTGetEnglishName(), which doesn't correctly
nul-terminate its output buffer when it truncates it because the input string
(here the font's copyright) is too long.

This is probably not exploitable, but I'd appreciate if someone else could have
a look. 

The issue is public on OpenBSD's mailing list.
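The defect class the description names, truncating a copy into a fixed-size buffer without writing the terminating NUL, shown beside the corrected pattern. This is an added illustration, not libXfont's FTGetEnglishName() or the attached patch; NAME_BUF, the function names and the sample string are constructed for this page.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example of the bug class in this report. None of this is
 * libXfont code; NAME_BUF and the function names are hypothetical. */
#define NAME_BUF 16

/* Constructed input: a font "copyright" string longer than NAME_BUF. */
static const char SAMPLE_COPYRIGHT[] =
    "Copyright (c) constructed, deliberately long sample string";

/* Buggy pattern: copies at most n bytes but writes the terminating NUL
 * only when the input fit, so a truncated copy is not a C string. */
size_t copy_name_unterminated(char *dst, size_t n, const char *src)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    if (i < n)
        dst[i] = '\0';
    return i;
}

/* Fixed pattern: reserve the last byte for the NUL and always write it. */
size_t copy_name_terminated(char *dst, size_t n, const char *src)
{
    size_t i;
    if (n == 0) return 0;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* 1 if buf holds a NUL within its first n bytes. Without one, a later
 * strlen()/strcpy() on buf reads past its end, which is how a truncated
 * name can turn into the overrun the stack protector caught. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Run one variant on the constructed input; returns its is_terminated(). */
int check_variant(size_t (*copy)(char *, size_t, const char *))
{
    char buf[NAME_BUF];
    memset(buf, 'X', sizeof buf); /* no stray NUL to mask the defect */
    copy(buf, sizeof buf, SAMPLE_COPYRIGHT);
    return is_terminated(buf, sizeof buf);
}
```

check_variant() returns 0 for the buggy copy and 1 for the fixed one on the same oversized input; it is the property a regression test for this report would assert.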
Comment 1 Matthieu Herrb 2006-07-02 10:10:14 UTC
Created attachment 6099
proposed patch
Comment 2 Adam Jackson 2006-07-13 07:18:58 UTC
Clearly correct, applied.  Doesn't look exploitable though.
