Bug 7535

Summary: Freetype2 pcf font problem also affects libXfont
Product: xorg
Component: Fonts/other
Reporter: Matthieu Herrb <matthieu.herrb>
Assignee: Matthieu Herrb <matthieu.herrb>
Status: RESOLVED FIXED
Severity: normal
Priority: high
Version: git
Hardware: x86 (IA32)
OS: OpenBSD

Attachments:
	Bad font that triggers the bug (flags: none)
	proposed patch (flags: none)

Description Matthieu Herrb 2006-07-15 11:11:40 UTC
From Marcus Meissner:

Not sure if you got this report already.

Matthew Barnes of Red Hat reported a freetype2 crash, which Werner
Lemberg of freetype2 also thought affects X's own PCF reader.

I confirmed this, my X.Org server crashes as soon as I (as
the logged in X user) do:
	xset +fp ~/badfont/
	xfontsel
with a SIGSEGV in strlen().

It is unclear if this problem can be exploited to execute code (it
crashes in a strlen() for me), but a crashing X server is not good either.

Werner Lemberg of freetype2 also writes:
"BTW, I've looked into the code of XFree86 4.3.0 (this is what I've
unpacked at home), and I see that there's virtually no protection against
malformed PCF -- our PCF developer originally took most of the code from
 xc/lib/font/bitmap/pcfread.c"

Confirmed here.
Comment 1 Matthieu Herrb 2006-07-15 11:13:20 UTC
Created attachment 6230
Bad font that triggers the bug
Comment 2 Matthieu Herrb 2006-07-15 11:14:41 UTC
Created attachment 6231
proposed patch
Comment 3 Matthieu Herrb 2006-07-23 13:12:41 UTC
This has been assigned CVE-2006-3467
Comment 4 Matthieu Herrb 2006-07-23 13:27:10 UTC
This is public
Comment 5 Matthieu Herrb 2006-07-23 13:42:26 UTC
Perhaps not all the information is public
Comment 6 Matthieu Herrb 2006-07-23 13:58:04 UTC
Yes it is public
Comment 7 Matthieu Herrb 2006-07-23 14:03:22 UTC
Patch committed
