Bug 7397 - buffer overflow in libXfont
Summary: buffer overflow in libXfont
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xfont
Version: git
Hardware: All All
Importance: high normal
Assignee: Matthieu Herrb
QA Contact:
URL: http://marc.theaimsgroup.com/?l=openb...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-02 10:09 UTC by Matthieu Herrb
Modified: 2006-07-13 07:18 UTC (History)


Attachments
proposed patch (922 bytes, patch)
2006-07-02 10:10 UTC, Matthieu Herrb

Description Matthieu Herrb 2006-07-02 10:09:30 UTC
Thorsten Glaser reported this to the OpenBSD tech mailing list:

When trying to use the Dark garden font
(http://switch.dl.sourceforge.net/sourceforge/darkgarden/darkgarden-1.1.ttf.zip)
as a server-side font, it crashes the X server because gcc's stack protector
(Propolice) detects a stack overflow. 

I've been able to confirm this bug. 

It appears to be caused by FTGetEnglishName() which doesn't correctly
nul-terminate its output buffer when it truncates it because the input string
(here the font's copyright) is too long.

This is probably not exploitable, but I'd appreciate if someone else could have
a look. 

The issue is public on OpenBSD's mailing list.
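
The failure mode described in this report, shown as an added C example that is neither libXfont's code nor the attached patch: a length-bounded copy that fills the whole destination when it truncates, next to a form that always reserves a byte for the terminator. The function names, the 16-byte buffer and the sample string are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16  /* assumed size, small so the constructed input truncates */
typedef size_t (*copier)(const char *, size_t, char *, size_t);

/* Flawed pattern: on truncation all cap bytes hold data and no NUL is written,
 * so a later strlen()/strcpy() on dst runs past the end of the buffer. */
static size_t copy_name_flawed(const char *src, size_t n, char *dst, size_t cap)
{
    size_t len = n < cap ? n : cap;
    memcpy(dst, src, len);
    if (len < cap)
        dst[len] = '\0';          /* only reached when nothing was truncated */
    return len;
}

/* Hardened form: reserve one byte and terminate unconditionally. */
static size_t copy_name_fixed(const char *src, size_t n, char *dst, size_t cap)
{
    size_t len;
    if (cap == 0)
        return 0;
    len = n < cap - 1 ? n : cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Copies src with the given routine and reports whether the result is a valid
 * C string, using a bounded memchr() so the check itself never overreads. */
static int result_is_terminated(copier fn, const char *src)
{
    char buf[NAME_BUF];
    memset(buf, 'X', sizeof buf);  /* non-zero fill, like stale stack contents */
    fn(src, strlen(src), buf, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    const char *notice = "Copyright (c) constructed over-long font notice";
    printf("flawed: terminated=%d\n", result_is_terminated(copy_name_flawed, notice));
    printf("fixed:  terminated=%d\n", result_is_terminated(copy_name_fixed, notice));
    return 0;
}
```
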
Comment 1 Matthieu Herrb 2006-07-02 10:10:14 UTC
Created attachment 6099
proposed patch
Comment 2 Adam Jackson 2006-07-13 07:18:58 UTC
Clearly correct, applied.  Doesn't look exploitable though.

