Bug 7535 - Freetype2 pcf font problem also affects libXfont
Summary: Freetype2 pcf font problem also affects libXfont
Alias: None
Product: xorg
Classification: Unclassified
Component: Fonts/other (show other bugs)
Version: git
Hardware: x86 (IA32) OpenBSD
: high normal
Assignee: Matthieu Herrb
QA Contact:
Depends on:
Reported: 2006-07-15 11:11 UTC by Matthieu Herrb
Modified: 2006-07-23 14:03 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Bad font that triggers the bug (63.95 KB, application/octet-stream)
2006-07-15 11:13 UTC, Matthieu Herrb
no flags Details
proposed patch (4.02 KB, patch)
2006-07-15 11:14 UTC, Matthieu Herrb
no flags Details | Splinter Review

Description Matthieu Herrb 2006-07-15 11:11:40 UTC
From Marcus Meissner:

Not sure if you got this report already.

Matthew Barnes of Redhat reported a freetype2 crash, which Werner
Lemberg of freetype2 also thought affects X own PCF reader.

I confirmed this, my X.Org server crashes as soon as I (as
the logged in X user) do:
	xset +fp ~/badfont/
with a SIGSEGV in strlen().

It is unclear if this problem can be exploited to execute code (it
crashes in a strlen() for me), but a crashing X server is not good either.

Werner Lemberg of freetype2 also writes:
"BTW, I've looked into the code of XFree86 4.3.0 (this is what I've
unpacked at home), and I see that there's virtually no protection against
malformed PCF -- our PCF developer originally took most of the code from

Confirmed here.
Comment 1 Matthieu Herrb 2006-07-15 11:13:20 UTC
Created attachment 6230 [details]
Bad font that triggers the bug
Comment 2 Matthieu Herrb 2006-07-15 11:14:41 UTC
Created attachment 6231 [details] [review]
proposed patch
Comment 3 Matthieu Herrb 2006-07-23 13:12:41 UTC
This has been affected CVE-2006-3467 
Comment 4 Matthieu Herrb 2006-07-23 13:27:10 UTC
This is public
Comment 5 Matthieu Herrb 2006-07-23 13:42:26 UTC
Perhaps not all the information is public
Comment 6 Matthieu Herrb 2006-07-23 13:58:04 UTC
Yes it is public
Comment 7 Matthieu Herrb 2006-07-23 14:03:22 UTC
Patch commited

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.