Package: t1utils
Version: 1.39-2

The eexec_line() function runs strstr(3) on a string that is not always null-terminated, which makes it read past the allocated buffer.
To reproduce, rebuild the package with DEB_BUILD_OPTIONS='sanitize=+address nostrip', and run:
$ t1disasm bad.pfb
t1disasm: bad.pfb corrupted: block short by 808464427 bytes at position 6
t1disasm: bad.pfb corrupted: no end-of-file marker
=================================================================
==5796==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a03b80 at pc 0xf716d6d9 bp 0xffa13e58 sp 0xffa13a30
READ of size 1025 at 0xf4a03b80 thread T0
    #0 0xf716d6d8  (/usr/lib/i386-linux-gnu/libasan.so.3+0x3a6d8)
    #1 0xf716daf8 in __interceptor_strstr (/usr/lib/i386-linux-gnu/libasan.so.3+0x3aaf8)
    #2 0x56618662 in set_lenIV t1asmhelp.h:13
    #3 0x56618662 in eexec_line t1disasm.c:421
    #4 0x56619f25 in disasm_output_ascii t1disasm.c:452
    #5 0x5661a38d in disasm_output_end t1disasm.c:570
    #6 0x56616f9c in process_pfb t1lib.c:318
    #7 0x56609bbd in main t1disasm.c:733
    #8 0xf6f94275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #9 0x56609da5  (/usr/bin/t1disasm+0x2da5)

0xf4a03b80 is located 0 bytes to the right of 1024-byte region [0xf4a03780,0xf4a03b80)
allocated by thread T0 here:
    #0 0xf71f11f4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xbe1f4)
    #1 0x5661803a in append_save t1disasm.c:291
    #2 0x5661758e in process_pfb t1lib.c:297
    #3 0x56609bbd in main t1disasm.c:733
    #4 0xf6f94275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)

-- 
Jakub Wilk
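The bug class in the report, as a constructed C example that is not t1utils' code and not part of the bug report: a heap buffer filled to capacity with no terminating NUL is handed to strstr(3), which has no length argument and scans until it meets a zero byte, so on such a buffer it reads past the allocation (the 1025-byte read of a 1024-byte region above). The `bounded_find`, `unsafe_find` and `copy_terminated` helpers and the `/lenIV` needle are assumptions made for illustration; the two safe variants are a length-bounded search and a NUL-terminated copy with one spare byte.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not t1utils' own code. It models the bug class in the
   report: a heap buffer filled to capacity with no terminating NUL, then handed
   to strstr(3), which scans until it finds a NUL and so reads past the
   allocation. The "/lenIV" marker is only an assumed needle for illustration. */

/* Bounded substring search over exactly hlen bytes of hay. Never dereferences
   hay[hlen] or beyond, so it is safe on unterminated buffers.
   Returns the offset of the first match, or -1 if absent. */
long bounded_find(const char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0)
        return 0;
    if (nlen > hlen)
        return -1;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        if (memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    }
    return -1;
}

/* The unsafe pattern: strstr() relies on a NUL terminator. On a buffer that
   lacks one it keeps reading until it happens to hit a zero byte, which is the
   heap-buffer-overflow read that AddressSanitizer reports. */
long unsafe_find(const char *hay, const char *needle)
{
    const char *p = strstr(hay, needle);
    return p ? (long)(p - hay) : -1;
}

/* The other fix: allocate one byte more than the data and always terminate,
   after which the str* family is safe to use on the copy. */
char *copy_terminated(const char *src, size_t len)
{
    char *buf = malloc(len + 1);            /* +1 for the NUL */
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed input: exactly 16 bytes, filled to capacity, no NUL inside
       the allocation (a small stand-in for the 1024-byte region in the report). */
    const char raw[] = "dup /lenIV 4 def";    /* 16 characters */
    size_t len = sizeof raw - 1;
    char *line = malloc(len);
    if (line == NULL)
        return 1;
    memcpy(line, raw, len);                  /* terminator deliberately not copied */

    /* Safe: the search is bounded by the known length. */
    printf("bounded_find: offset %ld\n", bounded_find(line, len, "/lenIV"));

    /* Also safe: work on a NUL-terminated copy. */
    char *term = copy_terminated(line, len);
    if (term != NULL) {
        printf("unsafe_find on terminated copy: offset %ld\n",
               unsafe_find(term, "/lenIV"));
        free(term);
    }

    /* unsafe_find(line, "/lenIV") is deliberately NOT called here: with no NUL
       in the 16-byte allocation it would read past the end, exactly the
       condition AddressSanitizer flagged in t1disasm. */
    free(line);
    return 0;
}
```

Building the example with `-fsanitize=address` and uncommenting a call of `unsafe_find(line, "/lenIV")` reproduces the same kind of "heap-buffer-overflow ... READ" report, with `__interceptor_strstr` at the top of the stack, which is the quickest way to confirm that a length-bounded search or a terminated copy actually removes the finding.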
Attachment: bad.pfb (application/font)