Package: t1utils
Version: 1.40-1

t1disasm crashes on the attached file:

$ t1disasm overflow.pfb > /dev/null
t1disasm: overflow.pfb corrupted: block short by 808463502 bytes at position 1176
Segmentation fault

GDB says it's integer overflow in line length calculation:

(gdb) bt
#0  0xf7e7a7ad in two_way_short_needle (needle_len=13, needle=<optimized out>, haystack_len=4294967295, haystack=0xffffd5fd "/", '0' <repeats 93 times>) at str-two-way.h:312
#1  __GI___memmem (haystack_start=0xffffd5fd, haystack_len=4294967295, needle_start=<optimized out>, needle_len=13) at memmem.c:72
#2  0x5655af1b in eexec_line (line=0xffffd5fd "/", '0' <repeats 93 times>, line_len=-1) at t1disasm.c:388
#3  0x5655b497 in eexec_line (line=0xffffd5d6 "2 index /CharStrings 2 dict dup begin\n /", '0' <repeats 93 times>, line_len=38) at t1disasm.c:396
#4  0x5655bc5a in disasm_output_binary (data=0xffffd260 "dup\n/Private 16 dict dup begin\n/RD{string currentfile exch readstring pop}executeonly def\n/ND{noaccess def}executeonly def\n/NP{noaccess put}executeonly def\n/MinFeature{16 16}ND\n/password 5839 def\n/Uni"..., len=926) at t1disasm.c:539
#5  0x5655a9db in process_pfb (ifp=0x565621c0, ifp_filename=0xffffd947 "overflow.pfb", fr=0xffffd6a0) at t1lib.c:297
#6  0x56555f76 in main (argc=<optimized out>, argv=<optimized out>) at t1disasm.c:716
(gdb) up 3
#3  0x5655b497 in eexec_line (line=0xffffd5d6 "2 index /CharStrings 2 dict dup begin\n /", '0' <repeats 93 times>, line_len=38) at t1disasm.c:396
396	    return eexec_line((unsigned char *) (CharStrings + 12 + n - 1), line_len - len);
(gdb) print line_len
$1 = 38
(gdb) print len
$2 = 39
(gdb) print line_len - len
$3 = -1

Found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages t1utils depends on:
ii  libc6  2.24-12

-- 
Jakub Wilk
[Attachment: overflow.pfb.gz (application/gzip)]
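The length arithmetic the backtrace shows, as an added example that is neither t1utils' code nor the reporter's: a constructed model of a line parser that locates "/CharStrings <n> dict dup begin" inside one logical line, measures the consumed prefix with a scanner that is not bounded by line_len, and hands line_len - consumed to the next stage. With a 38-byte line and a 39-byte consumed prefix (the values printed in frame #3) the remainder is -1, and an int of -1 converted to memmem()'s size_t haystack_len is SIZE_MAX, which is the 4294967295 seen in frames #0 and #1 on i386. The sample buffer, the names SAMPLE, consumed_unbounded, remaining_unchecked, as_haystack_len and remaining_checked, and the choice of sscanf() as the scanner are assumptions made for illustration; the hardened variant shows the bounds check a caller needs before recursing.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/*
 * Hypothetical model of the bug pattern (not t1utils' code): `line` is one
 * logical line of `line_len` bytes that sits inside a larger buffer, so the
 * bytes after the '\n' belong to the *next* line. A scanner that stops only
 * at whitespace/NUL, not at line_len, can report a consumed prefix longer
 * than the line itself.
 */

/* Constructed sample: the line under inspection followed by the start of
 * the next line, laid out as they would be in the decrypted eexec block. */
static const char SAMPLE[] =
    "2 index /CharStrings 2 dict dup begin\n"
    " /0000000000 dup 0 RD ...";
#define SAMPLE_LINE_LEN 38   /* bytes up to and including the '\n' */

/* Bytes consumed from `line` through "dup begin" and any following
 * whitespace. sscanf()'s %n counts characters matched in the whole buffer;
 * the trailing blank in the format eats the '\n' and the ' ' of the next
 * line, so a 38-byte line yields 39. Returns -1 if the pattern is absent. */
int consumed_unbounded(const char *line) {
    const char *cs = strstr(line, "/CharStrings");
    int count = 0, n = 0;
    if (cs == NULL)
        return -1;
    if (sscanf(cs + 12, "%d dict dup begin %n", &count, &n) != 1)
        return -1;
    return (int)(cs - line) + 12 + n;
}

/* Unchecked remainder, as in `line_len - len` in the backtrace: trusts that
 * the consumed prefix lies inside the line and goes negative when it does not. */
int remaining_unchecked(int line_len, int consumed) {
    return line_len - consumed;
}

/* What a size_t parameter (memmem()'s haystack_len, memcpy()'s n, ...)
 * receives when a negative int remainder is passed to it: -1 -> SIZE_MAX,
 * i.e. 4294967295 on i386 and 18446744073709551615 on 64-bit targets. */
size_t as_haystack_len(int remaining) {
    return (size_t)remaining;
}

/* Hardened remainder: returns 1 and stores the remainder in *rest (if rest
 * is non-NULL) only when 0 <= consumed <= line_len; returns 0 otherwise so
 * the caller can reject the input instead of recursing with a bad length. */
int remaining_checked(int line_len, int consumed, int *rest) {
    if (line_len < 0 || consumed < 0 || consumed > line_len)
        return 0;
    if (rest != NULL)
        *rest = line_len - consumed;
    return 1;
}

int main(void) {
    int consumed = consumed_unbounded(SAMPLE);
    int rest = 0;
    if (consumed < 0) {
        puts("pattern not found");
        return 1;
    }
    int rem = remaining_unchecked(SAMPLE_LINE_LEN, consumed);
    printf("line_len=%d consumed=%d unchecked remainder=%d -> size_t %zu\n",
           SAMPLE_LINE_LEN, consumed, rem, as_haystack_len(rem));
    if (remaining_checked(SAMPLE_LINE_LEN, consumed, &rest))
        printf("checked remainder=%d\n", rest);
    else
        puts("checked: rejected, consumed prefix overruns the line");
    return 0;
}
```

The fix is not to clamp the negative result but to refuse the slice whenever consumed exceeds line_len, and to make the scanner itself stop at line + line_len; any length that reaches a size_t parameter must already be known to be non-negative.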