Subject: fontforge: buffer overflow when opening .BDF files
Package: fontforge
Version: 0.0.20100501-2
Severity: important
Tags: security
Hello,

I have found a buffer overflow in fontforge when opening .BDF files. It is a stack-based buffer overflow with full control over EIP, and it occurs when parsing too long "CHARSET_REGISTRY" lines.

To reproduce, start fontforge with the attached example file as a parameter, or start fontforge and then open the same file in the graphical interface.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fontforge depends on:
ii  libc6             2.11.2-7          Embedded GNU C Library: Shared lib
ii  libcairo2         1.8.10-6          The Cairo 2D vector graphics libra
ii  libfontconfig1    2.8.0-2.1         generic font configuration library
ii  libfontforge1     0.0.20100501-2    font editor - runtime library
ii  libfreetype6      2.4.2-2.1         FreeType 2 font engine, shared lib
ii  libgdraw4         0.0.20100501-2    font editor - runtime graphics and
ii  libgif4           4.1.6-9           library for GIF images (library)
ii  libglib2.0-0      2.24.2-1          The GLib library of C routines
ii  libice6           2:1.0.6-2         X11 Inter-Client Exchange library
ii  libjpeg62         6b1-1             The Independent JPEG Group's JPEG
ii  libpango1.0-0     1.28.3-1          Layout and rendering of internatio
ii  libpng12-0        1.2.44-1          PNG library - runtime
ii  libpython2.6      2.6.6-6           Shared Python runtime library (ver
ii  libsm6            2:1.1.1-1         X11 Session Management library
ii  libspiro0         20071029-2        a library for curve design
ii  libtiff4          3.9.4-5           Tag Image File Format (TIFF) libra
ii  libuninameslist0  0.0.20091231-1    a library of Unicode annotation da
ii  libx11-6          2:1.3.3-4         X11 client-side library
ii  libxft2           2.1.14-2          FreeType-based font drawing librar
ii  libxml2           2.7.8.dfsg-1      GNOME XML library
ii  zlib1g            1:1.2.3.4.dfsg-3  compression library - runtime

fontforge recommends no packages.
Versions of packages fontforge suggests:
pn  autotrace         <none>            (no description available)
pn  fontforge-doc     <none>            (no description available)
pn  fontforge-extras  <none>            (no description available)
pn  potrace           <none>            (no description available)
pn  python-fontforge  <none>            (no description available)

-- no debconf information

-- 
Ulrik | Underground Stockholm | http://underground-stockholm.com/
STARTFONT 2.1
FONT -gnu-unifont-medium-r-normal--16-160-75-75-c-80-iso10646-1
SIZE 16 75 75
CHARSET_REGISTRY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FONTBOUNDINGBOX 16 16 0 -2
STARTPROPERTIES 2
FONT_ASCENT 14
FONT_DESCENT 2
ENDPROPERTIES
CHARS 1
STARTCHAR U+0041
ENCODING 65
SWIDTH 500 0
DWIDTH 8 0
BBX 8 16 0 -2
BITMAP
00
00
00
00
18
24
24
42
42
7E
42
42
42
42
00
00
ENDCHAR
ENDFONT
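The bug class the report describes, an unbounded copy of a BDF property value into a fixed-size stack buffer, shown as an added example next to a bounded parser that refuses over-long CHARSET_REGISTRY values and a triage helper that counts such lines in a file. This is illustrative code, not fontforge's; REG_MAX is an assumed buffer size, since the report does not state the real one.

```c
#include <stddef.h>
#include <string.h>

/* Assumed destination size; the report does not state fontforge's real one. */
#define REG_MAX 64

/* Unsafe pattern (the bug class in the report, not fontforge's actual code):
 *     char reg[REG_MAX];
 *     sscanf(line, "CHARSET_REGISTRY %s", reg);   // %s has no width limit
 * A value of REG_MAX or more bytes overwrites the stack past reg[], which
 * is how the saved return address (EIP in the report) ends up controlled. */

/* Bounded parser. Returns 1 and fills out[] for a CHARSET_REGISTRY line whose
 * value fits in outsz bytes, -1 for such a line with an empty or over-long
 * value (refused, never truncated), 0 for any other line. The line may be
 * terminated by '\n' or '\0', so it can point into a whole-file buffer. */
int parse_charset_registry(const char *line, char *out, size_t outsz)
{
    static const char key[] = "CHARSET_REGISTRY";
    const size_t klen = sizeof key - 1;
    if (strncmp(line, key, klen) != 0) return 0;
    if (line[klen] != ' ' && line[klen] != '\t') return 0;
    const char *p = line + klen;
    while (*p == ' ' || *p == '\t') ++p;
    size_t n = strcspn(p, " \t\r\n");          /* length of the value token */
    if (n == 0 || n >= outsz) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Triage helper: walk BDF text line by line and count CHARSET_REGISTRY
 * values that would not fit in REG_MAX bytes (0 means the file looks safe
 * with respect to this particular property). */
int count_oversized_registry(const char *bdf)
{
    char reg[REG_MAX];
    int bad = 0;
    for (const char *p = bdf; *p; ) {
        if (parse_charset_registry(p, reg, sizeof reg) < 0) ++bad;
        p += strcspn(p, "\n");                  /* skip to end of this line */
        if (*p == '\n') ++p;
    }
    return bad;
}
```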