Bug 235479 (CVE-2007-3506)
| Field | Value |
|---|---|
| Summary | CVE-2007-3506 Embolden rendering with an sbit font makes glibc detected. |
| Product | Fedora |
| Component | freetype |
| Version | rawhide |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | high |
| Priority | medium |
| Keywords | Security |
| Reporter | sangu \<sangu.fedora\> |
| Assignee | Behdad Esfahbod \<behdad\> |
| QA Contact | Brock Organ \<borgan\> |
| Fixed In Version | 2.3.4-1.fc7 |
| Doc Type | Bug Fix |
| Last Closed | 2007-04-11 14:22:14 UTC |
Description
sangu
2007-04-06 03:33:33 UTC
maybe embolden bug?

1. Load an sbit font with ftview
2. Change the font size to 14 in ftview.
3. Click the space bar in ftview (rendering emboldened text)

```
$ ftview ppem /usr/share/fonts/hanyang/Dotum.ttf
*** glibc detected *** ftview: free(): invalid next size (fast): 0x0841e0e8 ***
======= Backtrace: =========
/lib/libc.so.6[0x48dbed]
/lib/libc.so.6(cfree+0x90)[0x491210]
/usr/lib/libfreetype.so.6[0x37808d]
/usr/lib/libfreetype.so.6(ft_mem_free+0x1a)[0x37b86a]
/usr/lib/libfreetype.so.6(FT_Bitmap_Done+0x39)[0x381329]
/usr/lib/libfreetype.so.6[0x382256]
/usr/lib/libfreetype.so.6(FT_Done_Glyph+0x34)[0x382354]
ftview[0x804c6fa]
ftview[0x804b12b]
/lib/libc.so.6(__libc_start_main+0xe0)[0x43bef0]
ftview[0x8049971]
```

What is an sbit font, btw? An sbit font is a TrueType font that only includes bitmap data.

And this problem was fixed in freetype cvs.

--- freetype-2.3.3/src/base/ftbitmap.c.orig 2007-03-29 16:20:32.000000000 +0900
+++ freetype-2.3.3/src/base/ftbitmap.c 2007-04-06 19:25:03.000000000 +0900
@@ -149,15 +149,15 @@ if ( bit_last < bit_width ) { FT_Byte* line = bitmap->buffer + ( bit_last >> 3 ); + FT_Byte* end = bitmap->buffer + pitch; FT_Int shift = bit_last & 7; FT_UInt mask = 0xFF00U >> shift; FT_Int count = height; - for ( ; count > 0; count--, line += pitch ) + for ( ; count > 0; count--, line += pitch, end += pitch ) { FT_Byte* write = line; - FT_Byte* end = line + pitch; if ( shift > 0 ) A new freetype release will be made tomorrow... |
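Review bot: the removed line `FT_Byte* end = line + pitch;` computes the row end from `line`, which already carries the `bit_last >> 3` byte offset, so `end` overshoots every row by that many bytes and, on the last of the `height` iterations, points past the bitmap allocation; that is the heap write behind the `free(): invalid next size` abort in the backtrace. The added `FT_Byte* end = bitmap->buffer + pitch;` together with `end += pitch` in the loop header tracks the true end of each row, which is the right fix. Two things worth doing alongside it: add a regression test that emboldens a bitmap whose `bit_last` is not a multiple of 8 (the overrun is zero when `bit_last >> 3` is zero, so an 8-aligned case would pass both before and after), and note in the commit message that this is a heap buffer overflow reachable from untrusted font data, since the diff alone reads like a cosmetic pointer cleanup.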
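The arithmetic behind the hunk, as an added C model that is not FreeType's code: the same row-tail clearing loop with the pre-patch and post-patch computations of `end` side by side, run over a small constructed bitmap. The loop body after the `if ( shift > 0 )` where the hunk stops (mask the split byte, zero the rest of the row) is assumed, and every write is bounds-checked and counted rather than performed, so the function reports how many bytes the old computation would have written past the buffer.

```c
#include <stddef.h>
#include <string.h>

/* Model of the row-tail clearing loop patched in ftbitmap.c (added example,
 * not FreeType's code; the body after the masking step is assumed). Pixels
 * from bit_last to the end of each row are cleared; use_fixed_end selects the
 * pre-patch (0: line + pitch) or patched (1: buffer + pitch, stepped per row)
 * row-end computation. Out-of-range writes are counted, not performed, so the
 * return value is how many bytes the real loop would write past the buffer. */
size_t clear_row_tails(unsigned char *buffer, size_t buf_len, int pitch,
                       int height, int bit_last, int use_fixed_end)
{
    size_t line = (size_t)(bit_last >> 3);  /* first byte touched in row 0 */
    size_t end  = (size_t)pitch;            /* true end of row 0 (patched) */
    int shift   = bit_last & 7;             /* pixels kept in the split byte */
    unsigned char mask = (unsigned char)(0xFF00U >> shift);
    size_t overrun = 0;
    int count;
    for (count = height; count > 0; count--, line += pitch, end += pitch) {
        size_t write = line;
        /* Pre-patch bug: line already carries the bit_last >> 3 offset, so
         * line + pitch reaches into the next row, or past the allocation. */
        size_t row_end = use_fixed_end ? end : line + (size_t)pitch;
        if (shift > 0) {
            if (write < buf_len) buffer[write] &= mask; else overrun++;
            write++;
        }
        for (; write < row_end; write++) {
            if (write < buf_len) buffer[write] = 0; else overrun++;
        }
    }
    return overrun;
}

/* Constructed 4-byte-pitch, 3-row bitmap, every pixel set, bit_last = 13
 * (one whole byte plus five pixels kept per row). */
static unsigned char demo_bmp[12];
size_t demo_overrun(int use_fixed_end)
{
    memset(demo_bmp, 0xFF, sizeof demo_bmp);
    return clear_row_tails(demo_bmp, sizeof demo_bmp, 4, 3, 13, use_fixed_end);
}

int demo_row1_first_byte(int use_fixed_end)   /* 0xFF intact, 0x00 clobbered */
{
    demo_overrun(use_fixed_end);
    return demo_bmp[4];
}
```

With the pre-patch row end the model reports one byte written past the 12-byte buffer and the first byte of row 1 zeroed; with the patched row end it reports none and row 1 is intact.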