Bug 611927 - freetype: write to non-mapped memory in base/ftojbs.c:1563
Summary: freetype: write to non-mapped memory in base/ftojbs.c:1563
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: public=20100624,reported=20100702,sou...
Keywords: Security
Depends On:
Reported: 2010-07-06 21:08 UTC by Vincent Danen
Modified: 2010-07-07 17:45 UTC
CC: 5 users

Clone Of:
Last Closed: 2010-07-07 17:45:18 UTC


Description Vincent Danen 2010-07-06 21:08:03 UTC
Robert Swiecki reported a possibly exploitable write to non-mapped memory in the way freetype handles certain fonts [1].

The original report has two sample font files that caused the tested version to crash with a SIGSEGV (sigsegv16.pfb) and SIGABRT (sigabrt24.ttf).  When reproducing, observed behaviour was:

RHEL3 (freetype 2.1.4): pass on both files
RHEL4 (freetype 2.1.9): crashes (segfault) on both files
RHEL5 (freetype 2.2.1): crashes (segfault) on sigsegv16.pfb only
Fedora (freetype 2.3.11): crashes (segfault) on sigsegv16.pfb only

The upstream bug report claims this may be potentially exploitable for more than just a crash.  A patch was posted to correct the issue [2].  This needs to be looked at to determine whether or not this can be exploited to execute arbitrary code.

[1] http://savannah.nongnu.org/bugs/index.php?30248
[2] http://savannah.nongnu.org/bugs/download.php?file_id=20815

Comment 4 Josh Bressers 2010-07-07 17:45:18 UTC
I'm going to close this bug and file individual bugs for each freetype flaw found (there are several).
