Bug 235479 (CVE-2007-3506) - CVE-2007-3506 Emboldened rendering with an sbit font triggers a "*** glibc detected ***" abort.
Summary: CVE-2007-3506 Emboldened rendering with an sbit font triggers a "*** glibc detected ***" abort.
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2007-3506
Product: Fedora
Classification: Fedora
Component: freetype
Version: rawhide
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Behdad Esfahbod
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-06 03:33 UTC by sangu
Modified: 2007-11-30 22:12 UTC

Fixed In Version: 2.3.4-1.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-11 14:22:14 UTC
Type: ---
Embargoed:



Description sangu 2007-04-06 03:33:33 UTC
Description of problem:
$ firefox 
*** glibc detected *** /usr/lib/firefox-2.0.0.3/firefox-bin: free(): invalid
next size (fast): 0x0abcf330 ***
======= Backtrace: =========
/lib/libc.so.6[0xc92bed]
/lib/libc.so.6(cfree+0x90)[0xc96210]
/usr/lib/libfreetype.so.6[0xb8c08d]
/usr/lib/libfreetype.so.6(ft_mem_free+0x1a)[0xb8f86a]
/usr/lib/libfreetype.so.6(ft_glyphslot_free_bitmap+0x4c)[0xb8fd2c]
/usr/lib/libfreetype.so.6(FT_Load_Glyph+0x40)[0xb90bb0]
/usr/lib/libcairo.so.2[0xa2ef94]
/usr/lib/libcairo.so.2[0xa1edaf]
/usr/lib/libcairo.so.2(cairo_scaled_font_glyph_extents+0xa0)[0xa1fa50]
/usr/lib/libpangocairo-1.0.so.0[0x27cc1c]
/usr/lib/libpango-1.0.so.0(pango_font_get_glyph_extents+0x3e)[0x438c9e]
/usr/lib/pango/1.6.0/modules/pango-hangul-fc.so[0x293f89f]
/usr/lib/pango/1.6.0/modules/pango-hangul-fc.so[0x29401cc]
/usr/lib/pango/1.6.0/modules/pango-hangul-fc.so[0x294055a]
/usr/lib/libpango-1.0.so.0[0x440a3a]
/usr/lib/libpango-1.0.so.0(pango_shape+0xf7)[0x451b47]
/usr/lib/libpango-1.0.so.0[0x44488a]
/usr/lib/libpango-1.0.so.0[0x4474f5]
/usr/lib/libpango-1.0.so.0[0x447a5d]
/usr/lib/libpango-1.0.so.0(pango_layout_get_line+0x2f)[0x449b1f]
/usr/lib/firefox-2.0.0.3/components/libgfx_gtk.so[0x4e79354]
/usr/lib/firefox-2.0.0.3/components/libgfx_gtk.so[0x4e7ada0]
/usr/lib/firefox-2.0.0.3/components/libgfx_gtk.so[0x4e6f90f]
/usr/lib/firefox-2.0.0.3/components/libgfx_gtk.so[0x4e7ff9f]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1360b53]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x136680f]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13427f9]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x133d681]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x133d8f9]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x133dc9d]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13427f9]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314482]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314932]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314bb0]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314dfa]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1315387]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1318206]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13e8e59]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fd2d4]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fb8af]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13feecd]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1400a29]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13f2d45]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13f6e4a]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13f91ae]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fa0b3]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1319c99]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1313cb9]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314cb1]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1315387]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1318206]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13e8e59]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fd2d4]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fb8af]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13feecd]
======= Memory map: ========
00110000-001ec000 r-xp 00000000 08:09 655059     /usr/lib/firefox-2.0.0.3/libxpcom_core.so
001ec000-001f4000 rwxp 000db000 08:09 655059     /usr/lib/firefox-2.0.0.3/libxpcom_core.so
001f4000-001f6000 r-xp 00000000 08:09 7661851    /usr/lib/libplds4.so
001f6000-001f7000 rwxp 00002000 08:09 7661851    /usr/lib/libplds4.so
001f7000-001fb000 r-xp 00000000 08:09 7661850    /usr/lib/libplc4.so
001fb000-001fc000 rwxp 00003000 08:09 7661850    /usr/lib/libplc4.so
001fc000-00212000 r-xp 00000000 08:09 4606778    /usr/lib/libgdk_pixbuf-2.0.so.0.1000.11
00212000-00213000 rwxp 00016000 08:09 4606778    /usr/lib/libgdk_pixbuf-2.0.so.0.1000.11
00215000-00218000 r-xp 00000000 08:09 655057     /usr/lib/firefox-2.0.0.3/libxpcom.so
00218000-00219000 rwxp 00002000 08:09 655057     /usr/lib/firefox-2.0.0.3/libxpcom.so
00219000-0024e000 r-xp 00000000 08:09 7645824    /usr/lib/libnspr4.so
0024e000-0024f000 rwxp 00035000 08:09 7645824    /usr/lib/libnspr4.so
0024f000-00251000 rwxp 0024f000 00:00 0 
00251000-00276000 r-xp 00000000 08:09 7647140    /usr/lib/libpng12.so.0.16.0
00276000-00277000 rwxp 00024000 08:09 7647140    /usr/lib/libpng12.so.0.16.0
00277000-0027f000 r-xp 00000000 08:09 7659195    /usr/lib/libpangocairo-1.0.so.0.1600.1
0027f000-00280000 rwxp 00007000 08:09 7659195    /usr/lib/libpangocairo-1.0.so.0.1600.1
00280000-00282000 r-xp 00000000 08:09 7161180    /lib/libgmodule-2.0.so.0.1200.11
00282000-00283000 rwxp 00002000 08:09 7161180    /lib/libgmodule-2.0.so.0.1200.11
00283000-00287000 r-xp 00000000 08:09 7652807    /usr/lib/libXfixes.so.3.1.0
00287000-00288000 rwxp 00003000 08:09 7652807    /usr/lib/libXfixes.so.3.1.0
00288000-002a3000 r-xp 00000000 08:09 7155191    /lib/ld-2.5.90.so
002a3000-002a4000 r-xp 0001a000 08:09 7155191    /lib/ld-2.5.90.so
002a4000-002a5000 rwxp 0001b000 08:09 7155191    /lib/ld-2.5.90.so
002a5000-0032f000 r-xp 00000000 08:09 4606772    /usr/lib/libgdk-x11-2.0.so.0.1000.11
0032f000-00332000 rwxp 0008a000 08:09 4606772    /usr/lib/libgdk-x11-2.0.so.0.1000.11
00332000-00334000 r-xp 00000000 08:09 7648005    /usr/lib/libXinerama.so.1.0.0
00334000-00335000 rwxp 00001000 08:09 7648005    /usr/lib/libXinerama.so.1.0.0
00335000-00337000 r-xp 00000000 08:09 7647568    /usr/lib/libXau.so.6.0.0
00337000-00338000 rwxp 00001000 08:09 7647568    /usr/lib/libXau.so.6.0.0
00339000-00353000 r-xp 00000000 08:09 7645740    /usr/lib/libatk-1.0.so.0.1809.1
00353000-00355000 rwxp 0001a000 08:09 7645740    /usr/lib/libatk-1.0.so.0.1809.1
00355000-0035d000 r-xp 00000000 08:09 7645468    /usr/lib/libXrender.so.1.3.0
0035d000-0035e000 rwxp 00007000 08:09 7645468    /usr/lib/libXrender.so.1.3.0
0035e000-00365000 r-xp 00000000 08:09 7659147    /usr/lib/libXi.so.6.0.0
00365000-00366000 rwxp 00006000 08:09 7659147    /usr/lib/libXi.so.6.0.0
00366000-0036c000 r-xp 00000000 08:09 7659174    /usr/lib/libXrandr.so.2.1.0
0036c000-0036d000 rwxp 00005000 08:09 7659174    /usr/lib/libXrandr.so.2.1.0
0036d000-00372000 r-xp 00000000 08:09 7659116    /usr/lib/libXdmcp.so.6.0.0
00372000-00373000 rwxp 00004000 08:09 7659116    /usr/lib/libXdmcp.so.6.0.0
00373000-00374000 r-xp 00000000 08:09 3169397    /usr/lib/gconv/ISO8859-1.so
00374000-00376000 rwxp 00000000 08:09 3169397    /usr/lib/gconv/ISO8859-1.so
00377000-00427000 r-xp 00000000 08:09 655056     /usr/lib/firefox-2.0.0.3/libmozjs.so
00427000-0042c000 rwxp 000b0000 08:09 655056     /usr/lib/firefox-2.0.0.3/libmozjs.so
0042c000-0046c000 r-xp 00000000 08:09 7654926    /usr/lib/libpango-1.0.so.0.1600.1
0046c000-0046e000 rwxp 0003f000 08:09 7654926    /usr/lib/libpango-1.0.so.0.1600.1
0046e000-00480000 r-xp 00000000 08:09 7160353    /lib/libz.so.1.2.3
00480000-00481000 rwxp 00011000 08:09 7160353    /lib/libz.so.1.2.3
00481000-00483000 r-xp 00000000 08:09 3169445    /usr/lib/gconv/UTF-16.so
00483000-00485000 rwxp 00001000 08:09 3169445    /usr/lib/gconv/UTF-16.so
00487000-0048a000 r-xp 00000000 08:09 7157012    /lib/libdl-2.5.90.so
0048a000-0048b000 r-xp 00002000 08:09 7157012    /lib/libdl-2.5.90.so
0048b000-0048c000 rwxp 00003000 08:09 7157012    /lib/libdl-2.5.90.so
0048c000-00822000 r-xp 00000000 08:09 4606829    /usr/lib/libgtk-x11-2.0.so.0.1000.11
00822000-00828000 rwxp 00396000 08:09 4606829    /usr/lib/libgtk-x11-2.0.so.0.1000.11
00828000-00829000 rwxp 00828000 00:00 0 
0082a000-0083e000 r-xp 00000000 08:09 7155282    /lib/libpthread-2.5.90.so
0083e000-0083f000 r-xp 00013000 08:09 7155282    /lib/libpthread-2.5.90.so
0083f000-00840000 rwxp 00014000 08:09 7155282    /lib/libpthread-2.5.90.so
00840000-00842000 rwxp 00840000 00:00 0 
00842000-00880000 r-xp 00000000 08:09 7161184    /lib/libgobject-2.0.so.0.1200.11
00880000-00881000 rwxp 0003e000 08:09 7161184    /lib/libgobject-2.0.so.0.1200.11
00881000-0091f000 r-xp 00000000 08:09 7160913    /lib/libglib-2.0.so.0.1200.11
0091f000-00920000 rwxp 0009d000 08:09 7160913    /lib/libglib-2.0.so.0.1200.11
00920000-00947000 r-xp 00000000 08:09 7157014    /lib/libm-2.5.90.so
00947000-00948000 r-xp 00026000 08:09 7157014    /lib/libm-2.5.90.so
00948000-00949000 rwxp 00027000 08:09 7157014    /lib


Version-Release number of selected component (if applicable):
2.3.3-1.fc7

How reproducible:
always

Steps to Reproduce:
1. 
2.
3.
  
Actual results:


Expected results:


Additional info:
firefox-2.0.0.3-2.fc7
pango-1.16.1-1.fc7
cairo-1.4.2-1.fc7
gtk2-2.10.11-3.fc7

Comment 1 sangu 2007-04-06 04:25:14 UTC
Maybe an embolden bug?
1. Load an sbit font with ftview.
2. Change the font size to 14 in ftview.
3. Press the space bar in ftview (renders emboldened text).

$ ftview ppem /usr/share/fonts/hanyang/Dotum.ttf 
*** glibc detected *** ftview: free(): invalid next size (fast): 0x0841e0e8 ***
======= Backtrace: =========
/lib/libc.so.6[0x48dbed]
/lib/libc.so.6(cfree+0x90)[0x491210]
/usr/lib/libfreetype.so.6[0x37808d]
/usr/lib/libfreetype.so.6(ft_mem_free+0x1a)[0x37b86a]
/usr/lib/libfreetype.so.6(FT_Bitmap_Done+0x39)[0x381329]
/usr/lib/libfreetype.so.6[0x382256]
/usr/lib/libfreetype.so.6(FT_Done_Glyph+0x34)[0x382354]
ftview[0x804c6fa]
ftview[0x804b12b]
/lib/libc.so.6(__libc_start_main+0xe0)[0x43bef0]
ftview[0x8049971]
======= Memory map: ========
00110000-00113000 r-xp 00000000 08:09 7157012    /lib/libdl-2.5.90.so
00113000-00114000 r-xp 00002000 08:09 7157012    /lib/libdl-2.5.90.so
00114000-00115000 rwxp 00003000 08:09 7157012    /lib/libdl-2.5.90.so
00115000-0011d000 r-xp 00000000 08:09 7645468    /usr/lib/libXrender.so.1.3.0
0011d000-0011e000 rwxp 00007000 08:09 7645468    /usr/lib/libXrender.so.1.3.0
0027f000-00283000 r-xp 00000000 08:09 7652807    /usr/lib/libXfixes.so.3.1.0
00283000-00284000 rwxp 00003000 08:09 7652807    /usr/lib/libXfixes.so.3.1.0
002d5000-002d7000 r-xp 00000000 08:09 7647568    /usr/lib/libXau.so.6.0.0
002d7000-002d8000 rwxp 00001000 08:09 7647568    /usr/lib/libXau.so.6.0.0
002d8000-002dd000 r-xp 00000000 08:09 7659116    /usr/lib/libXdmcp.so.6.0.0
002dd000-002de000 rwxp 00004000 08:09 7659116    /usr/lib/libXdmcp.so.6.0.0
002fb000-00322000 r-xp 00000000 08:09 7157014    /lib/libm-2.5.90.so
00322000-00323000 r-xp 00026000 08:09 7157014    /lib/libm-2.5.90.so
00323000-00324000 rwxp 00027000 08:09 7157014    /lib/libm-2.5.90.so
00324000-0032d000 r-xp 00000000 08:09 7652370    /usr/lib/libXcursor.so.1.0.2
0032d000-0032e000 rwxp 00008000 08:09 7652370    /usr/lib/libXcursor.so.1.0.2
00371000-003f4000 r-xp 00000000 08:09 7649033    /usr/lib/libfreetype.so.6.3.14
003f4000-003f8000 rwxp 00082000 08:09 7649033    /usr/lib/libfreetype.so.6.3.14
00426000-00574000 r-xp 00000000 08:09 7155309    /lib/libc-2.5.90.so
00574000-00576000 r-xp 0014e000 08:09 7155309    /lib/libc-2.5.90.so
00576000-00577000 rwxp 00150000 08:09 7155309    /lib/libc-2.5.90.so
00577000-0057a000 rwxp 00577000 00:00 0 
005cd000-005e8000 r-xp 00000000 08:09 7155191    /lib/ld-2.5.90.so
005e8000-005e9000 r-xp 0001a000 08:09 7155191    /lib/ld-2.5.90.so
005e9000-005ea000 rwxp 0001b000 08:09 7155191    /lib/ld-2.5.90.so
006b9000-006c4000 r-xp 00000000 08:09 7155192    /lib/libgcc_s-4.1.2-20070403.so.1
006c4000-006c5000 rwxp 0000a000 08:09 7155192    /lib/libgcc_s-4.1.2-20070403.so.1
00710000-00711000 r-xp 00710000 00:00 0          [vdso]
00b6b000-00b7d000 r-xp 00000000 08:09 7160353    /lib/libz.so.1.2.3
00b7d000-00b7e000 rwxp 00011000 08:09 7160353    /lib/libz.so.1.2.3
00c93000-00d91000 r-xp 00000000 08:09 7649541    /usr/lib/libX11.so.6.2.0
00d91000-00d95000 rwxp 000fe000 08:09 7649541    /usr/lib/libX11.so.6.2.0
08048000-08059000 r-xp 00000000 08:09 7652513    /usr/bin/ftview
08059000-0805a000 rw-p 00011000 08:09 7652513    /usr/bin/ftview
0805a000-0805f000 rw-p 0805a000 00:00 0 
08223000-0843f000 rw-p 08223000 00:00 0 
b7100000-b7121000 rw-p b7100000 00:00 0 
b7121000-b7200000 ---p b7121000 00:00 0 
b7236000-b7e62000 r--p 00000000 08:09 915389     /usr/share/fonts/hanyang/Dotum.ttf
b7e62000-b7f28000 rw-p b7e62000 00:00 0 
b7f3c000-b7f3d000 rw-p b7f3c000 00:00 0 
bf924000-bf93a000 rw-p bf924000 00:00 0

Comment 2 sangu 2007-04-06 05:23:59 UTC
See : http://savannah.nongnu.org/bugs/?19536

Comment 3 Behdad Esfahbod 2007-04-06 07:50:34 UTC
What is an sbit font, btw?

Comment 4 sangu 2007-04-06 11:07:22 UTC
An sbit font is a TrueType font that only includes bitmap data.

And this problem was fixed in FreeType CVS.

--- freetype-2.3.3/src/base/ftbitmap.c.orig     2007-03-29 16:20:32.000000000 +0900
+++ freetype-2.3.3/src/base/ftbitmap.c  2007-04-06 19:25:03.000000000 +0900
@@ -149,15 +149,15 @@
       if ( bit_last < bit_width )
       {
         FT_Byte*  line  = bitmap->buffer + ( bit_last >> 3 );
+        FT_Byte*  end   = bitmap->buffer + pitch;
         FT_Int    shift = bit_last & 7;
         FT_UInt   mask  = 0xFF00U >> shift;
         FT_Int    count = height;
 
 
-        for ( ; count > 0; count--, line += pitch )
+        for ( ; count > 0; count--, line += pitch, end += pitch )
         {
           FT_Byte*  write = line;
-          FT_Byte*  end   = line + pitch;
 
 
           if ( shift > 0 )
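Review bot: the new `FT_Byte* end = bitmap->buffer + pitch;` wants a one-line comment saying why `end` is anchored at the row boundary and stepped with `end += pitch` in the for header, because the form it replaces, `FT_Byte* end = line + pitch;` with `line = bitmap->buffer + ( bit_last >> 3 )`, put the row end `bit_last >> 3` bytes too far, so the clearing loop ran into the following row and, on the last row, past the allocation (the `free(): invalid next size` in the traces above); without that comment the next reader may well fold it back into the loop body as the "simpler" form. One thing to confirm: stepping `end` by `pitch` assumes `pitch` is positive at this point, and if a bottom-up bitmap with a negative pitch can reach this loop, `bitmap->buffer + pitch` points before the buffer; the place where `pitch` is normalised is not visible in the hunk.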


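The loop the patch in comment 4 changes, modelled in C as an added example: this is constructed code, not FreeType's own ftbitmap.c, and the type, function and guard-canary names are mine. It assumes a tightly packed 1-bpp glyph (pitch = ceil(width / 8), so the row has a few unused padding bits whenever width is not a multiple of 8), which is the shape of an embedded-bitmap glyph. In FreeType the loop sits in ft_bitmap_assure_buffer, which FT_Bitmap_Embolden uses, which is why emboldening a glyph from an sbit font reaches it. The buggy variant writes past the allocation by `bit_last >> 3` bytes on the last row, which the canary after the buffer makes visible; the patched variant stops at the real row end and still clears exactly the padding bits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not FreeType's code) of the padding-clearing loop patched in
 * comment 4 (ftbitmap.c, ft_bitmap_assure_buffer): a 1-bpp, MSB-first bitmap of
 * `height` rows of `pitch` bytes, whose bits from `bit_last` to the row end must be
 * zeroed.  fixed == 0 computes the row end as 2.3.3 did, fixed != 0 as the patch. */
typedef struct {
    unsigned char *buffer;  /* first byte of row 0 */
    int            pitch;   /* bytes per row, assumed positive (top-down rows) */
    int            height;  /* number of rows */
} Bitmap1bpp;

static void clear_padding(const Bitmap1bpp *bm, int bit_last, int fixed)
{
    int pitch = bm->pitch;
    if (bit_last < pitch * 8) {
        unsigned char *line  = bm->buffer + (bit_last >> 3); /* byte holding bit_last */
        unsigned char *end   = bm->buffer + pitch;           /* real end of row 0 */
        int            shift = bit_last & 7;
        unsigned int   mask  = 0xFF00U >> shift;             /* keeps the used high bits */
        int            count = bm->height;
        for (; count > 0; count--, line += pitch, end += pitch) {
            unsigned char *write = line;
            /* 2.3.3: `line + pitch` lies (bit_last >> 3) bytes past the real row end, so
             * the memset spills into the next row and, on the last row, past the heap
             * allocation.  The patch anchors `end` on the row boundary instead. */
            unsigned char *stop = fixed ? end : line + pitch;
            if (shift > 0) {
                write[0] = (unsigned char)(write[0] & mask);
                write++;
            }
            if (write < stop)
                memset(write, 0, (size_t)(stop - write));
        }
    }
}

#define GUARD_BYTES 64   /* canary placed right after the bitmap allocation */
#define GUARD_FILL  0xA5

/* Allocates a tightly packed width x height bitmap (pitch = ceil(width / 8), as for
 * an embedded-bitmap glyph) plus GUARD_BYTES of canary, fills the rows with 0xFF,
 * runs the loop with bit_last = width and returns how many canary bytes were
 * overwritten: 0 means no overflow, -1 an allocation failure or oversized pitch. */
int count_guard_bytes_clobbered(int width, int height, int fixed)
{
    int pitch = (width + 7) / 8;
    size_t size = (size_t)height * (size_t)pitch;
    unsigned char *mem;
    Bitmap1bpp bm;
    int i, clobbered = 0;
    if (pitch > GUARD_BYTES)   /* the buggy loop overruns by at most pitch - 1 bytes */
        return -1;
    if ((mem = malloc(size + GUARD_BYTES)) == NULL)
        return -1;
    memset(mem, 0xFF, size);
    memset(mem + size, GUARD_FILL, GUARD_BYTES);
    bm.buffer = mem; bm.pitch = pitch; bm.height = height;
    clear_padding(&bm, width, fixed);
    for (i = 0; i < GUARD_BYTES; i++)
        clobbered += (mem[size + i] != GUARD_FILL);
    free(mem);
    return clobbered;
}

/* Returns 1 if, after the patched loop, every row still has its `width` data bits
 * set and every padding bit cleared; 0 otherwise. */
int padding_is_cleared(int width, int height)
{
    int pitch = (width + 7) / 8;
    size_t size = (size_t)height * (size_t)pitch;
    unsigned char *mem = malloc(size);
    Bitmap1bpp bm;
    int r, b, ok = (mem != NULL);
    if (!ok)
        return 0;
    memset(mem, 0xFF, size);
    bm.buffer = mem; bm.pitch = pitch; bm.height = height;
    clear_padding(&bm, width, 1);
    for (r = 0; r < height && ok; r++)
        for (b = 0; b < pitch * 8; b++) {
            int bit = (mem[(size_t)r * (size_t)pitch + (b >> 3)] >> (7 - (b & 7))) & 1;
            if (bit != (b < width)) { ok = 0; break; }
        }
    free(mem);
    return ok;
}

int main(void)
{
    /* 100-pixel rows pack into 13 bytes: the 2.3.3 loop overruns the last row by
     * 100 >> 3 = 12 bytes, the patched loop by none. */
    printf("2.3.3 loop: %d canary bytes clobbered\n", count_guard_bytes_clobbered(100, 3, 0));
    printf("patched:    %d canary bytes clobbered\n", count_guard_bytes_clobbered(100, 3, 1));
    printf("padding cleared: %s\n", padding_is_cleared(100, 3) ? "yes" : "no");
    return 0;
}
```

The canary only shows the overrun of the last row; the earlier rows are also damaged by the 2.3.3 form, since each row's memset zeroes the first `bit_last >> 3` bytes of the row below it, which is why the model reports data bits only for the patched variant. Building with -fsanitize=address and an allocation without the canary reports the same last-row write as a heap-buffer-overflow.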
Comment 5 Behdad Esfahbod 2007-04-08 22:20:47 UTC
A new freetype release will be made tomorrow...

