[ft-devel] Bug in fuzzed TTF file


From: Victor Stinner
Subject: [ft-devel] Bug in fuzzed TTF file
Date: Fri, 27 Apr 2007 16:23:10 +0200
User-agent: KMail/1.9.5

Hi,

I wrote a fuzzer and tried it on ImageMagick. I found some bugs and one 
critical one in the TTF format. I don't want to publish too much information since I 
think that it's a serious security bug (may lead to arbitrary code 
execution).

It's hard to track the error, but it's near line 325 in src/truetype/ttgload.c 
(function Get_VMetrics()). Status of the function on the crash:
   n_contours = 1
   n_points = -12526 (negative)
   tags = NULL

Problems:
   signed/unsigned integer conversion (strange instruction: « cont[0] = FT_GET_USHORT(); ») --> negative number of points
   tags is NULL (why?)

Contact me if you would like more information or the file to reproduce 
the bug.

Does FreeType use a bug tracker? Is the source repository (cvs/svn) public?

Victor
-- 
Victor Stinner
http://www.inl.fr/
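The report above describes a point count derived from a 16-bit unsigned field that ends up negative. The following is an added example, not FreeType code and not the reporter's file: a simplified, hypothetical reader for the start of a TrueType simple-glyph description (the int16 numberOfContours followed by one big-endian uint16 endPtsOfContours entry per contour, with the point count being the last entry plus one). It shows the defective narrowing side by side with a checked version that keeps the value unsigned, validates the buffer length and contour ordering, and rejects counts above a caller-supplied limit. The sample headers are constructed; the value 0xCF11 is chosen only because it reproduces the sign pattern quoted in the report (n_contours = 1, n_points = -12526).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status codes for the checked reader (illustration only). */
enum glyph_status {
    GLYPH_OK = 0,
    GLYPH_ERR_TRUNCATED,       /* buffer shorter than the declared header      */
    GLYPH_ERR_COMPOSITE,       /* numberOfContours < 0: composite, not handled */
    GLYPH_ERR_NOT_MONOTONIC,   /* endPtsOfContours must strictly increase      */
    GLYPH_ERR_TOO_MANY_POINTS  /* count exceeds the caller's allocation limit  */
};

/* TrueType stores integers big-endian. */
static uint16_t get_ushort(const unsigned char *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

static int16_t get_short(const unsigned char *p)
{
    return (int16_t)get_ushort(p);
}

/*
 * Defective pattern: the unsigned end-point index is narrowed to a signed
 * 16-bit variable before the +1.  Any value >= 0x8000 wraps negative, and a
 * negative count later used as a size or loop bound is the problem class the
 * report describes.  Assumes a header with n_contours >= 1 and enough bytes;
 * it performs no validation on purpose.
 */
int count_points_unchecked(const unsigned char *buf)
{
    int16_t n_contours = get_short(buf);
    int16_t last = (int16_t)get_ushort(buf + 2 + 2 * (n_contours - 1));
    return last + 1;   /* 0xCF11 -> -12527 + 1 = -12526 */
}

/*
 * Checked version: keep the index unsigned, verify the buffer covers the
 * declared header, require increasing end points, and cap the result against
 * max_points so the caller never allocates or iterates on an absurd count.
 */
int count_points_checked(const unsigned char *buf, size_t len,
                         uint32_t max_points, uint32_t *n_points_out)
{
    if (len < 2)
        return GLYPH_ERR_TRUNCATED;
    int16_t n_contours = get_short(buf);
    if (n_contours < 0)
        return GLYPH_ERR_COMPOSITE;
    size_t need = 2 + 2 * (size_t)n_contours;
    if (len < need)
        return GLYPH_ERR_TRUNCATED;

    uint32_t n_points = 0;   /* zero contours -> zero points */
    uint32_t prev = 0;
    for (int i = 0; i < n_contours; i++) {
        uint32_t end = get_ushort(buf + 2 + 2 * i);   /* never narrowed */
        if (i > 0 && end <= prev)
            return GLYPH_ERR_NOT_MONOTONIC;
        prev = end;
        n_points = end + 1;   /* at most 0x10000, cannot go negative */
    }
    if (n_points > max_points)
        return GLYPH_ERR_TOO_MANY_POINTS;
    *n_points_out = n_points;
    return GLYPH_OK;
}

/* Constructed sample headers (not taken from any real font). */
static const unsigned char fuzzed_hdr[] = { 0x00, 0x01, 0xCF, 0x11 };
static const unsigned char good_hdr[]   = { 0x00, 0x02, 0x00, 0x03, 0x00, 0x09 };

int main(void)
{
    uint32_t n = 0;
    printf("unchecked: %d\n", count_points_unchecked(fuzzed_hdr));
    printf("checked fuzzed: status %d\n",
           count_points_checked(fuzzed_hdr, sizeof fuzzed_hdr, 4096, &n));
    printf("checked good: status %d, n_points %u\n",
           count_points_checked(good_hdr, sizeof good_hdr, 4096, &n), n);
    return 0;
}
```

The limit passed as max_points stands in for whatever the loader has actually allocated for the glyph's point, tag and coordinate arrays; rejecting the glyph at this point is what keeps a hostile endPtsOfContours value from reaching the code that indexes those arrays.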
