On Wed, May 27, 2015 at 3:44 PM, Guzman Mosqueda, Jose R < [email protected]> wrote:
>
> Hi all
>
> I'm Jose Guzman from a security team at Intel.
> We're using freetype in a GNU-Linux project and I'm analyzing the code
> to try to find possible issues/gaps/risks.
> Since I'm not too familiar with the package yet I have a question about
> one particular piece of code that could result in an invalid memory
> segment read or stack fault.
>
> Version: 2.5.5
> File: src/tools/apinames.c
> Function: static void names_dump(...)
> Line: ~186
>
> In the case that the process flow executes code inside the "if"
> statement at line 170: "if ( dot != NULL )", there is a line of code
> where "dll_name" points to a local variable "temp" which becomes invalid
> outside the "if" block. So in the next for loop the "dll_name" variable could
> point to an invalid memory segment.
>

According to the standards, it should be invalid. I have never seen a compiler that actually over-uses stack variables, or that expands the stack during a code block and collapses it at the end. temp will always have its own space that is unused if that code is never executed (it should be re-used by other stack variables that are in local code blocks), but even if it was, there's no other code that would execute to corrupt it in this case. Stack space for variables is also only allocated in the subroutine prefix code and deallocated in the suffix, that is, the stack wouldn't expand during that code block and collapse back (at least not in any compiler implementation I've seen). BUT I also wouldn't trust that, and would recommend moving the declaration of the temp variable up a code block (where const char * dot is declared).

> I really appreciate it if anyone can address this question and tell me
> whether it is a real issue or not, since you know the package much better
> and can analyze the code deeply.
>
> Thanks in advance,
> -Jose G.
>
>
> _______________________________________________
> Freetype mailing list
> [email protected]
> https://lists.nongnu.org/mailman/listinfo/freetype
>
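The scoping problem the thread discusses, as an added example that is not FreeType's code and not from either correspondent: a constructed function modelled on the described shape (a block-local `temp` buffer that `dll_name` is pointed at, then read in a later loop) beside the fix the reply recommends (declare `temp` in the enclosing scope, next to `dot`). The function names `dump_names_dangling`, `dump_names_fixed` and `emit_names`, the output line format, the 512-byte cap and the sample symbol names are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define TEMP_SIZE 512   /* size of the "temp" buffer; assumed for the example */

/* Constructed sample symbols for the demonstration (not from apinames.c). */
const char *const example_names[] = { "FT_Init_FreeType", "FT_Done_FreeType" };
const int         example_count   = 2;

/* Shared output loop: one "++_<name>.<dll>.<name>" line per symbol into
 * `out`.  Returns the number of bytes written, or -1 if `out` is too small.
 * The line format is made up for this example. */
static int
emit_names( char *out, size_t out_size, const char *dll_name,
            const char *const *names, int num_names )
{
  size_t used = 0;
  int    nn;

  if ( out_size == 0 )
    return -1;
  out[0] = '\0';
  for ( nn = 0; nn < num_names; nn++ )
  {
    int n = snprintf( out + used, out_size - used, "++_%s.%s.%s\n",
                      names[nn], dll_name, names[nn] );
    if ( n < 0 || (size_t)n >= out_size - used )
      return -1;
    used += (size_t)n;
  }
  return (int)used;
}

/* Buggy shape from the thread: `temp` lives only inside the if-block, yet
 * `dll_name` is pointed at it and read after the block.  That read is a
 * use-after-scope (undefined behaviour).  It usually "works" because the
 * compiler keeps the stack slot allocated for the whole function, which
 * is exactly why it survives testing. */
int
dump_names_dangling( char *out, size_t out_size, const char *dll_name,
                     const char *const *names, int num_names )
{
  const char *dot = strchr( dll_name, '.' );

  if ( dot != NULL )
  {
    char   temp[TEMP_SIZE];
    size_t len = (size_t)( dot - dll_name );

    if ( len > TEMP_SIZE - 1 )
      len = TEMP_SIZE - 1;
    memcpy( temp, dll_name, len );
    temp[len] = '\0';
    dll_name = temp;        /* BUG: temp's lifetime ends at the next brace */
  }

  /* dll_name may now point at dead stack storage */
  return emit_names( out, out_size, dll_name, names, num_names );
}

/* Fix recommended in the reply: declare `temp` one scope up, next to `dot`,
 * so it is alive for the rest of the function including the output loop. */
int
dump_names_fixed( char *out, size_t out_size, const char *dll_name,
                  const char *const *names, int num_names )
{
  const char *dot = strchr( dll_name, '.' );
  char        temp[TEMP_SIZE];

  if ( dot != NULL )
  {
    size_t len = (size_t)( dot - dll_name );

    if ( len > TEMP_SIZE - 1 )
      len = TEMP_SIZE - 1;
    memcpy( temp, dll_name, len );
    temp[len] = '\0';
    dll_name = temp;        /* OK: temp outlives every later read */
  }

  return emit_names( out, out_size, dll_name, names, num_names );
}

int
main( void )
{
  char out[256];

  if ( dump_names_fixed( out, sizeof out, "freetype.dll",
                         example_names, example_count ) < 0 )
    return 1;
  fputs( out, stdout );
  return 0;
}
```

Only the fixed variant should be relied on; the dangling one is undefined behaviour even when it prints the right thing, which is what the reply's "I also wouldn't trust that" is getting at. Two checks make the bug visible rather than latent: GCC 12 or later warns at `-Wall` (`-Wdangling-pointer`) when it can see the pointer used after the block, and AddressSanitizer reports a stack-use-after-scope at run time (`-fsanitize=address`; use-after-scope detection is on by default in recent clang and is enabled in GCC with `-fsanitize-address-use-after-scope`).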
