I'm disinclined to unilaterally assign a CVE here:
- ftgrid doesn't feel like it's useful beyond freetype developers -- try
it out for yourself on a font on your system. (For me, quite a lot of
the window space is filled with the previous contents of the screen, but
perhaps if you're not running a tiling window manager the window will be
the exact required size. What's left doesn't look like it's end-user or
even font-designer oriented.)
- I don't think the linked patches completely address the undefined
behavior due to signed integer overflows:
    typedef struct grBitmap_
    {
      int             rows;
      int             width;
      int             pitch;
      grPixelMode     mode;
      int             grays;
      unsigned char*  buffer;
    } grBitmap;

    static void
    bitmap_scale( GridStatus  st,
                  grBitmap*   bit,
                  int         scale )
    {
      unsigned char*  s = bit->buffer;
      unsigned char*  line;
      int             pitch;
      int             width;
      int             i, j, k;

      pitch = bit->pitch > 0 ?  bit->pitch
                             : -bit->pitch;
      width = bit->width;

      /* limit bitmap size */
      if ( pitch * scale <= 0xFFFF && bit->rows * scale <= 0xFFFF )
        line = (unsigned char*)malloc( (size_t)( pitch * bit->rows *
                                                 scale * scale ) );
      else
        line = NULL;
What happens if pitch * scale or bit->rows * scale cause an integer overflow
and the compiler emits code that causes the result to become negative? Or the
compiler omits the code entirely, because signed integer overflow is undefined?
All these values are signed integers and I can't quickly spot code that would
limit these to suitable values.
I don't see any security value in debugging this demo program. If
upstream disagrees and thinks this deserves a CVE, I won't stand in
their way, but I also don't think assigning one here would encourage
them to care about the CVE process.
Fixing one specific integer overflow while ignoring two more on the
previous line doesn't feel productive.
If you, dear reader, actually care about this specific program, I
encourage a few steps to explore it further:
- build it with -fsanitize=undefined and fuzz it. I bet there's dozens more of
these errors.
- build it with -fsanitize=address and fuzz it. I bet there's a few more of
these errors.
- submit the project to scan.coverity.com. Unless Coverity is already part of
the workflow, it'll probably find dozens of flaws, some of which will represent
real bugs reachable by maliciously built fonts or operating users or other X
clients or the X server.
Thanks
--
https://bugs.launchpad.net/bugs/2059852
Title:
Invalid free called during libfreetype FT_Done_Glyph
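An added example (not ftgrid's or the commenter's code) showing how the size limit quoted in the comment can be written without relying on signed overflow: every product is checked before it is formed, the total is computed in 64 bits, and a second helper shows that the original guard by itself still admits values whose product exceeds INT_MAX. The names scaled_bitmap_bytes, mul_checked and GR_MAX_DIM are assumptions of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define GR_MAX_DIM 0xFFFF   /* same per-dimension cap ftgrid applies */

/* Multiply two non-negative ints, refusing instead of overflowing.
 * Uses the portable division test so it needs no compiler builtin. */
static int mul_checked(int a, int b, int *out)
{
    if (a < 0 || b < 0)
        return 0;
    if (a != 0 && b > INT_MAX / a)
        return 0;                       /* a * b would exceed INT_MAX */
    *out = a * b;
    return 1;
}

/* Scaled buffer size for a bitmap of |pitch| x rows at the given scale.
 * Returns 1 and stores the byte count, or 0 if any intermediate product
 * would overflow an int or exceed GR_MAX_DIM (caller allocates nothing). */
int scaled_bitmap_bytes(int pitch, int rows, int scale, size_t *bytes)
{
    int abs_pitch, sp, sr;

    /* -INT_MIN is itself undefined, so reject it before negating. */
    if (scale <= 0 || rows < 0 || pitch == INT_MIN)
        return 0;
    abs_pitch = pitch < 0 ? -pitch : pitch;

    if (!mul_checked(abs_pitch, scale, &sp) || sp > GR_MAX_DIM)
        return 0;
    if (!mul_checked(rows, scale, &sr) || sr > GR_MAX_DIM)
        return 0;

    /* Both factors are <= 0xFFFF, so the product is below 2^32, but
     * 0xFFFF * 0xFFFF does not fit a 32-bit int: form it in 64 bits. */
    *bytes = (size_t)((uint64_t)sp * (uint64_t)sr);
    return 1;
}

/* Does the quoted guard (pitch*scale <= 0xFFFF && rows*scale <= 0xFFFF)
 * pass while pitch*rows*scale*scale still exceeds INT_MAX?  Evaluated in
 * 64 bits so the check itself never triggers the undefined behaviour. */
int original_guard_allows_int_overflow(int pitch, int rows, int scale)
{
    int64_t sp = (int64_t)pitch * scale;
    int64_t sr = (int64_t)rows * scale;
    return sp <= GR_MAX_DIM && sr <= GR_MAX_DIM && sp * sr > INT_MAX;
}
```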