[Pkg-fonts-devel] Bug#550120: Found the problem
Aha. I've now managed to reproduce the problem in a debuggable
fontforge, and tracked it down.
The segfault occurs because fontforge calls a PLT entry (for
_IO_putc) with a bogus value in EBX (which should hold the GOT
address). This bogus value arises due to stack corruption in
svg_pathdump() in fontforge/svg.c. The stack corruption occurs due
to the sprintf statement on svg.c line 200, which has format string
"c%g %g %g %g %g %g" but which targets a fixed-size buffer 60 bytes
long. A float formatted using %g can easily be twelve characters
long (e.g. "-0.000123456"), so six of those with spaces in between
have no trouble overflowing the output buffer.
I attach a trivial patch to svg.c which made the problem go away for
me by simply expanding the buffer by a factor of ten.
Cheers,
Simon
--
Simon Tatham          "I thought I'd put my foot so far into my mouth I
<anakin@pobox.com>     wouldn't be able to sit down without standing up."
--- svg.c.orig 2009-10-14 20:12:31.000000000 +0100
+++ svg.c 2009-10-14 20:08:18.000000000 +0100
@@ -150,7 +150,7 @@
static int svg_pathdump(FILE *file, SplineSet *spl, int lineout,
int forceclosed, int do_clips) {
BasePoint last;
- char buffer[60];
+ char buffer[600];
int closed=false;
Spline *sp, *first;
/* as I see it there is nothing to be gained by optimizing out the */
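Review bot: enlarging `char buffer[60]` to `char buffer[600]` stops the crash reported here but leaves the unbounded sprintf on svg.c line 200 in place, so the same class of overflow returns the moment the format string grows or another caller writes into the buffer. Prefer replacing that call with `snprintf(buffer, sizeof buffer, "c%g %g %g %g %g %g", ...)` and checking the return value for truncation, or size the buffer from the format's worst case (six %g conversions of at most 13 characters each, five spaces, "c", and the terminator, i.e. 85 bytes) rather than a round factor of ten. Since only the declaration is in the hunk, the sprintf line itself cannot be reviewed from this patch.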
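The following is an added illustration of the overflow mechanism described in the report above; it is not part of the bug report or of fontforge's own svg.c. It reuses the format string "c%g %g %g %g %g %g" and the 60-byte buffer size from the report, computes how many bytes the original sprintf would have written for coordinates such as -0.000123456, and shows a bounded replacement (svg_curve_fmt) that refuses to emit truncated output. The worst-case width of a %g conversion (13 characters, e.g. "-1.23456e+308") and the derived buffer size are my own calculation, not numbers from the report.

```c
#include <stdio.h>
#include <stddef.h>

/* Worst case for one "%g" at the default precision of 6 significant
 * digits: sign, 6 digits, decimal point, and a four-character exponent,
 * e.g. "-1.23456e+308" (13 chars).  The %f-style output that %g picks
 * for small exponents, e.g. "-0.000123456", is 12 chars. */
#define G_MAX_LEN 13

/* "c" + six %g fields + five separating spaces + terminating NUL. */
#define SVG_CURVE_BUFLEN (1 + 6 * G_MAX_LEN + 5 + 1)   /* 85 */

/* Same format string as the sprintf at svg.c line 200 in the report. */
static const char *const CURVE_FMT = "c%g %g %g %g %g %g";

/* Number of bytes (excluding the NUL) the unbounded sprintf in the
 * original code would write for one cubic curve segment.  Anything
 * above 59 overruns the original char buffer[60]. */
int svg_curve_len(double cx1, double cy1, double cx2, double cy2,
                  double x, double y)
{
    return snprintf(NULL, 0, CURVE_FMT, cx1, cy1, cx2, cy2, x, y);
}

/* Hardened replacement: never writes past buf[buflen-1].  Returns the
 * formatted length, or -1 if the output did not fit (buf then holds a
 * truncated, NUL-terminated string that must not be emitted as SVG). */
int svg_curve_fmt(char *buf, size_t buflen,
                  double cx1, double cy1, double cx2, double cy2,
                  double x, double y)
{
    int n = snprintf(buf, buflen, CURVE_FMT, cx1, cy1, cx2, cy2, x, y);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(void)
{
    char small[60];                 /* the size the report says overflowed */
    char big[SVG_CURVE_BUFLEN];
    double v = -0.000123456;        /* constructed sample: 12 chars under %g */

    printf("bytes needed: %d, sizeof(small) = %zu\n",
           svg_curve_len(v, v, v, v, v, v), sizeof small);
    printf("into 60-byte buffer: %d (-1 means refused)\n",
           svg_curve_fmt(small, sizeof small, v, v, v, v, v, v));
    printf("into %zu-byte buffer: %d -> \"%s\"\n", sizeof big,
           svg_curve_fmt(big, sizeof big, v, v, v, v, v, v), big);
    return 0;
}
```

With six copies of -0.000123456 the segment needs 78 bytes, which is why the 60-byte stack buffer in svg_pathdump() was overrun; the bounded version returns -1 for that buffer and 78 for the 85-byte one, and 85 bytes also covers the 13-character worst case of %g.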