
[Pkg-fonts-devel] Bug#550120: Found the problem



Aha. I've now managed to reproduce the problem in a debuggable
fontforge, and tracked it down.

The segfault occurs because fontforge calls a PLT entry (for
_IO_putc) with a bogus value in EBX (which should hold the GOT
address). This bogus value arises due to stack corruption in
svg_pathdump() in fontforge/svg.c. The stack corruption occurs due
to the sprintf statement on svg.c line 200, which has format string
"c%g %g %g %g %g %g" but which targets a fixed-size buffer 60 bytes
long. A float formatted using %g can easily be twelve characters
long (e.g. "-0.000123456"), so six of those with spaces in between
have no trouble overflowing the output buffer.

I attach a trivial patch to svg.c which made the problem go away for
me by simply expanding the buffer by a factor of ten.

Cheers,
Simon
-- 
Simon Tatham         "I thought I'd put my foot so far into my mouth I
<anakin@pobox.com>    wouldn't be able to sit down without standing up."
--- svg.c.orig	2009-10-14 20:12:31.000000000 +0100
+++ svg.c	2009-10-14 20:08:18.000000000 +0100
@@ -150,7 +150,7 @@
 static int svg_pathdump(FILE *file, SplineSet *spl, int lineout,
 	int forceclosed, int do_clips) {
     BasePoint last;
-    char buffer[60];
+    char buffer[600];
     int closed=false;
     Spline *sp, *first;
     /* as I see it there is nothing to be gained by optimizing out the */
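Review bot: enlarging `buffer` from 60 to 600 bytes makes the reported overflow go away, but the hunk does not touch the `sprintf` at svg.c line 200 that writes into it, so the write is still unbounded and any later format change or larger input would overflow again. Suggest also changing that call to `snprintf(buffer, sizeof buffer, ...)` and checking its return value for truncation; with that in place the 600-byte size is a comfortable margin over the roughly 78 bytes the worst case described in the mail needs.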

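As an added example (not part of Simon's report or of the fontforge source), the length arithmetic from the mail worked through in C: measuring how long the svg.c line 200 format string becomes for the twelve-character %g values described, and a bounded replacement that uses snprintf and reports truncation instead of writing past the buffer. The function names and the SVG_BUF_ORIG constant are assumptions made for this example.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Size of the stack buffer in svg_pathdump() before the patch (assumed name). */
#define SVG_BUF_ORIG 60

/* Same format string as the sprintf on svg.c line 200, per the report. */
static const char *const CURVE_FMT = "c%g %g %g %g %g %g";

/* Length (excluding the NUL) the curve command would occupy once formatted.
 * snprintf with a NULL buffer and size 0 only measures; it never writes. */
int svg_curve_len(double a, double b, double c, double d, double e, double f) {
    return snprintf(NULL, 0, CURVE_FMT, a, b, c, d, e, f);
}

/* Would plain sprintf (which needs len + 1 bytes) overrun the 60-byte buffer? */
bool overflows_original_buffer(double a, double b, double c,
                               double d, double e, double f) {
    return svg_curve_len(a, b, c, d, e, f) + 1 > SVG_BUF_ORIG;
}

/* Hardened write: never exceeds bufsize. Returns true when the output was
 * truncated, so the caller can fail instead of emitting a damaged SVG path. */
bool svg_curve_write(char *buf, size_t bufsize, double a, double b, double c,
                     double d, double e, double f) {
    int n = snprintf(buf, bufsize, CURVE_FMT, a, b, c, d, e, f);
    return n < 0 || (size_t)n >= bufsize;
}

int main(void) {
    /* Constructed coordinates: each formats under %g as "-0.000123456" (12 chars). */
    double v = -0.000123456;
    char buf[SVG_BUF_ORIG];
    printf("formatted length: %d bytes (buffer is %d)\n",
           svg_curve_len(v, v, v, v, v, v), SVG_BUF_ORIG);
    printf("sprintf would overflow: %s\n",
           overflows_original_buffer(v, v, v, v, v, v) ? "yes" : "no");
    printf("snprintf truncated: %s -> \"%s\"\n",
           svg_curve_write(buf, sizeof buf, v, v, v, v, v, v) ? "yes" : "no", buf);
    return 0;
}
```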