buffer overflow in Freetype's ftrandom.c

RESOLVED INVALID

Product: Core
Component: Graphics
Reported: 5 years ago
Modified: 3 years ago

People: Reporter Douglas Lourenço, Unassigned

Tracking
Version: 18 Branch
Platform: x86 / Windows XP
Bug Flags: sec-bounty-

Firefox Tracking Flags: (Not tracked)

Attachments (1): ftrandom.c

Description (Reporter, 5 years ago)

Created attachment 695514: ftrandom.c

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

Analyse the code


Actual results:

Critical programming error


Expected results:

Line: 497
Column: 12
File: \modules\freetype2\src\tools\ftrandom.c


00492:    int         i        = getRandom( 0, fcnt - 1 );
00493:    static int  test_num = 0;
00494:    char        buffer[1024];
00495:
00496:
00497:    sprintf( buffer, "%s/test%d", results_dir, test_num++ );
00498:
00499:    if ( copyfont ( &fontlist[i], buffer ) )
00500:    {
00501:      signal( SIGALRM, abort_test );
00502:      /* Anything that takes more than 20 seconds */

sprintf( buffer, "%s/test%d", results_dir, test_num++ );
sizeof(buffer) = 1024

If I exceed 1024, I overflow the user's stack.

More information and how to fix:
This function is admittedly fragile with respect to buffer overflow. Make sure that, somehow, the arguments cannot exceed the size of the allocated variable.
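The pattern the report quotes (an unbounded sprintf of "%s/test%d" into a fixed char buffer[1024], where results_dir comes from the tool's user) next to a bounded replacement, as an added C example. This is not code from ftrandom.c, FreeType or Mozilla; the names results_dir, test_num and the 1024-byte size are taken from the quoted snippet, while make_test_path, needed_bytes, sprintf_would_overflow and the return convention are assumptions made for the example. The bounded version uses snprintf, which reports the length the full string would have had, so a return value >= the buffer size is exactly the condition under which the original sprintf would have written past buffer.

```c
/* Added example, not code from ftrandom.c, FreeType or Mozilla.
 * Reproduces the quoted pattern (fixed 1024-byte buffer, "%s/test%d")
 * and shows a bounded replacement that refuses to write when the path
 * would not fit.  Helper names and return convention are assumptions. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF_SIZE 1024   /* matches char buffer[1024] in the quoted code */

/* Bounded version of the quoted sprintf line.
 * Returns 0 on success (buffer holds the NUL-terminated path) or -1 when
 * the path would not fit.  On failure buffer is left as an empty string
 * and test_num is NOT consumed, so the caller can report and stop. */
static int make_test_path(char *buffer, size_t buflen,
                          const char *results_dir, int *test_num)
{
    int n = snprintf(buffer, buflen, "%s/test%d", results_dir, *test_num);
    if (n < 0 || (size_t)n >= buflen) {
        /* n is the length the full string would have had; n >= buflen
         * means it was truncated, i.e. sprintf() would have written
         * n + 1 - buflen bytes past the end of buffer. */
        if (buflen > 0)
            buffer[0] = '\0';
        return -1;
    }
    (*test_num)++;
    return 0;
}

/* Bytes sprintf() would write (including the NUL) for this results_dir
 * and test number: the quantity that must stay <= sizeof(buffer). */
static size_t needed_bytes(const char *results_dir, int test_num)
{
    return (size_t)snprintf(NULL, 0, "%s/test%d", results_dir, test_num) + 1;
}

/* Would the unbounded sprintf() in the quoted code overflow a
 * PATH_BUF_SIZE-byte buffer for this results_dir?  1 = yes, 0 = no. */
static int sprintf_would_overflow(const char *results_dir, int test_num)
{
    return needed_bytes(results_dir, test_num) > PATH_BUF_SIZE;
}

int main(void)
{
    char buffer[PATH_BUF_SIZE];
    int test_num = 0;

    /* Constructed inputs: a normal directory and an over-long one of the
     * kind a user could pass on the command line. */
    const char *ok_dir = "/tmp/ftrandom-results";
    static char long_dir[1100];
    memset(long_dir, 'A', sizeof long_dir - 1);
    long_dir[sizeof long_dir - 1] = '\0';

    printf("ok_dir needs %zu bytes, overflow=%d\n",
           needed_bytes(ok_dir, test_num),
           sprintf_would_overflow(ok_dir, test_num));
    if (make_test_path(buffer, sizeof buffer, ok_dir, &test_num) == 0)
        printf("path: %s (next test_num %d)\n", buffer, test_num);

    printf("long_dir needs %zu bytes, overflow=%d\n",
           needed_bytes(long_dir, test_num),
           sprintf_would_overflow(long_dir, test_num));
    if (make_test_path(buffer, sizeof buffer, long_dir, &test_num) != 0)
        printf("refused: results_dir too long for %d-byte buffer\n",
               PATH_BUF_SIZE);
    return 0;
}
```

With the 1099-character directory name, needed_bytes() comes out above 1024 and make_test_path() returns -1 without touching anything beyond buffer, whereas the original sprintf() would have kept writing. Note that snprintf's return value is the right thing to check; checking only strlen(results_dir) would ignore the "/test" suffix and the decimal digits of test_num.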
Updated (Reporter, 5 years ago)
Version: 17 Branch → 18 Branch
Component: Untriaged → Graphics
Product: Firefox → Core
Similar to bug 824529, this is an upstream library that we import wholesale, so assuming this bug is present upstream it should probably be reported there.
Summary: Buffer OverFlow in the "Firefox 18.0b5" → buffer overflow in Firefox 18 in Freetype's ftrandom.c
Flags: sec-bounty?
Summary: buffer overflow in Firefox 18 in Freetype's ftrandom.c → buffer overflow in Freetype's ftrandom.c
This is the source of a testing tool from the freetype project; it's not even part of any mozilla products, afaics.
I agree, it's not part of the build.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
Group: core-security
Flags: sec-bounty? → sec-bounty-