Closed Bug 824506 Opened 13 years ago Closed 13 years ago

buffer overflow in Freetype's ftrandom.c

Categories

(Core :: Graphics, defect)

18 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: douglaswtcs, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(1 file)

Attached file ftrandom.c
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

Analyze the code.

Actual results:

Critical programming error.

Expected results:

Line: 497
Column: 12
File: \modules\freetype2\src\tools\ftrandom.c

    00492:     int         i        = getRandom( 0, fcnt - 1 );
    00493:     static int  test_num = 0;
    00494:     char        buffer[1024];
    00495:
    00496:
    00497:     sprintf( buffer, "%s/test%d", results_dir, test_num++ );
    00498:
    00499:     if ( copyfont ( &fontlist[i], buffer ) )
    00500:     {
    00501:       signal( SIGALRM, abort_test );
    00502:       /* Anything that takes more than 20 seconds */

    sprintf( buffer, "%s/test%d", results_dir, test_num++ );

buffer = 1024. If I exceed "1024", I overflow the user's stack.

More information and how to fix:

This function is admittedly fragile to buffer overflow. Make sure that, somehow, the arguments may exceed the size of the variable allocated.
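The unbounded sprintf quoted above is the whole substance of the report: a results_dir longer than about 1000 bytes would overrun the 1024-byte stack buffer. As an added example that is neither part of this bug nor FreeType's own code, the C below builds the same "<results_dir>/test<N>" path with snprintf, rejects a path that would not fit instead of truncating or overflowing, and computes how many bytes the unbounded call would have needed. The helper names build_test_path, needed_bytes, short_dir_fits and long_dir_rejected, and the sample directory names, are assumptions made for this example, not ftrandom.c identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for the sprintf at line 497: write
   "<results_dir>/test<test_num>" into a caller-supplied buffer of
   known size and report failure instead of writing past its end.
   Returns the number of characters written (excluding the NUL),
   or -1 on bad arguments or when the path would not fit. */
static int
build_test_path( char        *buffer,
                 size_t       buflen,
                 const char  *results_dir,
                 int          test_num )
{
    int  n;

    if ( buffer == NULL || buflen == 0 || results_dir == NULL )
        return -1;

    n = snprintf( buffer, buflen, "%s/test%d", results_dir, test_num );
    if ( n < 0 )
        return -1;

    /* snprintf reports the length it wanted; >= buflen means the
       output was cut short, which an unbounded sprintf would have
       turned into an overflow of `buffer`. */
    if ( (size_t)n >= buflen )
    {
        buffer[0] = '\0';   /* leave no half-written path behind */
        return -1;
    }
    return n;
}

/* Bytes (including the NUL) the unbounded sprintf would have needed. */
static size_t
needed_bytes( const char  *results_dir,
              int          test_num )
{
    return (size_t)snprintf( NULL, 0, "%s/test%d", results_dir, test_num ) + 1;
}

/* Self-check: a short directory name fits the 1024-byte buffer. */
static int
short_dir_fits( void )
{
    char  buffer[1024];

    return build_test_path( buffer, sizeof buffer, "/tmp/results", 7 ) == 18
           && strcmp( buffer, "/tmp/results/test7" ) == 0;
}

/* Self-check: a constructed 1999-byte directory name is refused, the
   buffer is left empty, and the unbounded call would have needed
   1999 + strlen("/test7") + 1 = 2006 bytes. */
static int
long_dir_rejected( void )
{
    char  buffer[1024];
    char  long_dir[2000];   /* constructed oversize input */

    memset( long_dir, 'a', sizeof long_dir - 1 );
    long_dir[sizeof long_dir - 1] = '\0';

    return build_test_path( buffer, sizeof buffer, long_dir, 7 ) == -1
           && buffer[0] == '\0'
           && needed_bytes( long_dir, 7 ) == 2006;
}

int
main( void )
{
    printf( "short directory fits:      %s\n", short_dir_fits()    ? "yes" : "no" );
    printf( "oversize directory refused: %s\n", long_dir_rejected() ? "yes" : "no" );
    return 0;
}
```

The bounds check matters because snprintf alone only truncates; a truncated results path would silently redirect the tool's output files, so the caller should treat the truncated case as an error, as build_test_path does. In ftrandom.c, results_dir comes from the command line of a test tool, which is consistent with the comments below that this code is not part of any shipped product.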
Version: 17 Branch → 18 Branch
Component: Untriaged → Graphics
Product: Firefox → Core
Similar to bug 824529, this is an upstream library that we import wholesale, so assuming this bug is present upstream it should probably be reported there.
Summary: Buffer OverFlow in the "Firefox 18.0b5" → buffer overflow in Firefox 18 in Freetype's ftrandom.c
Flags: sec-bounty?
Summary: buffer overflow in Firefox 18 in Freetype's ftrandom.c → buffer overflow in Freetype's ftrandom.c
This is the source of a testing tool from the freetype project; it's not even part of any mozilla products, afaics.
I agree, it's not part of the build.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Group: core-security
Flags: sec-bounty? → sec-bounty-