Bug 235479 (CVE-2007-3506) - CVE-2007-3506 Embolden rendering with an sbit font makes glibc detected.
Summary: CVE-2007-3506 Embolden rendering with an sbit font makes glibc detected.
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2007-3506
Product: Fedora
Classification: Fedora
Component: freetype
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Behdad Esfahbod
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-06 03:33 UTC by sangu
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: 2.3.4-1.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-11 14:22:14 UTC



Description sangu 2007-04-06 03:33:33 UTC
Description of problem:
$ firefox 
*** glibc detected *** /usr/lib/firefox-2.0.0.3/firefox-bin: free(): invalid
next size (fast): 0x0abcf330 ***
======= Backtrace: =========
/lib/libc.so.6[0xc92bed]
/lib/libc.so.6(cfree+0x90)[0xc96210]
/usr/lib/libfreetype.so.6[0xb8c08d]
/usr/lib/libfreetype.so.6(ft_mem_free+0x1a)[0xb8f86a]
/usr/lib/libfreetype.so.6(ft_glyphslot_free_bitmap+0x4c)[0xb8fd2c]
/usr/lib/libfreetype.so.6(FT_Load_Glyph+0x40)[0xb90bb0]
/usr/lib/libcairo.so.2[0xa2ef94]
/usr/lib/libcairo.so.2[0xa1edaf]
/usr/lib/libcairo.so.2(cairo_scaled_font_glyph_extents+0xa0)[0xa1fa50]
/usr/lib/libpangocairo-1.0.so.0[0x27cc1c]
/usr/lib/libpango-1.0.so.0(pango_font_get_glyph_extents+0x3e)[0x438c9e]
/usr/lib/pango/1.6.0/modules/pango-hangul-fc.so[0x293f89f]
/usr/lib/pango/1.6.0/modules/pango-hangul-fc.so[0x29401cc]
/usr/lib/pango/1.6.0/modules/pango-hangul-fc.so[0x294055a]
/usr/lib/libpango-1.0.so.0[0x440a3a]
/usr/lib/libpango-1.0.so.0(pango_shape+0xf7)[0x451b47]
/usr/lib/libpango-1.0.so.0[0x44488a]
/usr/lib/libpango-1.0.so.0[0x4474f5]
/usr/lib/libpango-1.0.so.0[0x447a5d]
/usr/lib/libpango-1.0.so.0(pango_layout_get_line+0x2f)[0x449b1f]
/usr/lib/firefox-2.0.0.3/components/libgfx_gtk.so[0x4e79354]
/usr/lib/firefox-2.0.0.3/components/libgfx_gtk.so[0x4e7ada0]
/usr/lib/firefox-2.0.0.3/components/libgfx_gtk.so[0x4e6f90f]
/usr/lib/firefox-2.0.0.3/components/libgfx_gtk.so[0x4e7ff9f]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1360b53]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x136680f]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13427f9]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x133d681]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x133d8f9]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x133dc9d]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13427f9]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314482]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314932]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314bb0]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314dfa]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1315387]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1318206]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13e8e59]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fd2d4]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fb8af]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13feecd]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1400a29]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13f2d45]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13f6e4a]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13f91ae]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fa0b3]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1319c99]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1313cb9]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1314cb1]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1315387]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x1318206]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13e8e59]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fd2d4]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13fb8af]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x131ef03]
/usr/lib/firefox-2.0.0.3/components/libgklayout.so[0x13feecd]
======= Memory map: ========
00110000-001ec000 r-xp 00000000 08:09 655059     /usr/lib/firefox-2.0.0.3/libxpcom_core.so
001ec000-001f4000 rwxp 000db000 08:09 655059     /usr/lib/firefox-2.0.0.3/libxpcom_core.so
001f4000-001f6000 r-xp 00000000 08:09 7661851    /usr/lib/libplds4.so
001f6000-001f7000 rwxp 00002000 08:09 7661851    /usr/lib/libplds4.so
001f7000-001fb000 r-xp 00000000 08:09 7661850    /usr/lib/libplc4.so
001fb000-001fc000 rwxp 00003000 08:09 7661850    /usr/lib/libplc4.so
001fc000-00212000 r-xp 00000000 08:09 4606778    /usr/lib/libgdk_pixbuf-2.0.so.0.1000.11
00212000-00213000 rwxp 00016000 08:09 4606778    /usr/lib/libgdk_pixbuf-2.0.so.0.1000.11
00215000-00218000 r-xp 00000000 08:09 655057     /usr/lib/firefox-2.0.0.3/libxpcom.so
00218000-00219000 rwxp 00002000 08:09 655057     /usr/lib/firefox-2.0.0.3/libxpcom.so
00219000-0024e000 r-xp 00000000 08:09 7645824    /usr/lib/libnspr4.so
0024e000-0024f000 rwxp 00035000 08:09 7645824    /usr/lib/libnspr4.so
0024f000-00251000 rwxp 0024f000 00:00 0 
00251000-00276000 r-xp 00000000 08:09 7647140    /usr/lib/libpng12.so.0.16.0
00276000-00277000 rwxp 00024000 08:09 7647140    /usr/lib/libpng12.so.0.16.0
00277000-0027f000 r-xp 00000000 08:09 7659195    /usr/lib/libpangocairo-1.0.so.0.1600.1
0027f000-00280000 rwxp 00007000 08:09 7659195    /usr/lib/libpangocairo-1.0.so.0.1600.1
00280000-00282000 r-xp 00000000 08:09 7161180    /lib/libgmodule-2.0.so.0.1200.11
00282000-00283000 rwxp 00002000 08:09 7161180    /lib/libgmodule-2.0.so.0.1200.11
00283000-00287000 r-xp 00000000 08:09 7652807    /usr/lib/libXfixes.so.3.1.0
00287000-00288000 rwxp 00003000 08:09 7652807    /usr/lib/libXfixes.so.3.1.0
00288000-002a3000 r-xp 00000000 08:09 7155191    /lib/ld-2.5.90.so
002a3000-002a4000 r-xp 0001a000 08:09 7155191    /lib/ld-2.5.90.so
002a4000-002a5000 rwxp 0001b000 08:09 7155191    /lib/ld-2.5.90.so
002a5000-0032f000 r-xp 00000000 08:09 4606772    /usr/lib/libgdk-x11-2.0.so.0.1000.11
0032f000-00332000 rwxp 0008a000 08:09 4606772    /usr/lib/libgdk-x11-2.0.so.0.1000.11
00332000-00334000 r-xp 00000000 08:09 7648005    /usr/lib/libXinerama.so.1.0.0
00334000-00335000 rwxp 00001000 08:09 7648005    /usr/lib/libXinerama.so.1.0.0
00335000-00337000 r-xp 00000000 08:09 7647568    /usr/lib/libXau.so.6.0.0
00337000-00338000 rwxp 00001000 08:09 7647568    /usr/lib/libXau.so.6.0.0
00339000-00353000 r-xp 00000000 08:09 7645740    /usr/lib/libatk-1.0.so.0.1809.1
00353000-00355000 rwxp 0001a000 08:09 7645740    /usr/lib/libatk-1.0.so.0.1809.1
00355000-0035d000 r-xp 00000000 08:09 7645468    /usr/lib/libXrender.so.1.3.0
0035d000-0035e000 rwxp 00007000 08:09 7645468    /usr/lib/libXrender.so.1.3.0
0035e000-00365000 r-xp 00000000 08:09 7659147    /usr/lib/libXi.so.6.0.0
00365000-00366000 rwxp 00006000 08:09 7659147    /usr/lib/libXi.so.6.0.0
00366000-0036c000 r-xp 00000000 08:09 7659174    /usr/lib/libXrandr.so.2.1.0
0036c000-0036d000 rwxp 00005000 08:09 7659174    /usr/lib/libXrandr.so.2.1.0
0036d000-00372000 r-xp 00000000 08:09 7659116    /usr/lib/libXdmcp.so.6.0.0
00372000-00373000 rwxp 00004000 08:09 7659116    /usr/lib/libXdmcp.so.6.0.0
00373000-00374000 r-xp 00000000 08:09 3169397    /usr/lib/gconv/ISO8859-1.so
00374000-00376000 rwxp 00000000 08:09 3169397    /usr/lib/gconv/ISO8859-1.so
00377000-00427000 r-xp 00000000 08:09 655056     /usr/lib/firefox-2.0.0.3/libmozjs.so
00427000-0042c000 rwxp 000b0000 08:09 655056     /usr/lib/firefox-2.0.0.3/libmozjs.so
0042c000-0046c000 r-xp 00000000 08:09 7654926    /usr/lib/libpango-1.0.so.0.1600.1
0046c000-0046e000 rwxp 0003f000 08:09 7654926    /usr/lib/libpango-1.0.so.0.1600.1
0046e000-00480000 r-xp 00000000 08:09 7160353    /lib/libz.so.1.2.3
00480000-00481000 rwxp 00011000 08:09 7160353    /lib/libz.so.1.2.3
00481000-00483000 r-xp 00000000 08:09 3169445    /usr/lib/gconv/UTF-16.so
00483000-00485000 rwxp 00001000 08:09 3169445    /usr/lib/gconv/UTF-16.so
00487000-0048a000 r-xp 00000000 08:09 7157012    /lib/libdl-2.5.90.so
0048a000-0048b000 r-xp 00002000 08:09 7157012    /lib/libdl-2.5.90.so
0048b000-0048c000 rwxp 00003000 08:09 7157012    /lib/libdl-2.5.90.so
0048c000-00822000 r-xp 00000000 08:09 4606829    /usr/lib/libgtk-x11-2.0.so.0.1000.11
00822000-00828000 rwxp 00396000 08:09 4606829    /usr/lib/libgtk-x11-2.0.so.0.1000.11
00828000-00829000 rwxp 00828000 00:00 0 
0082a000-0083e000 r-xp 00000000 08:09 7155282    /lib/libpthread-2.5.90.so
0083e000-0083f000 r-xp 00013000 08:09 7155282    /lib/libpthread-2.5.90.so
0083f000-00840000 rwxp 00014000 08:09 7155282    /lib/libpthread-2.5.90.so
00840000-00842000 rwxp 00840000 00:00 0 
00842000-00880000 r-xp 00000000 08:09 7161184    /lib/libgobject-2.0.so.0.1200.11
00880000-00881000 rwxp 0003e000 08:09 7161184    /lib/libgobject-2.0.so.0.1200.11
00881000-0091f000 r-xp 00000000 08:09 7160913    /lib/libglib-2.0.so.0.1200.11
0091f000-00920000 rwxp 0009d000 08:09 7160913    /lib/libglib-2.0.so.0.1200.11
00920000-00947000 r-xp 00000000 08:09 7157014    /lib/libm-2.5.90.so
00947000-00948000 r-xp 00026000 08:09 7157014    /lib/libm-2.5.90.so
00948000-00949000 rwxp 00027000 08:09 7157014    /lib


Version-Release number of selected component (if applicable):
2.3.3-1.fc7

How reproducible:
always

Steps to Reproduce:
1. 
2.
3.
  
Actual results:


Expected results:


Additional info:
firefox-2.0.0.3-2.fc7
pango-1.16.1-1.fc7
cairo-1.4.2-1.fc7
gtk2-2.10.11-3.fc7

Comment 1 sangu 2007-04-06 04:25:14 UTC
maybe embolden bug?
1. Load an sbit font with ftview
2. Change font size to 14 on ftview.
3. Click the space bar on ftview (rendering emboldened text)

$ ftview ppem /usr/share/fonts/hanyang/Dotum.ttf 
*** glibc detected *** ftview: free(): invalid next size (fast): 0x0841e0e8 ***
======= Backtrace: =========
/lib/libc.so.6[0x48dbed]
/lib/libc.so.6(cfree+0x90)[0x491210]
/usr/lib/libfreetype.so.6[0x37808d]
/usr/lib/libfreetype.so.6(ft_mem_free+0x1a)[0x37b86a]
/usr/lib/libfreetype.so.6(FT_Bitmap_Done+0x39)[0x381329]
/usr/lib/libfreetype.so.6[0x382256]
/usr/lib/libfreetype.so.6(FT_Done_Glyph+0x34)[0x382354]
ftview[0x804c6fa]
ftview[0x804b12b]
/lib/libc.so.6(__libc_start_main+0xe0)[0x43bef0]
ftview[0x8049971]
======= Memory map: ========
00110000-00113000 r-xp 00000000 08:09 7157012    /lib/libdl-2.5.90.so
00113000-00114000 r-xp 00002000 08:09 7157012    /lib/libdl-2.5.90.so
00114000-00115000 rwxp 00003000 08:09 7157012    /lib/libdl-2.5.90.so
00115000-0011d000 r-xp 00000000 08:09 7645468    /usr/lib/libXrender.so.1.3.0
0011d000-0011e000 rwxp 00007000 08:09 7645468    /usr/lib/libXrender.so.1.3.0
0027f000-00283000 r-xp 00000000 08:09 7652807    /usr/lib/libXfixes.so.3.1.0
00283000-00284000 rwxp 00003000 08:09 7652807    /usr/lib/libXfixes.so.3.1.0
002d5000-002d7000 r-xp 00000000 08:09 7647568    /usr/lib/libXau.so.6.0.0
002d7000-002d8000 rwxp 00001000 08:09 7647568    /usr/lib/libXau.so.6.0.0
002d8000-002dd000 r-xp 00000000 08:09 7659116    /usr/lib/libXdmcp.so.6.0.0
002dd000-002de000 rwxp 00004000 08:09 7659116    /usr/lib/libXdmcp.so.6.0.0
002fb000-00322000 r-xp 00000000 08:09 7157014    /lib/libm-2.5.90.so
00322000-00323000 r-xp 00026000 08:09 7157014    /lib/libm-2.5.90.so
00323000-00324000 rwxp 00027000 08:09 7157014    /lib/libm-2.5.90.so
00324000-0032d000 r-xp 00000000 08:09 7652370    /usr/lib/libXcursor.so.1.0.2
0032d000-0032e000 rwxp 00008000 08:09 7652370    /usr/lib/libXcursor.so.1.0.2
00371000-003f4000 r-xp 00000000 08:09 7649033    /usr/lib/libfreetype.so.6.3.14
003f4000-003f8000 rwxp 00082000 08:09 7649033    /usr/lib/libfreetype.so.6.3.14
00426000-00574000 r-xp 00000000 08:09 7155309    /lib/libc-2.5.90.so
00574000-00576000 r-xp 0014e000 08:09 7155309    /lib/libc-2.5.90.so
00576000-00577000 rwxp 00150000 08:09 7155309    /lib/libc-2.5.90.so
00577000-0057a000 rwxp 00577000 00:00 0 
005cd000-005e8000 r-xp 00000000 08:09 7155191    /lib/ld-2.5.90.so
005e8000-005e9000 r-xp 0001a000 08:09 7155191    /lib/ld-2.5.90.so
005e9000-005ea000 rwxp 0001b000 08:09 7155191    /lib/ld-2.5.90.so
006b9000-006c4000 r-xp 00000000 08:09 7155192    /lib/libgcc_s-4.1.2-20070403.so.1
006c4000-006c5000 rwxp 0000a000 08:09 7155192    /lib/libgcc_s-4.1.2-20070403.so.1
00710000-00711000 r-xp 00710000 00:00 0          [vdso]
00b6b000-00b7d000 r-xp 00000000 08:09 7160353    /lib/libz.so.1.2.3
00b7d000-00b7e000 rwxp 00011000 08:09 7160353    /lib/libz.so.1.2.3
00c93000-00d91000 r-xp 00000000 08:09 7649541    /usr/lib/libX11.so.6.2.0
00d91000-00d95000 rwxp 000fe000 08:09 7649541    /usr/lib/libX11.so.6.2.0
08048000-08059000 r-xp 00000000 08:09 7652513    /usr/bin/ftview
08059000-0805a000 rw-p 00011000 08:09 7652513    /usr/bin/ftview
0805a000-0805f000 rw-p 0805a000 00:00 0 
08223000-0843f000 rw-p 08223000 00:00 0 
b7100000-b7121000 rw-p b7100000 00:00 0 
b7121000-b7200000 ---p b7121000 00:00 0 
b7236000-b7e62000 r--p 00000000 08:09 915389     /usr/share/fonts/hanyang/Dotum.ttf
b7e62000-b7f28000 rw-p b7e62000 00:00 0 
b7f3c000-b7f3d000 rw-p b7f3c000 00:00 0 
bf924000-bf93a000 rw-p bf924000 00:00 0

Comment 2 sangu 2007-04-06 05:23:59 UTC
See : http://savannah.nongnu.org/bugs/?19536

Comment 3 Behdad Esfahbod 2007-04-06 07:50:34 UTC
What is a sbit font btw?

Comment 4 sangu 2007-04-06 11:07:22 UTC
An sbit font is a TrueType font that only includes bitmap data.

And this problem was fixed in FreeType CVS.

--- freetype-2.3.3/src/base/ftbitmap.c.orig     2007-03-29 16:20:32.000000000 +0900
+++ freetype-2.3.3/src/base/ftbitmap.c  2007-04-06 19:25:03.000000000 +0900
@@ -149,15 +149,15 @@
       if ( bit_last < bit_width )
       {
         FT_Byte*  line  = bitmap->buffer + ( bit_last >> 3 );
+        FT_Byte*  end   = bitmap->buffer + pitch;
         FT_Int    shift = bit_last & 7;
         FT_UInt   mask  = 0xFF00U >> shift;
         FT_Int    count = height;
 
 
-        for ( ; count > 0; count--, line += pitch )
+        for ( ; count > 0; count--, line += pitch, end += pitch )
         {
           FT_Byte*  write = line;
-          FT_Byte*  end   = line + pitch;
 
 
           if ( shift > 0 )
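Review bot: the removed bound "FT_Byte*  end   = line + pitch;" was off by (bit_last >> 3) bytes, because "line" is initialised as "bitmap->buffer + ( bit_last >> 3 )" and so already sits that many bytes into the row; on the last row the clearing loop therefore wrote that many bytes past the end of the bitmap buffer, which is consistent with the "free(): invalid next size" heap check failure in the traces above. The new "end = bitmap->buffer + pitch", stepped by "pitch" in lockstep with "line", is the true end of each row, so the change is correct. Two suggestions: add a short comment above the new "end" declaration saying it is deliberately not "line + pitch", because the old form reads as the more natural one and is easy to reintroduce in a later cleanup; and, since the hunk does not show how the sign of "pitch" is handled, confirm that "pitch" is positive at this point, as both "line" and "end" are advanced by it and a negative pitch would walk both pointers backwards from the first row.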

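As an added illustration of the defect behind the patch in the comment above (example code written for this page, not FreeType's own source): a simplified model of the trailing-bit clearing loop, run with the old "end = line + pitch" bound beside the corrected "end = buffer + pitch" bound over a small constructed 1-bit bitmap that is followed by guard bytes inside the same allocation, so the overrun can be counted rather than triggered as real heap corruption. The bitmap_t struct, the function names and the 3-row, 4-byte-pitch sample are assumptions made for this example; it also assumes a positive pitch (top-down rows).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for FT_Bitmap (not FreeType's type): a 1-bit-per-pixel
 * bitmap with `rows` rows of `pitch` bytes each.  pitch is assumed positive. */
typedef struct {
    unsigned char *buffer;
    int rows;
    int pitch;
} bitmap_t;

/* Clear every bit from bit index `bit_last` to the end of each row.
 * Modelled on the loop in the patch above.  With fixed == 0 the old per-row
 * bound `end = line + pitch` is used; with fixed != 0 the corrected bound
 * `end = buffer + pitch`, advanced in lockstep with `line`, is used. */
static void clear_tail_bits(bitmap_t *bm, int bit_last, int fixed)
{
    int pitch     = bm->pitch;
    int bit_width = pitch * 8;

    if (bit_last >= bit_width)
        return;                                  /* nothing to clear */

    unsigned char *line = bm->buffer + (bit_last >> 3);
    unsigned char *end  = bm->buffer + pitch;    /* true end of row 0 */
    int      shift = bit_last & 7;
    unsigned mask  = 0xFF00U >> shift;           /* keeps the first `shift` bits */
    int      count = bm->rows;

    for (; count > 0; count--, line += pitch, end += pitch) {
        unsigned char *write = line;

        if (!fixed)
            /* Old bound: `line` already sits (bit_last >> 3) bytes into the
             * row, so this overshoots the row end by that many bytes. */
            end = line + pitch;

        if (shift > 0) {
            *write = (unsigned char)(*write & mask);
            write++;
        }
        if (write < end)
            memset(write, 0, (size_t)(end - write));
    }
}

/* Run the loop over a constructed all-ones bitmap followed by `pitch` guard
 * bytes and report how many guard bytes were modified.  The guard is part of
 * the same allocation, so an overrun is observed without undefined behaviour. */
int guard_bytes_touched(int rows, int pitch, int bit_last, int fixed)
{
    size_t size = (size_t)rows * (size_t)pitch;
    unsigned char *buf = malloc(size + (size_t)pitch);
    if (!buf)
        return -1;
    memset(buf, 0xFF, size + (size_t)pitch);

    bitmap_t bm = { buf, rows, pitch };
    clear_tail_bits(&bm, bit_last, fixed);

    int touched = 0;
    for (size_t i = 0; i < (size_t)pitch; i++)
        if (buf[size + i] != 0xFF)
            touched++;
    free(buf);
    return touched;
}

/* Same setup; returns byte `index` of the bitmap after clearing (or -1), so
 * the effect on neighbouring rows can be inspected as well. */
int byte_after_clear(int rows, int pitch, int bit_last, int fixed, int index)
{
    size_t size = (size_t)rows * (size_t)pitch;
    unsigned char *buf = malloc(size + (size_t)pitch);
    if (!buf)
        return -1;
    memset(buf, 0xFF, size + (size_t)pitch);

    bitmap_t bm = { buf, rows, pitch };
    clear_tail_bits(&bm, bit_last, fixed);

    int value = (index >= 0 && (size_t)index < size) ? buf[index] : -1;
    free(buf);
    return value;
}

int main(void)
{
    /* Constructed sample: 3 rows, 4 bytes (32 bits) per row, keep 20 bits. */
    printf("old bound: %d guard byte(s) overwritten\n", guard_bytes_touched(3, 4, 20, 0));
    printf("new bound: %d guard byte(s) overwritten\n", guard_bytes_touched(3, 4, 20, 1));
    printf("row 1, byte 0 with old bound: 0x%02x (new bound keeps 0xff)\n",
           byte_after_clear(3, 4, 20, 0, 4));
    return 0;
}
```

With the sample above the old bound writes (20 >> 3) = 2 bytes past the allocation on the last row, and on earlier rows the same 2-byte overshoot lands in the leading bytes of the next row, so it is a data-corruption bug as well as a heap overflow; the corrected bound touches neither.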

Comment 5 Behdad Esfahbod 2007-04-08 22:20:47 UTC
A new freetype release will be made tomorrow...

