Comment 0 for bug 696616

When used with FreeType2 as a backend, Pango is vulnerable to heap corruption when rendering malformed fonts. The vulnerability occurs in pango_ft2_font_render_box_glyph() in pango/pangoft2-render.c. A buffer is malloc'd with size box->bitmap.rows * box->bitmap.pitch. Subsequently, 0xff is written at offsets into this buffer without checking that these offsets fall within the buffer's boundaries, leading to heap corruption.

I tested this against Lucid (Pango 1.28.0) and upstream (Pango 1.28.3).

I've attached a fuzzed version of the FreeSerif TrueType font ("crash.ttf") that can be used to reproduce this corruption as follows, using the test-mixed.txt file included in the pango-view directory of the source tree (also attached):

# cp /usr/share/fonts/truetype/freefont/FreeSerif.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf.bak
# cp crash.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf
# pango-view --backend=ft2 --font=FreeSerif test-mixed.txt
*** glibc detected *** pango-view: malloc(): memory corruption: 0x000000000116cfa0 ***
======= Backtrace: =========
...