xfstt cores on startup

Bug #403074 reported by PCC
This bug affects 5 people
Affects: xfstt (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: xfstt

Version is 1.7-5 AMD64.

xfstt fails to run and reports buffer overflow:

corrupt font database!
opening TTF database failed, while reading "/usr/share/fonts/truetype" to build it.
*** buffer overflow detected ***: xfstt terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7fa1c2f87747]
/lib/libc.so.6[0x7fa1c2f86660]
/lib/libc.so.6[0x7fa1c2f8588d]
xfstt[0x403162]
xfstt[0x4057de]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fa1c2eaa606]
xfstt(__gxx_personality_v0+0xf9)[0x402539]
======= Memory map: ========
Aborted (core dumped)

On building xfstt from source, it gives the following warning:

In file included from /usr/include/string.h:428,
                 from xfstt.cc:55:
In function ‘char* strncpy(char*, const char*, size_t)’,
    inlined from ‘int ttSyncAll(int)’ at xfstt.cc:316:
/usr/include/bits/string3.h:122: warning: call to char* __builtin___strncpy_chk(char*, const char*, long unsigned int, long unsigned int) will always overflow destination buffer

The issue is quite obvious.

In src/xfstt.cc line 316, we have

   strncpy(info.magic, "TTFNINFO", 8);

but in src/xfstt.h line 53, we have

   char magic[4]; // == TTFN

It cores on strncpy'ing 8 into 4. Not sure if we have other systems that can do it, but it won't work on mine.

Version of libc6-dev is 2.9-20ubuntu2 (AMD64).

I may still have other issues in building the font database, but xfstt dumping core is the first obstacle.

Regards,
P. C.

Tags: patch
PCC (p-c-chan) wrote :

There is an issue in building the font database as well:

In src/xfstt.cc line 316:
        strncpy(info.magic, "TTFNINFO", 8);
        info.version = TTFN_VERSION;
        info.crc = 0; // XXX
        fwrite((void *)&info, 1, sizeof(info), infoFile);
        strncpy(info.type, "NAME", 4);
        fwrite((void *)&info, 1, sizeof(info), nameFile);

This would set the beginning of ttname.dir to TTFNINFONAME...

However in line 810:
        if (nameSize <= sizeof(TTFNheader)
            || strncmp(nameBase, "TTFNNAME", 8)) {
                error(_("corrupt font database!\n"));
                return 0;
        }

Hence it would always fail. Isn't it bad?
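As an added example (not xfstt's own code), this is how the header write from line 316 and a check in the style of line 810 look when the field sizes are enforced at compile time rather than caught by FORTIFY at run time. The struct layout (magic[4] immediately followed by type[4]), the field order and every function name are assumptions for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed for this example: magic[4] directly followed by type[4], so the
 * first 8 bytes of a NAME database read "TTFNNAME" as the check at line 810 expects. */
typedef struct {
    char magic[4];   /* "TTFN": fixed width, deliberately not NUL-terminated */
    char type[4];    /* "INFO" or "NAME" */
    uint32_t version, crc;
} ttfn_header;

/* Copy a literal into a fixed-width field; _Static_assert turns the report's
 * 8-into-4 strncpy into a compile error instead of a FORTIFY abort at run time. */
#define SET_FIELD(field, lit) do {                                           \
        _Static_assert(sizeof(lit) - 1 == sizeof(field), "literal too big"); \
        memcpy((field), (lit), sizeof(field)); } while (0)

/* Fully initialised header: memset keeps stack garbage out of the database file. */
static void make_header(ttfn_header *hdr, int is_name, uint32_t version) {
    memset(hdr, 0, sizeof *hdr);
    SET_FIELD(hdr->magic, "TTFN");
    if (is_name) SET_FIELD(hdr->type, "NAME"); else SET_FIELD(hdr->type, "INFO");
    hdr->version = version;
    hdr->crc = 0;                          /* xfstt leaves this 0 as well (its "XXX") */
}

/* Reader check in the spirit of xfstt.cc line 810: data must be longer than the header
 * and begin with "TTFN" + want_type (exactly 4 chars). Returns 1 if valid, else 0. */
static int header_is_valid(const unsigned char *buf, size_t len, const char want_type[4]) {
    char expect[8] = "TTFN";
    if (len <= sizeof(ttfn_header)) return 0;
    memcpy(expect + 4, want_type, 4);
    return memcmp(buf, expect, sizeof expect) == 0;
}

/* Serialise a header plus 4 bytes of constructed payload, then validate `len` bytes. */
static int round_trip(int is_name, const char want_type[4], size_t len) {
    unsigned char buf[sizeof(ttfn_header) + 4];
    ttfn_header hdr;
    make_header(&hdr, is_name, 1);
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, "font", 4);
    return header_is_valid(buf, len > sizeof buf ? sizeof buf : len, want_type);
}

int main(void) {
    printf("NAME db, NAME check: %d\n", round_trip(1, "NAME", sizeof(ttfn_header) + 4));
    printf("INFO db, NAME check: %d\n", round_trip(0, "NAME", sizeof(ttfn_header) + 4));
}
```

Changing either literal in `make_header` to a string of the wrong length fails to compile, which is the same mistake gcc only warned about in the report.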

PCC (p-c-chan) wrote :

We could do this:
--- src/xfstt.cc 2005-11-02 20:53:15.000000000 -0500
+++ src/xfstt.cc.new 2009-07-22 12:44:24.000000000 -0400
@@ -313,9 +313,10 @@
        }

        TTFNheader info;
- strncpy(info.magic, "TTFNINFO", 8);
+ strncpy(info.magic, "TTFN", 4);
        info.version = TTFN_VERSION;
        info.crc = 0; // XXX
+ strncpy(info.type, "INFO", 4);
        fwrite((void *)&info, 1, sizeof(info), infoFile);
        strncpy(info.type, "NAME", 4);
        fwrite((void *)&info, 1, sizeof(info), nameFile);
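Review bot: the two separate 4-byte copies only produce the contiguous "TTFNNAME" / "TTFNINFO" that the 8-byte `strncmp(nameBase, "TTFNNAME", 8)` at line 810 expects if `type` directly follows `magic[4]` in TTFNheader with no padding between them; verify that in xfstt.h before depending on it. The added `strncpy(info.type, "INFO", 4)` also fixes a second defect: `TTFNheader info;` is declared without an initializer, so the first `fwrite` to infoFile used to emit whatever stack bytes happened to sit in `info.type` (and in any struct padding). Zeroing the struct right after the declaration, e.g. `memset(&info, 0, sizeof info);`, would close that for good, and `info.crc = 0; // XXX` still leaves a checksum that is never computed.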

but I am not sure what ttname.dir should look like.

PCC (p-c-chan) wrote :

I guess nobody cares about this any more.

tags: added: patch