I'm disinclined to unilaterally assign a CVE here:

- ftgrid doesn't feel like it's useful beyond freetype developers -- try
it out for yourself on a font on your system. (For me, quite a lot of
the window space is filled with the previous contents of the screen, but
perhaps if you're not running a tiling window manager the window will be
the exact required size. What's left doesn't look like it's end-user or
even font-designer oriented.)

- I don't think the linked patches completely address the undefined
behavior due to signed integer overflows:

  typedef struct grBitmap_
  {
    int             rows;
    int             width;
    int             pitch;
    grPixelMode     mode;
    int             grays;
    unsigned char*  buffer;
  } grBitmap;

  static void
  bitmap_scale( GridStatus  st,
                grBitmap*   bit,
                int         scale )
  {
    unsigned char*  s = bit->buffer;
    unsigned char*  line;
    int             pitch;
    int             width;
    int             i, j, k;
    pitch = bit->pitch > 0 ?  bit->pitch
                           : -bit->pitch;
    width = bit->width;
    /* limit bitmap size */
    if ( pitch * scale <= 0xFFFF && bit->rows * scale <= 0xFFFF )
      line = (unsigned char*)malloc( (size_t)( pitch * bit->rows *
                                               scale * scale ) );
    else
      line = NULL;

What happens if pitch * scale or bit->rows * scale cause an integer overflow 
and the compiler emits code that causes the result to become negative? Or the 
compiler omits the code entirely, because signed integer overflow is undefined? 
All these values are signed integers and I can't quickly spot code that would 
limit these to suitable values.

I don't see any security value in debugging this demo program. If
upstream disagrees and thinks this deserves a CVE, I won't stand in
their way, but I also don't think assigning one here would encourage
them to care about the CVE process.

Fixing one specific integer overflow while ignoring two more on the
previous line doesn't feel productive.

If you, dear reader, actually care about this specific program, I
encourage a few steps to explore it further:

- build it with -fsanitize=undefined and fuzz it. I bet there's dozens more of 
these errors.
- build it with -fsanitize=address and fuzz it. I bet there's a few more of 
these errors.
- submit the project to scan.coverity.com. Unless Coverity is already part of 
the workflow, it'll probably find dozens of flaws, some of which will represent 
real bugs reachable by maliciously built fonts or operating users or other X 
clients or the X server.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059852

Title:
  Invalid free called during libfreetype FT_Done_Glyph



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
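The overflow concern raised in the comment above, shown as an added example (not FreeType's or ftgrid's own code): it re-creates the quoted grBitmap layout (grPixelMode replaced by a plain int, since only the size arithmetic matters), emulates what the quoted `pitch * scale <= 0xFFFF && bit->rows * scale <= 0xFFFF` test does under two's-complement wraparound, and sets a hardened size computation beside it in which every product is overflow-checked and the final byte count is formed in size_t. The function names, the GR_MAX_DIM macro and the sample bitmaps are constructed for this illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the grBitmap quoted in the report (grPixelMode replaced by int,
 * since the real enum plays no part in the size arithmetic). */
typedef struct grBitmap_
{
  int             rows;
  int             width;
  int             pitch;
  int             mode;
  int             grays;
  unsigned char*  buffer;
} grBitmap;

#define GR_MAX_DIM  0xFFFF   /* the limit used by the quoted check */

/* Emulates the quoted `pitch * scale <= 0xFFFF && rows * scale <= 0xFFFF` test
 * under two's-complement wraparound, which is what a compiler commonly emits
 * for int * int when it does not exploit the undefined behaviour.  The products
 * are computed in uint32_t so this emulation itself is well defined; the
 * conversion back to int32_t is implementation-defined (modular on GCC/Clang).
 * Returns 1 if the original check would let the allocation proceed. */
int original_check_wrapped( int pitch, int rows, int scale )
{
  int32_t  ps = (int32_t)( (uint32_t)pitch * (uint32_t)scale );
  int32_t  rs = (int32_t)( (uint32_t)rows  * (uint32_t)scale );

  return ps <= GR_MAX_DIM && rs <= GR_MAX_DIM;
}

/* Multiplies two non-negative ints without signed overflow.  Returns 0 and
 * stores the product on success, -1 if either operand is negative or the
 * product would not fit in an int. */
static int checked_mul_int( int a, int b, int* out )
{
  if ( a < 0 || b < 0 )
    return -1;
  if ( a != 0 && b > INT_MAX / a )
    return -1;
  *out = a * b;
  return 0;
}

/* Hardened size computation: every product is overflow-checked before it is
 * compared, |pitch| is taken only when negating cannot itself overflow, and
 * the final byte count is formed in size_t because two values that are each
 * <= 0xFFFF can still multiply to more than INT_MAX.  Returns 0 when the
 * bitmap must be rejected (or would be empty), otherwise the byte count. */
size_t scaled_bitmap_size( int raw_pitch, int rows, int scale )
{
  int  pitch, scaled_pitch, scaled_rows;

  if ( scale <= 0 || raw_pitch == INT_MIN )   /* -INT_MIN is itself UB */
    return 0;
  pitch = raw_pitch > 0 ? raw_pitch : -raw_pitch;

  if ( checked_mul_int( pitch, scale, &scaled_pitch ) != 0 ||
       scaled_pitch > GR_MAX_DIM )
    return 0;
  if ( checked_mul_int( rows, scale, &scaled_rows ) != 0 ||
       scaled_rows > GR_MAX_DIM )
    return 0;

  return (size_t)scaled_pitch * (size_t)scaled_rows;
}

/* Allocation step of a hardened bitmap_scale: NULL whenever the check fails. */
unsigned char* bitmap_scale_alloc( const grBitmap* bit, int scale )
{
  size_t  size = scaled_bitmap_size( bit->pitch, bit->rows, scale );

  return size ? (unsigned char*)malloc( size ) : NULL;
}

int main( void )
{
  /* constructed inputs: a sane 100x50 8-bit bitmap and one with a huge pitch */
  grBitmap        sane    = { 50, 100, 100, 0, 256, NULL };
  grBitmap        hostile = { 1, 1, 1 << 30, 0, 256, NULL };
  unsigned char*  buf;

  printf( "sane:    original check passes=%d, hardened size=%zu\n",
          original_check_wrapped( sane.pitch, sane.rows, 4 ),
          scaled_bitmap_size( sane.pitch, sane.rows, 4 ) );
  printf( "hostile: original check passes=%d, hardened size=%zu\n",
          original_check_wrapped( hostile.pitch, hostile.rows, 4 ),
          scaled_bitmap_size( hostile.pitch, hostile.rows, 4 ) );

  buf = bitmap_scale_alloc( &sane, 4 );
  free( buf );
  return 0;
}
```

With pitch = 1 << 30 and scale = 4 the wrapped product is 0, so the quoted check passes even though the real product is 2^32; the hardened version rejects it. The same code also shows the third overflow the comment alludes to: pitch * rows * scale * scale can exceed INT_MAX even when both scaled dimensions are within 0xFFFF, which is why the byte count is computed in size_t rather than int. Building with -fsanitize=undefined, as the comment suggests, would flag the original arithmetic on such inputs.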