xfstt crashes in lucid lynx

Bug #575026 reported by Erik Devriendt
Affects: xfstt (Ubuntu)   Status: New   Importance: Undecided   Assigned to: Unassigned   Milestone: (none shown)

Bug Description

Binary package hint: xfstt

xfstt crashes when requesting its fonts list with fslsfonts.

fslsfonts -server unix/:7101

returns

FSIO: fatal IO error 32 (Broken pipe) on font server "unix/:7101"
      after 1 requests (0 known processed) with 0 events remaining.
      The connection was probably broken by a server shutdown.

When running xfstt in the foreground and calling fslsfonts in another terminal we get:

# xfstt

*** buffer overflow detected ***: xfstt terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb89350]
/lib/tls/i686/cmov/libc.so.6(+0xe128a)[0xb8828a]
/lib/tls/i686/cmov/libc.so.6(+0xe09c8)[0xb879c8]
/lib/tls/i686/cmov/libc.so.6(_IO_default_xsputn+0x9e)[0xb10afe]
/lib/tls/i686/cmov/libc.so.6(_IO_vfprintf+0xe24)[0xae4a34]
/lib/tls/i686/cmov/libc.so.6(__vsprintf_chk+0xad)[0xb87a7d]
/lib/tls/i686/cmov/libc.so.6(__sprintf_chk+0x2d)[0xb879bd]
xfstt[0x804c657]
======= Memory map: ========
0015e000-0015f000 r-xp 00000000 00:00 0 [vdso]
00382000-003a6000 r-xp 00000000 08:01 69004 /lib/tls/i686/cmov/libm-2.11.1.so
003a6000-003a7000 r--p 00023000 08:01 69004 /lib/tls/i686/cmov/libm-2.11.1.so
003a7000-003a8000 rw-p 00024000 08:01 69004 /lib/tls/i686/cmov/libm-2.11.1.so
00713000-007fc000 r-xp 00000000 08:01 3341 /usr/lib/libstdc++.so.6.0.13
007fc000-007fd000 ---p 000e9000 08:01 3341 /usr/lib/libstdc++.so.6.0.13
007fd000-00801000 r--p 000e9000 08:01 3341 /usr/lib/libstdc++.so.6.0.13
00801000-00802000 rw-p 000ed000 08:01 3341 /usr/lib/libstdc++.so.6.0.13
00802000-00809000 rw-p 00000000 00:00 0
00a41000-00a5c000 r-xp 00000000 08:01 18487 /lib/ld-2.11.1.so
00a5c000-00a5d000 r--p 0001a000 08:01 18487 /lib/ld-2.11.1.so
00a5d000-00a5e000 rw-p 0001b000 08:01 18487 /lib/ld-2.11.1.so
00aa7000-00bfa000 r-xp 00000000 08:01 68966 /lib/tls/i686/cmov/libc-2.11.1.so
00bfa000-00bfb000 ---p 00153000 08:01 68966 /lib/tls/i686/cmov/libc-2.11.1.so
00bfb000-00bfd000 r--p 00153000 08:01 68966 /lib/tls/i686/cmov/libc-2.11.1.so
00bfd000-00bfe000 rw-p 00155000 08:01 68966 /lib/tls/i686/cmov/libc-2.11.1.so
00bfe000-00c01000 rw-p 00000000 00:00 0
00e4d000-00e6a000 r-xp 00000000 08:01 20481 /lib/libgcc_s.so.1
00e6a000-00e6b000 r--p 0001c000 08:01 20481 /lib/libgcc_s.so.1
00e6b000-00e6c000 rw-p 0001d000 08:01 20481 /lib/libgcc_s.so.1
08048000-08060000 r-xp 00000000 08:01 63034 /usr/bin/xfstt
08060000-08061000 r--p 00017000 08:01 63034 /usr/bin/xfstt
08061000-08062000 rw-p 00018000 08:01 63034 /usr/bin/xfstt
08062000-0806d000 rw-p 00000000 00:00 0
09186000-091a7000 rw-p 00000000 00:00 0 [heap]
b71fc000-b767e000 rw-p 00000000 00:00 0
b767e000-b7682000 r--s 00000000 08:01 65417 /var/cache/xfstt/ttname.dir
b7682000-b7683000 r--s 00000000 08:01 65376 /var/cache/xfstt/ttinfo.dir
b7683000-b76c2000 r--p 00000000 08:01 1738 /usr/lib/locale/en_US.utf8/LC_CTYPE
b76c2000-b76c3000 r--p 00000000 08:01 15159 /usr/lib/locale/en_US.utf8/LC_NUMERIC
b76c3000-b76c4000 r--p 00000000 08:01 9427 /usr/lib/locale/en_US.utf8/LC_TIME
b76c4000-b77e2000 r--p 00000000 08:01 2410 /usr/lib/locale/en_US.utf8/LC_COLLATE
b77e2000-b77e4000 rw-p 00000000 00:00 0
b77e4000-b77e5000 r--p 00000000 08:01 39615 /usr/lib/locale/en_US.utf8/LC_MONETARY
b77e5000-b77e6000 r--p 00000000 08:01 39616 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
b77e6000-b77e7000 r--p 00000000 08:01 15095 /usr/lib/locale/en_US.utf8/LC_PAPER
b77e7000-b77e8000 r--p 00000000 08:01 15158 /usr/lib/locale/en_US.utf8/LC_NAME
b77e8000-b77e9000 r--p 00000000 08:01 42265 /usr/lib/locale/en_US.utf8/LC_ADDRESS
b77e9000-b77ea000 r--p 00000000 08:01 48946 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
b77ea000-b77eb000 r--p 00000000 08:01 15091 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
b77eb000-b77f2000 r--s 00000000 08:01 68543 /usr/lib/gconv/gconv-modules.cache
b77f2000-b77f3000 r--p 00000000 08:01 48959 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
b77f3000-b77f5000 rw-p 00000000 00:00 0
bfb9d000-bfbb2000 rw-p 00000000 00:00 0 [stack]

Erik Devriendt (erik-devriendt) wrote:

The buffer overflow reported by the fortify checks in sprintf is caused by the fact that the sprintf call on line 449 in xfstt.cc does not account for the terminating \0. The size of the target buffer fn.panose is exactly 20 bytes, and the code tries to write 20 chars + 1 terminating \0 into it.

I attached a patch fixing this problem.

Note that the source of xfstt in Debian sid (xfstt version 1.7-7) has the same problem.

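The off-by-one described in the comment above, as an added C example; this is not xfstt's source and not the attached patch. It uses a hypothetical struct with a 20-byte `panose` field followed by another field, shows the `sprintf` pattern that places the terminating NUL one byte past the field (the write that glibc's fortified `__sprintf_chk`, visible in the backtrace, aborts on), and a fixed version that formats into a scratch buffer with room for the NUL and copies exactly `sizeof panose` bytes. The ten sample PANOSE bytes and the field layout are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout: a fixed 20-byte text field with no room for a NUL,
 * immediately followed by another field that an extra byte would clobber. */
struct font_info {
    char panose[20];
    char next_field[8];
};

/* Constructed sample: ten PANOSE classification bytes (values are made up). */
static const uint8_t sample_panose[10] = { 2, 11, 6, 4, 2, 2, 2, 2, 2, 4 };

/* Bytes that sprintf("%02X") emits for nbytes input bytes, counting the
 * terminating NUL that sprintf always appends. */
size_t hex_len_with_nul(size_t nbytes)
{
    return nbytes * 2 + 1;
}

/* The check the original code was missing: does the formatted output,
 * including its NUL, fit the destination?  1 = fits, 0 = overflows. */
int fits_with_nul(size_t nbytes, size_t bufsize)
{
    return hex_len_with_nul(nbytes) <= bufsize;
}

/* The pattern the bug report describes.  Each sprintf writes two hex digits
 * plus a NUL; the tenth call lands its NUL at panose[20], one byte past the
 * field.  Shown for reading only and never called here: with _FORTIFY_SOURCE
 * enabled (Ubuntu's default when optimising), glibc's __sprintf_chk sees the
 * 20-byte object and aborts with "*** buffer overflow detected ***". */
void fill_panose_unsafe(struct font_info *fi, const uint8_t p[10])
{
    char *out = fi->panose;
    for (int i = 0; i < 10; i++)
        out += sprintf(out, "%02X", p[i]);
}

/* Fixed version: format into a scratch buffer sized for the NUL, refuse to
 * proceed on truncation, then copy exactly the field's size.  The field is
 * deliberately left without a terminator, because it has no room for one. */
int fill_panose_safe(struct font_info *fi, const uint8_t p[10])
{
    char tmp[sizeof fi->panose + 1];      /* 21 bytes: 20 digits + '\0' */
    size_t off = 0;

    for (int i = 0; i < 10; i++) {
        int n = snprintf(tmp + off, sizeof tmp - off, "%02X", p[i]);
        if (n < 0 || (size_t)n >= sizeof tmp - off)
            return -1;                    /* would have truncated */
        off += (size_t)n;
    }
    if (off != sizeof fi->panose)
        return -1;                        /* layout assumption violated */

    memcpy(fi->panose, tmp, sizeof fi->panose);
    return 0;
}

int main(void)
{
    struct font_info fi;
    memset(&fi, 'X', sizeof fi);          /* sentinel pattern in every byte */

    printf("sprintf needs %zu bytes, field holds %zu: %s\n",
           hex_len_with_nul(10), sizeof fi.panose,
           fits_with_nul(10, sizeof fi.panose) ? "fits" : "overflows by one");

    if (fill_panose_safe(&fi, sample_panose) != 0)
        return 1;
    printf("panose = %.*s, next_field intact: %s\n",
           (int)sizeof fi.panose, fi.panose,
           memcmp(fi.next_field, "XXXXXXXX", sizeof fi.next_field) == 0 ? "yes" : "no");
    return 0;
}
```

The point of the scratch buffer is that `snprintf` cannot be asked to omit the terminator: any `%s`-style formatting into a buffer that is exactly as long as the text will always need one spare byte, so the safe shape is "format with room, then copy the width you actually want".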