[gs-bugs] [Bug 691867] New: Buffer Overflow in xps_true_callback_glyph_name() using Verdana font
bugzilla-daemon at ghostscript.com
Wed Jan 5 18:23:34 UTC 2011
http://bugs.ghostscript.com/show_bug.cgi?id=691867
Summary: Buffer Overflow in xps_true_callback_glyph_name() using Verdana font
Product: GhostXPS
Version: unspecified
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: normal
Priority: P4
Component: General
AssignedTo: tor.andersson at artifex.com
ReportedBy: lercher at singhammer.de
QAContact: gs-bugs at ghostscript.com
Estimated Hours: 0.0
Created an attachment (id=7088)
--> (http://bugs.ghostscript.com/attachment.cgi?id=7088)
xps file to reproduce the buffer overflow
Applies to ...\ghostpdl-9.00\xps\xpsttf.c
The original lines (line #179):

    char buf[16];
    sprintf(buf, "glyph%d", (int)glyph);

overflow the 16-byte string buffer when glyph is 0xC0000000, which is a long
negative integer in %d format.

Proposed change: change %d to %#X
    /* Format 1.0 (mac encoding) is a simple table see the TT spec.
     * We don't implement this because we don't see it in practice.
     * Format 2.5 is deprecated.
     * Format 3.0 means that there is no post data in the font file.
     * We see this a lot but can't do much about it.
     * The only format we support is 2.0.
     */
    if ( format != 0x20000 )
    {
        /* Invent a name if we don't know the table format. */
        char buf[16];
>>>     sprintf(buf, "glyph%#X", (int)glyph);
        pstr->data = (byte*)buf;
        pstr->size = strlen((char*)pstr->data);
        return 0;
    }
Possible side effect:
A different subsystem relies on the specified formatted glyph name, e.g. glyph32,
which would now be glyph0X20 instead.
Sample command line to reproduce:

    xps\debugobj\gxps.exe -sDEVICE=pdfwrite -sOutputFile=test.pdf -dNOPAUSE tools\ieprint.xps
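Added worked example, not part of the bug report or of the GhostXPS sources: it measures with snprintf how many bytes each candidate format needs for the glyph value the reporter gives, and for the worst case over all int values (assuming a 32-bit int), and shows a bounded replacement for the sprintf call that reports truncation instead of writing past buf. The names render, glyph_name_len, worst_case_len, format_glyph_name, the FMT_* tags, GLYPH_BUF_SIZE and REPORTED_GLYPH are mine, not identifiers from xpsttf.c.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Size of the on-stack buffer in the quoted xpsttf.c snippet. */
#define GLYPH_BUF_SIZE 16

/* The glyph value from the report; on two's-complement targets with a 32-bit
 * int (assumed throughout) this is -1073741824. */
#define REPORTED_GLYPH ((int)0xC0000000u)

/* Candidate formats: the original "%d", the reporter's "%#X", and plain "%u". */
enum { FMT_DEC, FMT_HEX, FMT_UNSIGNED };

/* Render the invented glyph name into buf with one of the formats. With
 * buf == NULL and n == 0 snprintf only measures. Returns the would-be length. */
static int render(char *buf, size_t n, int fmt, int glyph)
{
    switch (fmt) {
    case FMT_DEC: return snprintf(buf, n, "glyph%d", glyph);
    case FMT_HEX: return snprintf(buf, n, "glyph%#X", (unsigned)glyph);
    default:      return snprintf(buf, n, "glyph%u", (unsigned)glyph);
    }
}

/* Bytes needed, NUL included, for this glyph under this format. */
static size_t glyph_name_len(int fmt, int glyph)
{
    int n = render(NULL, 0, fmt, glyph);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Largest buffer any int value can need under this format. The extremes are
 * INT_MIN (11 chars in %d) and 0xFFFFFFFF (10 chars in %#X and %u); the other
 * probes show the answer is not driven by one lucky value. */
static size_t worst_case_len(int fmt)
{
    static const int probes[] = { 0, 32, INT_MAX, INT_MIN, -1, REPORTED_GLYPH };
    size_t worst = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t len = glyph_name_len(fmt, probes[i]);
        if (len > worst) worst = len;
    }
    return worst;
}

/* Bounded replacement for the sprintf call: never writes more than bufsize
 * bytes, always NUL-terminates, returns 1 if the whole name fitted, 0 if cut. */
static int format_glyph_name(char *buf, size_t bufsize, int fmt, int glyph)
{
    int n = render(buf, bufsize, fmt, glyph);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    static const char *names[] = { "glyph%d", "glyph%#X", "glyph%u" };
    char buf[GLYPH_BUF_SIZE];
    for (int fmt = FMT_DEC; fmt <= FMT_UNSIGNED; fmt++) {
        int ok = format_glyph_name(buf, sizeof buf, fmt, REPORTED_GLYPH);
        printf("%-9s needs %2zu bytes for 0xC0000000, worst case %2zu, buf[16] -> %s%s\n",
               names[fmt], glyph_name_len(fmt, REPORTED_GLYPH), worst_case_len(fmt),
               buf, ok ? "" : " (TRUNCATED; sprintf would have overflowed)");
    }
    return 0;
}
```

With a 32-bit int, "glyph%d" needs 17 bytes for the reported value (and for INT_MIN), one more than buf holds, which is the overflow; "glyph%#X" and "glyph%u" top out at exactly 16, so either fits, but only a bounded write makes the bound explicit rather than a coincidence of buffer size and integer width. Two further points a reviewer of the proposed change would raise: the # flag adds no 0X prefix when the value is zero, so glyph 0 renders as "glyph0" rather than "glyph0X0"; and, as quoted, the snippet stores the address of the local buf in pstr->data and then returns, so the caller is handed a pointer into a frame that no longer exists whatever format is chosen.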