[gs-bugs] [Bug 691867] New: Buffer Overflow in xps_true_callback_glyph_name() using Verdana font

bugzilla-daemon at ghostscript.com
Wed Jan 5 18:23:34 UTC 2011

           Summary: Buffer Overflow in xps_true_callback_glyph_name()
                    using Verdana font
           Product: GhostXPS
           Version: unspecified
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: normal
          Priority: P4
         Component: General
        AssignedTo: tor.andersson at artifex.com
        ReportedBy: lercher at singhammer.de
         QAContact: gs-bugs at ghostscript.com
   Estimated Hours: 0.0

Created an attachment (id=7088)
 --> (http://bugs.ghostscript.com/attachment.cgi?id=7088)
xps file to reproduce the buffer overflow

Applies to ...\ghostpdl-9.00\xps\xpsttf.c

The original lines (line #179)

  char buf[16];
  sprintf(buf, "glyph%d", (int)glyph);

overflow the 16-byte string buffer when glyph is 0xC0000000, which is a long
negative integer in %d format.

Proposed change: 
change %d to %#X

    /* Format 1.0 (mac encoding) is a simple table see the TT spec.
     * We don't implement this because we don't see it in practice.
     * Format 2.5 is deprecated.
     * Format 3.0 means that there is no post data in the font file.
     * We see this a lot but can't do much about it.
     * The only format we support is 2.0.
     */
    if ( format != 0x20000 )
    {
        /* Invent a name if we don't know the table format. */
        char buf[16];
        /* changed line: %d replaced by %#X */
        sprintf(buf, "glyph%#X", (int)glyph);
        pstr->data = (byte*)buf;
        pstr->size = strlen((char*)pstr->data);
        return 0;
    }

Possible side effect:
A different subsystem relies on the specified formatted glyph name, e.g. glyph32,
which would now be glyph0X20 instead.

Sample command line to reproduce:
xps\debugobj\gxps.exe -sDEVICE=pdfwrite -sOutputFile=test.pdf -dNOPAUSE
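Added example (not code from the bug report or from the GhostXPS source): it measures how many bytes each of the two formats needs for the glyph value named in the report, and shows a bounded snprintf form of the original line that detects the overrun instead of writing past the buffer. GLYPH_BUF_SIZE mirrors the 16-byte buffer in the report; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer in the report (char buf[16]) */
#define GLYPH_BUF_SIZE 16

/* Bytes, terminating NUL included, that sprintf(buf, "glyph%d", glyph)
 * writes. snprintf with a NULL/0 destination only measures. */
static size_t decimal_name_bytes(int glyph)
{
    return (size_t)snprintf(NULL, 0, "glyph%d", glyph) + 1;
}

/* Same measurement for the "%#X" format proposed in the report.
 * %#X takes an unsigned int, so the glyph id is passed unsigned. */
static size_t hex_name_bytes(unsigned int glyph)
{
    return (size_t)snprintf(NULL, 0, "glyph%#X", glyph) + 1;
}

/* Bounded replacement for the original sprintf line: writes the decimal
 * name into buf and returns its length, or -1 when the name would not fit
 * (snprintf truncates and NUL-terminates instead of overrunning buf). */
static int format_glyph_name(char *buf, size_t bufsize, int glyph)
{
    int n = snprintf(buf, bufsize, "glyph%d", glyph);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return n;
}

int main(void)
{
    /* the glyph value from the report; the cast yields -1073741824 on
     * two's-complement platforms, which is what "%d" then prints */
    int bad = (int)0xC0000000u;
    char buf[GLYPH_BUF_SIZE];

    printf("%%d  needs %zu bytes, buffer has %d\n",
           decimal_name_bytes(bad), GLYPH_BUF_SIZE);
    printf("%%#X needs %zu bytes, buffer has %d\n",
           hex_name_bytes(0xC0000000u), GLYPH_BUF_SIZE);
    printf("bounded write of glyph 32 -> %d, \"%s\"\n",
           format_glyph_name(buf, sizeof buf, 32), buf);
    printf("bounded write of bad id  -> %d (truncated, not overflowed)\n",
           format_glyph_name(buf, sizeof buf, bad));
    return 0;
}
```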
