
Re: [ft] Possible issue in FreeType


From: J Decker
Subject: Re: [ft] Possible issue in FreeType
Date: Wed, 27 May 2015 20:43:03 -0700



On Wed, May 27, 2015 at 3:44 PM, Guzman Mosqueda, Jose R <address@hidden> wrote:

Hi all

I'm Jose Guzman from a security team at Intel.
We're using freetype in a GNU-Linux project and I'm analyzing the code
to try to find possible issues/gaps/risks.
Since I'm not too familiar with the package yet I have a question about
one particular piece of code that could result in an invalid memory
segment read or stack fault.

Version: 2.5.5
File src/tools/apinames.c
Function: static void names_dump(...)
Line: ~186

In the case that the process flow executes code inside the "if"
statement at line 170: "if ( dot != NULL )", there is a line of code
where "dll_name" points to a local variable "temp" which becomes invalid
outside the "if" block. So in the next for loop the "dll_name" variable could
point to an invalid memory segment.

According to the standards, it should be invalid.  I have never seen a compiler that actually over-uses stack variables; or that expands the stack during a code block and collapses it at the end.  temp will always have its own space that is unused if that code is never executed.  (it should be re-used by other stack variables that are in local code blocks).. but even if it was, there's no other code that would execute to corrupt it in this case.  Stack space for variables is also only allocated at the subroutine prefix code and deallocated at the suffix.... that is the stack wouldn't expand during that code block and collapse back (at least not in any compiler implementation I've seen)...

BUT, I also wouldn't trust that, and would recommend moving the declaration of the temp variable up a code block (where const char * dot is declared).
 
I would really appreciate it if anyone could address this question and tell me
whether it is a real issue or not, since you know the package much better
and can analyze the code deeply.

Thanks in advance,
-Jose G.
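The lifetime problem discussed in the thread, as an added example that is not code from either mail or from FreeType's apinames.c: a constructed base_name() helper shows the fix the reply recommends (the buffer declared in the enclosing scope) next to a compiled-out sketch of the flawed layout. The helper names, signatures and output format are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed example, not FreeType's apinames.c. base_name() is a
 * hypothetical helper that strips the extension from a DLL name
 * ("freetype.dll" -> "freetype") into a caller-supplied buffer. */

#if 0  /* the lifetime bug described in the thread, compiled out */
static void  names_dump_flawed( const char*  dll_name, int  num_names )
{
  const char*  dot = strchr( dll_name, '.' );
  if ( dot != NULL )
  {
    char  temp[512];                 /* lifetime ends at the closing brace */
    memcpy( temp, dll_name, dot - dll_name );
    temp[dot - dll_name] = '\0';
    dll_name = temp;                 /* pointer escapes the block */
  }
  for ( int nn = 0; nn < num_names; nn++ )
    printf( "%s\n", dll_name );      /* undefined behaviour: dead stack slot */
}
#endif

/* Fix: the buffer comes from the enclosing scope, as the reply recommends,
 * so it outlives every use of the returned pointer. Returns dll_name itself
 * when there is nothing to strip (or no room), truncating rather than
 * overflowing buf. */
static const char*  base_name( const char*  dll_name, char*  buf, size_t  buflen )
{
  const char*  dot = strchr( dll_name, '.' );
  size_t       len;

  if ( dot == NULL || buflen == 0 )
    return dll_name;
  len = (size_t)( dot - dll_name );
  if ( len > buflen - 1 )
    len = buflen - 1;
  memcpy( buf, dll_name, len );
  buf[len] = '\0';
  return buf;
}

/* Mirrors the dump loop: temp is declared in this frame, valid throughout. */
static int  dump_names( FILE*  out, const char*  dll_name,
                        const char* const*  names, int  num_names )
{
  char         temp[512];
  const char*  base = base_name( dll_name, temp, sizeof ( temp ) );
  int          nn;
  for ( nn = 0; nn < num_names; nn++ )
    fprintf( out, "%s: %s\n", base, names[nn] );
  return nn;
}
```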


_______________________________________________
Freetype mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/freetype

