[Pkg-fonts-devel] Bug#550120: Found the problem
anakin at pobox.com
Wed Oct 14 19:17:32 UTC 2009
Aha. I've now managed to reproduce the problem in a debuggable
fontforge, and tracked it down.
The segfault occurs because fontforge calls a PLT entry (for
_IO_putc) with a bogus value in EBX (which should hold the GOT
address). This bogus value arises due to stack corruption in
svg_pathdump() in fontforge/svg.c. The stack corruption occurs due
to the sprintf statement on svg.c line 200, which has format string
"c%g %g %g %g %g %g" but which targets a fixed-size buffer 60 bytes
long. A float formatted using %g can easily be twelve characters
long (e.g. "-0.000123456"), so six of those with spaces in between
have no trouble overflowing the output buffer.
I attach a trivial patch to svg.c which made the problem go away for
me by simply expanding the buffer by a factor of ten.
Simon Tatham <anakin at pobox.com>
"I thought I'd put my foot so far into my mouth I wouldn't be able to sit down without standing up."
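The overflow described in the message above, as an added C example (this is not fontforge's svg.c and not the attached patch): it measures what the quoted format string "c%g %g %g %g %g %g" produces for six doubles, shows that the 60-byte buffer the report mentions is too small for the "-0.000123456" case, and puts the unbounded sprintf pattern beside a bounded snprintf replacement. The format string and the buffer size are taken from the report; the sample values and every function name are assumptions made for this demonstration.

```c
/* Added example illustrating the bug report: the format string and the
 * 60-byte buffer size are quoted from the message, everything else
 * (function names, sample values) is constructed for this demonstration
 * and is not fontforge code. Requires C99 (snprintf with NULL/0). */
#include <stdio.h>
#include <string.h>

#define CURVE_FMT "c%g %g %g %g %g %g"   /* format string quoted in the report */
#define ORIGINAL_BUF_SIZE 60             /* buffer size the report gives */

/* Constructed inputs: six harmless values, and six values that each render
 * as the 12-character "-0.000123456" mentioned in the report. */
static const double SAMPLE_BENIGN[6] = {1, 2, 3, 4, 5, 6};
static const double SAMPLE_LONG[6] = {-0.000123456, -0.000123456, -0.000123456,
                                      -0.000123456, -0.000123456, -0.000123456};

/* Bytes the formatted curve needs, excluding the terminating NUL.
 * snprintf(NULL, 0, ...) is the C99 idiom for measuring without writing. */
int curve_needed_len(const double v[6])
{
    return snprintf(NULL, 0, CURVE_FMT, v[0], v[1], v[2], v[3], v[4], v[5]);
}

/* Would the original fixed-size buffer be overrun by this input?
 * sprintf stores needed_len + 1 bytes (including the NUL), so anything
 * larger than the buffer is a stack write past the end. */
int overflows_original_buffer(const double v[6])
{
    return curve_needed_len(v) + 1 > ORIGINAL_BUF_SIZE;
}

/* Hardened form: a bounded write that reports truncation instead of
 * corrupting the stack. Returns 1 if the whole string fitted, 0 if it was
 * cut short; out is NUL-terminated either way (outsz must be >= 1). */
int format_curve(char *out, size_t outsz, const double v[6])
{
    int n = snprintf(out, outsz, CURVE_FMT, v[0], v[1], v[2], v[3], v[4], v[5]);
    return n >= 0 && (size_t)n < outsz;
}

/* Widest %g rendering of a finite double at the default precision of 6:
 * sign, six significant digits with a point, and a three-digit exponent,
 * e.g. "-1.23456e-300". Measured with snprintf rather than assumed. */
int max_g_width(void)
{
    return snprintf(NULL, 0, "%g", -1.23456e-300);
}

/* Worst-case length of the curve string: "c", six %g fields, five spaces.
 * A buffer of curve_max_len() + 1 bytes can never overflow for this format. */
int curve_max_len(void)
{
    return 1 + 6 * max_g_width() + 5;
}

/* Stand-alone run: compare both inputs against the original buffer size. */
int main(void)
{
    char buf[ORIGINAL_BUF_SIZE];
    printf("benign input needs %d bytes, long input needs %d bytes, buffer is %d\n",
           curve_needed_len(SAMPLE_BENIGN), curve_needed_len(SAMPLE_LONG),
           ORIGINAL_BUF_SIZE);
    printf("long input would overflow sprintf's buffer: %s\n",
           overflows_original_buffer(SAMPLE_LONG) ? "yes" : "no");
    printf("snprintf into %d bytes complete: %s (stored \"%s\")\n",
           ORIGINAL_BUF_SIZE,
           format_curve(buf, sizeof buf, SAMPLE_LONG) ? "yes" : "no", buf);
    printf("smallest buffer that is always safe: %d bytes\n", curve_max_len() + 1);
    return 0;
}
```

The measurement shows the arithmetic in the report: six 12-character fields plus "c" and five spaces come to 78 bytes before the NUL, against a 60-byte buffer. The worst case for the format at default precision is 84 characters plus the NUL, so a buffer expanded tenfold as in the attached patch is comfortably large; keeping the write bounded with snprintf (or the measuring call) is the check that stays correct if the format string is ever changed again.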