[Pkg-fonts-devel] Bug#1111767: sfnt2woff-zopfli: woff2sfnt and sfnt2woff blow stack on fopen error when given filenames longer than 179 bytes

наб nabijaczleweli at nabijaczleweli.xyz
Thu Aug 21 19:52:01 BST 2025


Package: sfnt2woff-zopfli
Version: 1.3.1-2
Severity: normal
Tags: patch

Dear Maintainer,

  $ woff2sfnt //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////usr/share/fonts-font-awesome/fonts/fontawesome-webfont.woffa  > /dev/null
  *** buffer overflow detected ***: terminated
  Aborted
  $ valgrind woff2sfnt //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////usr/share/fonts-font-awesome/fonts/fontawesome-webfont.woffa  > /dev/null
  ==1115459== Memcheck, a memory error detector
  ==1115459== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
  ==1115459== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
  ==1115459== Command: woff2sfnt //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////usr/share/fonts-font-awesome/fonts/fontawesome-webfont.woffa
  ==1115459==
  *** buffer overflow detected ***: terminated
  ==1115459==
  ==1115459== Process terminating with default action of signal 6 (SIGABRT)
  ==1115459==    at 0x4926EEC: __pthread_kill_implementation (pthread_kill.c:44)
  ==1115459==    by 0x48D7FB1: raise (raise.c:26)
  ==1115459==    by 0x48C2471: abort (abort.c:79)
  ==1115459==    by 0x491B42E: __libc_message (libc_fatal.c:156)
  ==1115459==    by 0x49B41C1: __fortify_fail (fortify_fail.c:26)
  ==1115459==    by 0x49B2CCF: __chk_fail (chk_fail.c:28)
  ==1115459==    by 0x4914248: _IO_str_chk_overflow (iovsprintf.c:35)
  ==1115459==    by 0x491F1F0: _IO_default_xsputn (genops.c:399)
  ==1115459==    by 0x491F1F0: _IO_default_xsputn (genops.c:370)
  ==1115459==    by 0x48FA0FE: outstring_func (vfprintf-internal.c:239)
  ==1115459==    by 0x48FA0FE: __vfprintf_internal (vfprintf-process-arg.c:421)
  ==1115459==    by 0x49142F6: __vsprintf_internal (iovsprintf.c:96)
  ==1115459==    by 0x49B27EC: __sprintf_chk (sprintf_chk.c:40)
  ==1115459==    by 0x10B2B9: ??? (in /usr/bin/woff2sfnt-zopfli)
  ==1115459==
  ==1115459== HEAP SUMMARY:
  ==1115459==     in use at exit: 0 bytes in 0 blocks
  ==1115459==   total heap usage: 1 allocs, 1 frees, 472 bytes allocated
  ==1115459==
  ==1115459== All heap blocks were freed -- no leaks are possible
  ==1115459==
  ==1115459== For lists of detected and suppressed errors, rerun with: -s
  ==1115459== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
  Aborted

sfnt2woff and woff2sfnt both carry
  const uint8_t *
  readFile(const char * name, uint32_t * len)
  {
    FILE * inFile = fopen(name, "rb");
    if (!inFile) {
      char buf[200];
      sprintf(buf, "unable to open file %s", name);
      die(buf);
    }

Best,

-- System Information:
Debian Release: 12.11
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-35-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sfnt2woff-zopfli depends on:
ii  libc6       2.36-9+deb12u10
ii  libzopfli1  1.0.3-1
ii  zlib1g      1:1.2.13.dfsg-1

sfnt2woff-zopfli recommends no packages.

sfnt2woff-zopfli suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Deduplicate-die-reportErr-readFile.patch
Type: text/x-diff
Size: 3698 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-fonts-devel/attachments/20250821/f4ffcfd1/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Don-t-blow-stack-when-fopen-fails-with-179-byte-file.patch
Type: text/x-diff
Size: 1064 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-fonts-devel/attachments/20250821/f4ffcfd1/attachment-0001.patch>
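As an added illustration of the defect quoted above (not code from the report or from the attached patches): the original readFile() writes the 20-byte prefix, the name and a NUL into a 200-byte stack buffer with an unbounded sprintf(), so a name of 180 bytes or more overruns the stack, which is what FORTIFY's __sprintf_chk aborted on. The hardened form below bounds the write with snprintf(); the helper function, the 'a'-filled names and the constant names are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Taken from the readFile() fragment quoted in the report. */
#define OPEN_ERR_PREFIX "unable to open file "   /* 20 bytes before the name */
#define ORIG_BUF_SIZE 200                        /* char buf[200] */

/* Bytes the original sprintf() stores for a name of nameLen bytes:
 * prefix + name + terminating NUL. More than ORIG_BUF_SIZE smashes the stack. */
size_t bytesOriginalWouldWrite(size_t nameLen)
{
    return (sizeof(OPEN_ERR_PREFIX) - 1) + nameLen + 1;
}

/* 20 + 179 + 1 = 200 still fits; 180 is the first name length that overflows. */
int originalOverflows(size_t nameLen)
{
    return bytesOriginalWouldWrite(nameLen) > ORIG_BUF_SIZE;
}

/* Hardened replacement: snprintf() never writes past bufSize, so an over-long
 * name is truncated instead of overrunning the buffer. Returns 1 on truncation. */
int formatOpenError(char *buf, size_t bufSize, const char *name)
{
    int n = snprintf(buf, bufSize, OPEN_ERR_PREFIX "%s", name);
    return n < 0 || (size_t)n >= bufSize;
}

/* Constructed-input driver: a name of nameLen 'a' characters formatted into a
 * 200-byte stack buffer (same size as the original) through the hardened path.
 * Returns the stored message length, negated if truncated; 0 on allocation failure. */
long hardenedOutcome(size_t nameLen)
{
    char *name = malloc(nameLen + 1);
    if (!name) return 0;
    memset(name, 'a', nameLen);
    name[nameLen] = '\0';
    char buf[ORIG_BUF_SIZE];
    int truncated = formatOpenError(buf, sizeof buf, name);
    long len = (long)strlen(buf);
    free(name);
    return truncated ? -len : len;
}

int main(void)
{
    printf("179-byte name: original writes %zu bytes (overflow=%d), hardened=%ld\n",
           bytesOriginalWouldWrite(179), originalOverflows(179), hardenedOutcome(179));
    printf("180-byte name: original writes %zu bytes (overflow=%d), hardened=%ld\n",
           bytesOriginalWouldWrite(180), originalOverflows(180), hardenedOutcome(180));
    return 0;
}
```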