Thorsten Glaser wrote:
> Hello,
>
> I first detected this on MirOS but after a phone call with a friend
> running OpenBSD on his laptop, he could verify this works for him too.
>
> Download http://switch.dl.sourceforge.net/sou...en-1.1.ttf.zip
> (a free "as in GNU" decorative font)
>
> For reference, here's the checksum:
> RMD160 (DarkGardenMK.ttf) = 8058fae7a1d284274bc0b3d0ddb0af879696d971
>
> Put that into a separate directory, for example like this:
>
> $ mkdir /tmp/x
> $ cd /tmp/x
> $ ftp http://switch.dl.sourceforge.net/sou...en-1.1.ttf.zip
> $ unzip -j darkgarden-1.1.ttf.zip darkgarden-1.1/DarkGardenMK.ttf
> $ mkfontscale
> $ mkfontdir
>
> After this, the command 'cat fonts.dir' should output the following:
> 1
> DarkGardenMK.ttf -misc-dark garden-medium-r-normal--0-0-0-0-p-0-iso10646-1
>
> $ xset +fp /tmp/x
> $ xset fp rehash
> $ xlsfonts | fgrep dark
>
> Check if it's there.
>
> $ xterm -fn '-misc-dark garden-medium-r-normal--0-0-0-0-p-0-iso10646-1
>
> Voil`, X just crashed. Find one of the following in /var/log/messages:
>
> Jul 1 21:18:26 odem X: stack overflow in function FreeTypeLoadXFont
> Jul 1 21:18:26 odem /bsd: signal 6 received by (XFree86:11539) UID(2999) EUID(2999), parent (xinit:28405) UID(2999) EUID(2999)
>
> Jul 2 00:48:08 hydrogenium X: stack overflow in function FreeTypeAddProp
>
> Sorry, the last line is cropped, thanks to a crashed X, unwilling
> mouse after restart, and IRC...
>
> Now, if you install the font via fontconfig, the command
> $ xterm -fa Dark\ Garden
> works, displays a nice xterm with a not so nice width and an
> interesting illegible font, but doesn't crash a thing. Thus,
> libfreetype is working fine, but libXfont isn't.
>
> The stuff is in XF4/xc/lib/font/FreeType/module/ (I haven't
> tested whether libXfont.so.*, built from xc/lib/font/FreeType,
> is affected too, because I don't know how to use xfs, and other
> than that, nothing appears to use it.) and I haven't got a
> clue what's going on. (Especially since in that ancient XF86
> code I'm using, the FreeTypeLoadXFont function doesn't have
> any char array, and no function beginning with FreeTypeAddProp
> exists.)
>
> On my box, this is true for freetype 2.1.8 and 2.2.1, with
> either mmap malloc or brk malloc; on 'hydrogenium', there's
> an OpenBSD/i386 3.9-current of two weeks or so ago running.
> That's a Thinkpad.
>
> Maybe there's indeed something exploitable for "the rest of
> the world" where propolice saved us again?
>
> bye,
> //mirabile

It appears that the Freetype interface code in libXfont fails to
nul-terminate strings when they get truncated in FTu2a() (and also in
FtGetEnglishName()). The attached patch fixes that.
The Dark Garden font still fails to load as a server-side font, but now
it properly returns an error to the client

Index: fttools.c
================================================== =================
RCS file: /cvs/OpenBSD/XF4/xc/lib/font/FreeType/fttools.c,v
retrieving revision 1.5
diff -u -r1.5 fttools.c
--- fttools.c 1 Jan 2006 15:32:11 -0000 1.5
+++ fttools.c 2 Jul 2006 16:53:17 -0000
@@ -77,7 +77,7 @@

n = 0;
for (i = 0; i < slen; i += 2) {
- if(n >= max)
+ if(n >= max - 1)
break;
if(HIBYTE(from+i, byte)!=0)
*to++='?';
@@ -143,9 +143,10 @@
/* Pretend that Apple Roman is ISO 8859-1. */
if(FTGetName(face, nid, TT_PLATFORM_MACINTOSH, TT_MAC_ID_ROMAN,
&name)) {
len = name.string_len;
- if(len > name_len)
- len = name_len;
+ if(len > name_len - 1)
+ len = name_len - 1;
memcpy(name_return, name.string, len);
+ name_return[len] = '\0'; /* ensure nul terminaison */
return len;
}

I'm reporting this back to X.Org.
--
Matthieu Herrb