oss-sec mailing list archives

suckless sent and libxft-dev 2.3.2-1 crash


From: "Simon ." <bofh666ftw () googlemail com>
Date: Mon, 16 Nov 2015 23:47:16 +0100

Hi,

please review whether this needs a CVE.

Greetings
Simon
.

---------- Forwarded message ----------
From: "Simon ." <bofh666ftw () googlemail com>
Date: Mon, 16 Nov 2015 23:37:57 +0100
Subject: sent segfaults Xft
To: dev () suckless org

Hi,

Installing "sent" failed for me. I needed to install libpng-dev + libxft-dev.
Running "sent" on some file:

simon@zachi3000:~/archive/sent$ file sent
sent: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically
linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32,
BuildID[sha1]=e3a0864f2be10dd5e1f749ed9443b8391d885c9b, not stripped
simon@zachi3000:~/archive/sent$ ls
arg.h         config.mk       drw.h    LICENSE   README.md  sent.o  util.o
config.def.h  core.9840.9840  drw.o    Makefile  sent       util.c
config.h      drw.c           example  nyan.png  sent.c     util.h
simon@zachi3000:~/archive/sent$ ./sent /etc/passwd
Segmentation fault (core dumped)
simon@zachi3000:~/archive/sent$ gdb -q sent
Reading symbols from sent...done.
(gdb) r /etc/passwd
Starting program: /home/sk/archive/sent/sent /etc/passwd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff74ff660 in XftCharExists ()
   from /usr/lib/x86_64-linux-gnu/libXft.so.2
(gdb) l
655                             shortcuts[i].func(&(shortcuts[i].arg));
656     }
657     
658     void configure(XEvent *e)
659     {
660             resize(e->xconfigure.width, e->xconfigure.height);
661             if (slides[idx].img)
662                     slides[idx].img->state &= ~(DRAWN | SCALED);
663             xdraw();
664     }
(gdb) disas 0x7ffff74ff660
Dump of assembler code for function XftCharExists:
=> 0x00007ffff74ff660 <+0>:     mov    0x10(%rsi),%rdi
   0x00007ffff74ff664 <+4>:     test   %rdi,%rdi
   0x00007ffff74ff667 <+7>:     je     0x7ffff74ff670 <XftCharExists+16>
   0x00007ffff74ff669 <+9>:     mov    %edx,%esi
   0x00007ffff74ff66b <+11>:    jmpq   0x7ffff74f5dc0 <FcCharSetHasChar@plt>
   0x00007ffff74ff670 <+16>:    xor    %eax,%eax
   0x00007ffff74ff672 <+18>:    retq
End of assembler dump.


Can anyone else reproduce?

Greetings
Simon
.
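As an added example (not code from sent or libXft) that reads the trace above: XftCharExists faulted on its very first instruction, "mov 0x10(%rsi),%rdi", and %rsi carries the second argument, the XftFont handle, so the application handed the library a NULL or otherwise invalid font. The mock below reproduces the leading layout of libXft's public XftFont (an assumption about 2.3.x on x86-64, checked with offsetof) to show why 0x10 is the charset member, and contrasts the library's trusting logic with a guarded caller; the charset type is a constructed toy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t bits; } MockCharSet; /* toy FcCharSet: one bit per code point 0..63 */

/* Leading layout of the public XftFont in libXft 2.3.x (assumption, verified by charset_offset) */
typedef struct {
    int ascent;
    int descent;
    int height;
    int max_advance_width;
    MockCharSet *charset;            /* lands at offset 0x10 on x86-64 */
} MockXftFont;

size_t charset_offset(void) { return offsetof(MockXftFont, charset); }

static int mock_charset_has_char(const MockCharSet *cs, uint32_t ucs4)
{
    return ucs4 < 64 && ((cs->bits >> ucs4) & 1u) != 0;
}

/* Mirrors the logic in the disassembly: the library checks font->charset for
 * NULL but trusts font itself, so a NULL font faults on "mov 0x10(%rsi),%rdi". */
int mock_XftCharExists(MockXftFont *font, uint32_t ucs4)
{
    if (font->charset)
        return mock_charset_has_char(font->charset, ucs4);
    return 0;
}

/* Defensive caller: validate the handle returned by font loading before any
 * Xft call; a NULL handle means the font failed to load, so fail cleanly. */
int safe_char_exists(MockXftFont *font, uint32_t ucs4)
{
    if (!font) {
        fprintf(stderr, "font not loaded; cannot query U+%04X\n", ucs4);
        return 0;
    }
    return mock_XftCharExists(font, ucs4);
}

int main(void)
{
    MockCharSet cs = { 1ull << 48 };                /* charset holds only '0' (U+0030) */
    MockXftFont font = { 12, 3, 15, 8, &cs };
    printf("charset offset=0x%zx has '0'=%d has '1'=%d NULL font=%d\n", charset_offset(),
           safe_char_exists(&font, 48), safe_char_exists(&font, 49), safe_char_exists(NULL, 48));
    return 0;
}
```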

