FreeType 2.5.3 PCF parsing NULL pointer dereference due to 32-bit integer overflow
Reported by mjurczyk@google.com (Project Member), Nov 6 2014
In freetype/src/pcf/pcfread.c, the following code is found:
    int  firstCol, lastCol;
    int  firstRow, lastRow;
    int  nencoding, encodingOffset;
    int  i, j, k;
    ...
    firstCol          = FT_GET_SHORT();
    lastCol           = FT_GET_SHORT();
    firstRow          = FT_GET_SHORT();
    lastRow           = FT_GET_SHORT();
    face->defaultChar = FT_GET_SHORT();
    ...
    nencoding = ( lastCol - firstCol + 1 ) * ( lastRow - firstRow + 1 );
    if ( FT_NEW_ARRAY( encoding, nencoding ) )
      return FT_THROW( Out_Of_Memory );
    ...
    for ( i = firstRow; i <= lastRow; i++ )
    {
      for ( j = firstCol; j <= lastCol; j++ )
      {
        // Load data into the "encoding" array.
Since the "firstCol", "lastCol", "firstRow", "lastRow" variables are all controlled from the input file, if we set them respectively to:
    firstCol = -32768
    lastCol  =  32767
    firstRow = -32768
    lastRow  =  32767
then the 32-bit variable will overflow as a result of a "65536 * 65536" multiplication, and will become 0. This will lead to the allocator initializing the "encoding" pointer with NULL; the pointer will later be used to write data to, resulting in a NULL pointer dereference and an application crash:
ASAN:SIGSEGV
=================================================================
==1143== ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0xf6091fe9 sp 0xff819ab0 bp 0xff819bf8 T0)
AddressSanitizer can not provide additional info.
#0 0xf6091fe8 in pcf_get_encodings freetype2/src/pcf/pcfread.c:841
#1 0xf6093a49 in pcf_load_font freetype2/src/pcf/pcfread.c:1134
#2 0xf6095826 in PCF_Face_Init freetype2/src/pcf/pcfdrivr.c:274
#3 0xf5f9f1d7 in open_face freetype2/src/base/ftobjs.c:1191
#4 0xf5fa27ea in FT_Open_Face freetype2/src/base/ftobjs.c:2123
#5 0xf5f9f4ff in FT_New_Face freetype2/src/base/ftobjs.c:1254
#6 0x804b5a8 in get_face ft2demos-2.5.3/src/ftbench.c:705
#7 0x804bc64 in main ft2demos-2.5.3/src/ftbench.c:924
SUMMARY: AddressSanitizer: SEGV freetype2/src/pcf/pcfread.c:841 pcf_get_encodings
==1143== ABORTING
The attached "poc.pcf" sample can be used to reproduce the behavior.
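The root cause in the report is a product of four input-controlled 16-bit fields computed in a 32-bit int with no range check, so a wrapped count of 0 reaches the allocator. The example below is added here and is not FreeType's code: it reproduces the wrapped product in unsigned 32-bit arithmetic (where wraparound is well-defined, unlike signed int overflow) and shows a range-checked replacement that rejects negative, inverted or over-wide bounds before any allocation happens. The function names, the error enum and the 0..255 bound on each row/column value are this example's assumptions, not FreeType's identifiers or its actual upstream fix.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Error codes for this example only (hypothetical; not FreeType's FT_Err_* values). */
enum {
    PCF_OK = 0,
    PCF_ERR_INVALID_TABLE = 1,
    PCF_ERR_OUT_OF_MEMORY = 2
};

/* Mirror the unchecked arithmetic from the report, but in uint32_t so the
 * wraparound is well-defined and observable: 65536 * 65536 wraps to 0. */
uint32_t unchecked_nencoding_u32(int firstCol, int lastCol, int firstRow, int lastRow)
{
    uint32_t cols = (uint32_t)(lastCol - firstCol + 1);  /* 65536 for the report's values */
    uint32_t rows = (uint32_t)(lastRow - firstRow + 1);  /* 65536 for the report's values */
    return cols * rows;                                  /* 2^32 mod 2^32 == 0 */
}

/* Validate the four bounds before computing anything. Negative, inverted or
 * over-wide ranges are rejected; the 0..255 limit is this example's assumption
 * about how wide a PCF row/column value may be. */
int pcf_encoding_count(int firstCol, int lastCol, int firstRow, int lastRow, long *nencoding)
{
    if (firstCol < 0 || firstCol > lastCol || lastCol > 0xFF ||
        firstRow < 0 || firstRow > lastRow || lastRow > 0xFF)
        return PCF_ERR_INVALID_TABLE;

    /* Each range now has 1..256 entries, so the product is in 1..65536:
     * it cannot overflow and cannot be zero. */
    *nencoding = (long)(lastCol - firstCol + 1) * (long)(lastRow - firstRow + 1);
    return PCF_OK;
}

/* Allocate only for a validated, non-zero count, so a wrapped count can never
 * turn into a NULL pointer that the caller treats as a successful allocation. */
int *pcf_alloc_encoding(int firstCol, int lastCol, int firstRow, int lastRow, int *err)
{
    long n = 0;
    *err = pcf_encoding_count(firstCol, lastCol, firstRow, lastRow, &n);
    if (*err != PCF_OK)
        return NULL;

    int *encoding = calloc((size_t)n, sizeof *encoding);
    if (encoding == NULL) {
        *err = PCF_ERR_OUT_OF_MEMORY;
        return NULL;
    }
    return encoding;
}

int main(void)
{
    /* Constructed inputs: the report's crashing values and a typical ASCII range. */
    int err = 0;

    printf("unchecked product for the report's values: %u\n",
           (unsigned)unchecked_nencoding_u32(-32768, 32767, -32768, 32767));

    int *enc = pcf_alloc_encoding(-32768, 32767, -32768, 32767, &err);
    printf("checked, report's values: encoding=%s err=%d\n", enc ? "non-NULL" : "NULL", err);
    free(enc);

    enc = pcf_alloc_encoding(32, 126, 0, 0, &err);
    printf("checked, ASCII 32..126: encoding=%s err=%d\n", enc ? "non-NULL" : "NULL", err);
    free(enc);
    return 0;
}
```

The design point is that the check runs on the raw fields before any arithmetic, so the product is computed only over values whose bounds are already known; a check placed after the multiplication (for example testing `nencoding == 0`) would still leave the signed overflow itself undefined behaviour.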
Comment 1 by mjurczyk@google.com (Project Member), Nov 6 2014, Nov 7 2014, Jan 26 2015

All fixed by upstream:

FreeType 2.5.5, 2014-12-30: FreeType 2.5.5 has been released. This is a minor bug fix release: all users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4, 2014-12-06: FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts. The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.

Feb 25 2015, Apr 20 2015