FreeType 2.5.3 SFNT parsing integer overflows
Reported by mjurczyk@google.com (Project Member), Nov 12 2014
In the freetype/src/sfnt/ttload.c file responsible for handling SFNT tables, there are potential integer overflow conditions in the following code snippets:
    /* we ignore invalid tables */
    if ( table.Offset + table.Length > stream->size )
    {
      FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
      continue;
    }
    else
      valid_entries++;
and
    /* ignore invalid tables */
    if ( entry->Offset + entry->Length > stream->size )
      continue;
    else
    {
      FT_TRACE2(( "  %c%c%c%c  %08lx  %08lx  %08lx\n",
                  (FT_Char)( entry->Tag >> 24 ),
                  (FT_Char)( entry->Tag >> 16 ),
                  (FT_Char)( entry->Tag >> 8  ),
                  (FT_Char)( entry->Tag       ),
                  entry->Offset,
                  entry->Length,
                  entry->CheckSum ));
      entry++;
    }
Since both the "Offset" and "Length" fields are fully controlled 32-bit unsigned integers, their sum can wrap around on 32-bit builds of FreeType, effectively bypassing the sanity checks above.
The full consequence of not correctly filtering out such malformed tables is not fully understood; we assume, however, that the worst that could happen as a result of this issue is an out-of-bounds read from a table whose header claims an enormous size (while the actual data is much smaller). We believe that installing proper bounds checking is a good defense-in-depth measure to prevent further bugs related to such bogus table headers.
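The wrap-around described above, shown side by side with an overflow-safe form of the check. This is an added illustration, not FreeType's code: the `table_entry` struct, the two `entry_in_bounds_*` functions and the sample values are constructed here, and `uint32_t` stands in for the 32-bit `FT_ULong` of a 32-bit build.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of an SFNT table directory entry. On 32-bit FreeType
 * builds FT_ULong is 32 bits wide; uint32_t emulates that on any host. */
typedef struct {
    uint32_t offset;
    uint32_t length;
} table_entry;

/* The check as written on the page: offset + length is computed in 32-bit
 * unsigned arithmetic, so a huge offset plus a length wraps to a small
 * value and the entry passes. */
bool entry_in_bounds_unsafe(table_entry e, uint32_t stream_size)
{
    return (uint32_t)(e.offset + e.length) <= stream_size;
}

/* Hardened check: reject when the offset alone is past the end, then
 * compare the length against the bytes that remain. No addition is
 * performed, so nothing can wrap. */
bool entry_in_bounds_safe(table_entry e, uint32_t stream_size)
{
    if (e.offset > stream_size)
        return false;
    return e.length <= stream_size - e.offset;
}

int main(void)
{
    uint32_t stream_size = 0x1000;                 /* constructed file size */
    table_entry bogus = { 0xFFFFFF00u, 0x200u };   /* sum wraps to 0x100    */
    table_entry fine  = { 0x100u, 0x200u };        /* genuinely in range    */

    printf("bogus entry: unsafe=%d safe=%d\n",
           entry_in_bounds_unsafe(bogus, stream_size),
           entry_in_bounds_safe(bogus, stream_size));
    printf("fine entry:  unsafe=%d safe=%d\n",
           entry_in_bounds_unsafe(fine, stream_size),
           entry_in_bounds_safe(fine, stream_size));
    return 0;
}
```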
Comment 1 by mjurczyk@google.com (Project Member), Nov 12 2014
All fixed by upstream:

FreeType 2.5.5 (2014-12-30)
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4 (2014-12-06)
FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts. The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.