Status: Fixed
Closed: Nov 2014
FreeType 2.5.3 Type42 parsing out-of-bounds read in "ps_table_add"
Project Member Reported by mjurczyk@google.com, Nov 21 2014
The following heap-based out-of-bounds memory read has been encountered in FreeType while fuzzing Type42 fonts. It has been reproduced with the current version of freetype2 from the master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==5849==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000e3bf at pc 0xa9c3ec bp 0x7fff3b0c6570 sp 0x7fff3b0c6568
READ of size 2 at 0x63000000e3bf thread T0
    #0 0xa9c3eb in ps_table_add freetype2/src/psaux/psobjs.c:216
    #1 0x7d4b41 in t42_parse_charstrings freetype2/src/type42/t42parse.c:871
    #2 0x7cc130 in t42_load_keyword freetype2/src/type42/t42parse.c:1007
    #3 0x7ca971 in t42_parse_dict freetype2/src/type42/t42parse.c:1154
    #4 0x7c4df8 in T42_Open_Face freetype2/src/type42/t42objs.c:57
    #5 0x7ba9ab in T42_Face_Init freetype2/src/type42/t42objs.c:196
    #6 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #7 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #8 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #9 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #10 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

0x63000000e3bf is located 0 bytes to the right of 57279-byte region [0x630000000400,0x63000000e3bf)
allocated by thread T0 here:
    #0 0x472081 in __interceptor_malloc (ft2demos-2.5.3/bin/ftbench+0x472081)
    #1 0xaf265f in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x526b21 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x4aee0f in ft_mem_alloc freetype2/src/base/ftutil.c:55
    #4 0x7c7f51 in t42_parser_init freetype2/src/type42/t42parse.c:206
    #5 0x7c4c30 in T42_Open_Face freetype2/src/type42/t42objs.c:50
    #6 0x7ba9ab in T42_Face_Init freetype2/src/type42/t42objs.c:196
    #7 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #8 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #9 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #10 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #11 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/psaux/psobjs.c:216 ps_table_add
Shadow bytes around the buggy address:
  0x0c607fff9c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c607fff9c70: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
  0x0c607fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5849==ABORTING

Attached POC files:
asan_heap-oob_a767ee_5407_cov_532226128_ecliptic.t42 (35.3 KB)
asan_heap-oob_a767ee_3271_cov_3357614757_bobcaygr.t42 (31.4 KB)
asan_heap-oob_a767ee_2737_cov_3928323887_aspartam.t42 (55.9 KB)
Project Member Comment 1 by mjurczyk@google.com, Nov 21 2014
Summary: FreeType 2.5.3 Type42 parsing out-of-bounds read in "ps_table_add" (was: FreeType 2.5.3 Type42 parsing out-of-bounds read)
Project Member Comment 2 by mjurczyk@google.com, Nov 21 2014
Reported in https://savannah.nongnu.org/bugs/?43655.
Project Member Comment 4 by mjurczyk@google.com, Nov 23 2014
Status: New
Reopening, as the same crash still appears to reproduce (with a different set of POC samples).
Comment 6 by cevans@google.com, Jan 26 2015
Labels: -Restrict-View-Commit
All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.


Project Member Comment 7 by mjurczyk@google.com, Feb 25 2015
Labels: CVE-2014-9664
Project Member Comment 8 by mjurczyk@google.com, Apr 20 2015
Labels: Fixed-2014-Nov-24