FreeType 2.5.3 CFF CharString parsing heap-based buffer overflow in "cff_builder_add_point"
Project Member Reported by mjurczyk@google.com, Nov 21 2014
The following heap-based out-of-bounds memory write has been encountered in FreeType while fuzzing OTF fonts. It has been reproduced with the current version of freetype2 from the master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:
$ ftbench <file>
Attached are three POC files which trigger the condition.
=================================================================
==5718==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4736a69780 at pc 0x741f52 bp 0x7fff23cea610 sp 0x7fff23cea608
WRITE of size 8 at 0x7f4736a69780 thread T0
#0 0x741f51 in cff_builder_add_point freetype2/src/cff/cffgload.c:504
#1 0x7409eb in cf2_builder_cubeTo freetype2/src/cff/cf2ft.c:197
#2 0x72977a in cf2_glyphpath_pushPrevElem freetype2/src/cff/cf2hints.c:1336
#3 0x70820a in cf2_glyphpath_curveTo freetype2/src/cff/cf2hints.c:1782
#4 0x6f0f5c in cf2_interpT2CharString freetype2/src/cff/cf2intrp.c:720
#5 0x6e8570 in cf2_getGlyphOutline freetype2/src/cff/cf2font.c:469
#6 0x6e4c5e in cf2_decoder_parse_charstrings freetype2/src/cff/cf2ft.c:367
#7 0x6da446 in cff_slot_load freetype2/src/cff/cffgload.c:2840
#8 0x69dbcc in cff_glyph_load freetype2/src/cff/cffdrivr.c:185
#9 0x4a427e in FT_Load_Glyph freetype2/src/base/ftobjs.c:726
#10 0x491d69 in test_load ft2demos-2.5.3/src/ftbench.c:249
#11 0x492b51 in benchmark ft2demos-2.5.3/src/ftbench.c:216
#12 0x48e962 in main ft2demos-2.5.3/src/ftbench.c:1020
0x7f4736a69780 is located 0 bytes to the right of 524160-byte region [0x7f47369e9800,0x7f4736a69780)
allocated by thread T0 here:
#0 0x47231b in realloc (ft2demos-2.5.3/bin/ftbench+0x47231b)
#1 0xaf2961 in ft_realloc freetype2/src/base/ftsystem.c:107
#2 0x5359a6 in ft_mem_qrealloc freetype2/src/base/ftutil.c:155
#3 0x4b1331 in ft_mem_realloc freetype2/src/base/ftutil.c:102
#4 0x4b2cfe in FT_GlyphLoader_CheckPoints freetype2/src/base/ftgloadr.c:225
#5 0x7417e6 in cff_check_points freetype2/src/cff/cffgload.c:472
#6 0x7408f1 in cf2_builder_cubeTo freetype2/src/cff/cf2ft.c:195
#7 0x72977a in cf2_glyphpath_pushPrevElem freetype2/src/cff/cf2hints.c:1336
#8 0x70820a in cf2_glyphpath_curveTo freetype2/src/cff/cf2hints.c:1782
#9 0x6f0f5c in cf2_interpT2CharString freetype2/src/cff/cf2intrp.c:720
#10 0x6e8570 in cf2_getGlyphOutline freetype2/src/cff/cf2font.c:469
#11 0x6e4c5e in cf2_decoder_parse_charstrings freetype2/src/cff/cf2ft.c:367
#12 0x6da446 in cff_slot_load freetype2/src/cff/cffgload.c:2840
#13 0x69dbcc in cff_glyph_load freetype2/src/cff/cffdrivr.c:185
#14 0x4a427e in FT_Load_Glyph freetype2/src/base/ftobjs.c:726
#15 0x491d69 in test_load ft2demos-2.5.3/src/ftbench.c:249
#16 0x492b51 in benchmark ft2demos-2.5.3/src/ftbench.c:216
#17 0x48e962 in main ft2demos-2.5.3/src/ftbench.c:1020
SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/cff/cffgload.c:504 cff_builder_add_point
Shadow bytes around the buggy address:
==5718==ABORTING
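As an added defender's example (not part of this report or of FreeType), a small Python triage parser run over a constructed excerpt of the ASan report above: it pulls out the bug class, access kind and size, the distance from the overflowed region, the faulting and allocating stacks, and derives a dedup bucket the way a fuzzing dashboard would. The embedded report text is constructed from the lines quoted above with the deeper frames trimmed.

```python
import re
from itertools import takewhile

# Constructed excerpt of the AddressSanitizer report quoted in this issue (deeper frames trimmed).
ASAN_REPORT = """\
==5718==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4736a69780 at pc 0x741f52 bp 0x7fff23cea610 sp 0x7fff23cea608
WRITE of size 8 at 0x7f4736a69780 thread T0
    #0 0x741f51 in cff_builder_add_point freetype2/src/cff/cffgload.c:504
    #1 0x7409eb in cf2_builder_cubeTo freetype2/src/cff/cf2ft.c:197
    #2 0x72977a in cf2_glyphpath_pushPrevElem freetype2/src/cff/cf2hints.c:1336
0x7f4736a69780 is located 0 bytes to the right of 524160-byte region [0x7f47369e9800,0x7f4736a69780)
allocated by thread T0 here:
    #0 0x47231b in realloc (ft2demos-2.5.3/bin/ftbench+0x47231b)
    #1 0xaf2961 in ft_realloc freetype2/src/base/ftsystem.c:107
    #2 0x5359a6 in ft_mem_qrealloc freetype2/src/base/ftutil.c:155
    #3 0x4b1331 in ft_mem_realloc freetype2/src/base/ftutil.c:102
    #4 0x4b2cfe in FT_GlyphLoader_CheckPoints freetype2/src/base/ftgloadr.c:225
SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/cff/cffgload.c:504 cff_builder_add_point
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
LOCATED_RE = re.compile(r"located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_frames(lines):
    """(function, location) pairs from the run of '#N ...' lines at the start of `lines`."""
    matches = takewhile(bool, (FRAME_RE.search(line) for line in lines))
    return [(m.group(1), m.group(2)) for m in matches]

def triage(report):
    """Pull the fields a crash-triage pipeline keys on out of one ASan report."""
    lines = report.splitlines()
    info = {"access_stack": [], "alloc_stack": []}
    info["bug_type"], info["address"] = ERROR_RE.search(report).groups()
    offset, side, region = LOCATED_RE.search(report).groups()
    info.update(offset=int(offset), side=side, region_size=int(region))
    for i, line in enumerate(lines):
        m = ACCESS_RE.match(line)
        if m:  # access kind and size; the faulting stack follows directly below
            info["access"], info["size"] = m.group(1), int(m.group(2))
            info["access_stack"] = parse_frames(lines[i + 1:])
        elif line.startswith("allocated by"):  # allocation site of the overflowed region
            info["alloc_stack"] = parse_frames(lines[i + 1:])
    # Dedup key: top three faulting frames, the way fuzzing dashboards bucket crashes.
    info["bucket"] = "/".join(f for f, _ in info["access_stack"][:3])
    # First allocating frame outside the allocator wrappers: the buffer whose capacity check to audit.
    info["sizer"] = next((f for f, _ in info["alloc_stack"] if not f.endswith("realloc")), None)
    return info
```

On this report the allocating frame outside the allocator wrappers is FT_GlyphLoader_CheckPoints, reached from cff_check_points at cf2ft.c:195, two lines above the faulting add at cf2ft.c:197 in cf2_builder_cubeTo; an 8-byte write landing 0 bytes past a region sized by that check is the capacity accounting to audit first.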
Comment 1 by mjurczyk@google.com (Project Member), Nov 21 2014
Reported in https://savannah.nongnu.org/bugs/?43658.

Comment, Nov 23 2014

Comment, Jan 26 2015
All fixed by upstream:

FreeType 2.5.5 2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4 2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts. The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.

Comment, Feb 25 2015

Comment, Apr 20 2015