|
|
FreeType 2.5.3 Type42 parsing use-after-free in "FT_Stream_TryRead" (embedded BDF loading) | ||||||
| Project Member Reported by mjurczyk@google.com, Nov 21 2014 | Back to list | ||||||
The following use-after-free condition has been encountered in FreeType while fuzzing Type42 fonts. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:
$ ftbench <file>
Attached is a POC file which triggers the condition.
=================================================================
==6948==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f00000f07f at pc 0x524983 bp 0x7fffecb369f0 sp 0x7fffecb369e8
READ of size 2048 at 0x61f00000f07f thread T0
#0 0x524982 in FT_Stream_TryRead freetype2/src/base/ftstream.c:182
#1 0x82b879 in _bdf_readstream freetype2/src/bdf/bdflib.c:716
#2 0x820895 in bdf_load_font freetype2/src/bdf/bdflib.c:2404
#3 0x813c7a in BDF_Face_Init freetype2/src/bdf/bdfdrivr.c:364
#4 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
#5 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
#6 0x7bc3ab in T42_Face_Init freetype2/src/type42/t42objs.c:300
#7 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
#8 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
#9 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
#10 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
#11 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924
0x61f00000f07f is located 511 bytes inside of 3072-byte region [0x61f00000ee80,0x61f00000fa80)
freed by thread T0 here:
#0 0x471e61 in free (ft2demos-2.5.3/bin/ftbench+0x471e61)
#1 0xaf2b78 in ft_free freetype2/src/base/ftsystem.c:130
#2 0x4b04a0 in ft_mem_free freetype2/src/base/ftutil.c:172
#3 0xa9c898 in ps_table_release freetype2/src/psaux/psobjs.c:271
#4 0x7cb3a3 in t42_loader_done freetype2/src/type42/t42parse.c:1203
#5 0x7c6aa5 in T42_Open_Face freetype2/src/type42/t42objs.c:149
#6 0x7ba9ab in T42_Face_Init freetype2/src/type42/t42objs.c:196
#7 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
#8 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
#9 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
#10 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
#11 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924
previously allocated by thread T0 here:
#0 0x472081 in __interceptor_malloc (ft2demos-2.5.3/bin/ftbench+0x472081)
#1 0xaf265f in ft_alloc freetype2/src/base/ftsystem.c:74
#2 0x526b21 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
#3 0x4aee0f in ft_mem_alloc freetype2/src/base/ftutil.c:55
#4 0xae4c19 in reallocate_t1_table freetype2/src/psaux/psobjs.c:125
#5 0xa9bc38 in ps_table_add freetype2/src/psaux/psobjs.c:205
#6 0x7d0e34 in t42_parse_encoding freetype2/src/type42/t42parse.c:450
#7 0x7cc130 in t42_load_keyword freetype2/src/type42/t42parse.c:1007
#8 0x7ca971 in t42_parse_dict freetype2/src/type42/t42parse.c:1154
#9 0x7c4df8 in T42_Open_Face freetype2/src/type42/t42objs.c:57
#10 0x7ba9ab in T42_Face_Init freetype2/src/type42/t42objs.c:196
#11 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
#12 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
#13 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
#14 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
#15 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924
SUMMARY: AddressSanitizer: heap-use-after-free freetype2/src/base/ftstream.c:182 FT_Stream_TryRead
Shadow bytes around the buggy address:
0x0c3e7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff9dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff9de0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff9df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3e7fff9e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
0x0c3e7fff9e10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff9e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff9e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff9e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff9e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==6948==ABORTING
Project Member
Comment 1
by
mjurczyk@google.com,
Nov 21 2014
,
Nov 22 2014
,
Jan 26 2015
All fixed by upstream: FreeType 2.5.5 2014-12-30 FreeType 2.5.5 has been released. This is a minor bug fix release: All users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed. FreeType 2.5.4 2014-12-06 FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts. The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.
,
Feb 25 2015
,
Apr 20 2015
,
Nov 15 2015
The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. http://www.wdfshare.com |
|||||||
| ► Sign in to add a comment | |||||||
