FreeType 2.5.3 BDF parsing NULL pointer dereference in "_bdf_parse_glyphs"
Reported by mjurczyk@google.com (Project Member), Nov 21 2014
The following NULL pointer dereference crash has been encountered in FreeType while fuzzing BDF fonts. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:
$ ftbench <file>
Attached are two POC files which trigger the condition.
ASAN:SIGSEGV
=================================================================
==8204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000084e7af sp 0x7fffb35ceba0 bp 0x7fffb35cffb0 T0)
#0 0x84e7ae in _bdf_parse_glyphs freetype2/src/bdf/bdflib.c:1789
#1 0x82cf2b in _bdf_readstream freetype2/src/bdf/bdflib.c:787
#2 0x820895 in bdf_load_font freetype2/src/bdf/bdflib.c:2404
#3 0x813c7a in BDF_Face_Init freetype2/src/bdf/bdfdrivr.c:364
#4 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
#5 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
#6 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
#7 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
#8 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV freetype2/src/bdf/bdflib.c:1789 _bdf_parse_glyphs
==8204==ABORTING
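The report above is the kind of artifact a fuzzing pipeline produces by the hundreds, so the practical defender's task is triage: classify the fault (a fault address of 0x0 is a NULL dereference, not a controlled memory write), find the first frame inside the library under test rather than the harness, and derive a deduplication key. The following Python helper is an added example written for this page; it is not code from the bug report or from the FreeType project. It embeds the AddressSanitizer output quoted above as a constructed sample, and it assumes the usual 4 KiB unmapped zero page when deciding whether a fault address is NULL-like; `project_prefix` is a parameter chosen here, not anything the report defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample for an offline run: the AddressSanitizer report quoted in this
# bug, harness frames (ftbench) included so the project-frame filter has work to do.
SAMPLE_REPORT = """\
ASAN:SIGSEGV
=================================================================
==8204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000084e7af sp 0x7fffb35ceba0 bp 0x7fffb35cffb0 T0)
    #0 0x84e7ae in _bdf_parse_glyphs freetype2/src/bdf/bdflib.c:1789
    #1 0x82cf2b in _bdf_readstream freetype2/src/bdf/bdflib.c:787
    #2 0x820895 in bdf_load_font freetype2/src/bdf/bdflib.c:2404
    #3 0x813c7a in BDF_Face_Init freetype2/src/bdf/bdfdrivr.c:364
    #4 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #5 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #6 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #7 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #8 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV freetype2/src/bdf/bdflib.c:1789 _bdf_parse_glyphs
==8204==ABORTING
"""

# Faults below the first page are almost always NULL (or NULL plus a small struct
# offset) rather than an attacker-steered address. Assumption: a 4 KiB zero page,
# which is the common Linux/BSD default.
NULL_PAGE_LIMIT = 0x1000

# "SEGV on unknown address 0x..." and "heap-buffer-overflow on address 0x..." both match.
ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)"
)
FRAME_RE = re.compile(
    r"#(?P<n>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<file>\S+?):(?P<line>\d+)"
)


@dataclass
class Frame:
    index: int
    func: str
    file: str
    line: int

    def location(self) -> str:
        return f"{self.file}:{self.line}"


@dataclass
class Triage:
    kind: str
    fault_address: int
    frames: List[Frame]
    crash_site: Optional[Frame]  # innermost frame inside the project under test

    @property
    def null_deref(self) -> bool:
        return self.fault_address < NULL_PAGE_LIMIT

    def signature(self) -> str:
        """Dedup key for a fuzzing corpus: bug class plus the project frame that hit it."""
        site = self.crash_site.location() if self.crash_site else "unknown"
        bug_class = "null-deref" if self.null_deref else "other"
        return f"{self.kind}|{bug_class}|{site}"


def triage_asan(report: str, project_prefix: str) -> Triage:
    """Parse one ASan report and locate the first frame whose path starts with project_prefix."""
    m = ERROR_RE.search(report)
    if m is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    frames = [
        Frame(int(f["n"]), f["func"], f["file"], int(f["line"]))
        for f in FRAME_RE.finditer(report)
    ]
    # Frames are listed innermost-first, so the first one under the prefix is the
    # faulting library code even when a harness such as ftbench sits below it.
    site = next((fr for fr in frames if fr.file.startswith(project_prefix)), None)
    return Triage(m["kind"], int(m["addr"], 16), frames, site)


if __name__ == "__main__":
    t = triage_asan(SAMPLE_REPORT, project_prefix="freetype2/")
    print(t.signature())
    for fr in t.frames:
        print(f"  #{fr.index} {fr.func} {fr.location()}")
```

Running it on the sample yields the key `SEGV|null-deref|freetype2/src/bdf/bdflib.c:1789`, which is what you would group the two attached POC files under; a second crash with the same key is the same bug, while a SEGV at a high or attacker-influenced address would get a different class and deserves a closer look.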
Comment 1 by mjurczyk@google.com (Project Member)
Nov 21 2014, Nov 23 2014, Jan 26 2015
All fixed by upstream:

FreeType 2.5.5, 2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: all users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4, 2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts. The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.

Feb 25 2015, Apr 20 2015