FreeType 2.5.3 SFNT kern parsing out-of-bounds read in "tt_face_load_kern"
Reported by mjurczyk@google.com (Project Member), Nov 23 2014
The following heap-based out-of-bounds memory read has been encountered in FreeType while fuzzing TrueType fonts. It has been reproduced with the current version of freetype2 from the master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:
$ ftbench <file>
Attached is a POC file which triggers the condition.
=================================================================
==8289==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400000dd92 at pc 0x8b5338 bp 0x7fffab13c8b0 sp 0x7fffab13c8a8
READ of size 1 at 0x62400000dd92 thread T0
#0 0x8b5337 in tt_face_load_kern freetype2/src/sfnt/ttkern.c:141
#1 0x8a5048 in sfnt_load_face freetype2/src/sfnt/sfobjs.c:1166
#2 0x55f099 in tt_face_init freetype2/src/truetype/ttobjs.c:563
#3 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
#4 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
#5 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
#6 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
#7 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924
0x62400000dd92 is located 0 bytes to the right of 7314-byte region [0x62400000c100,0x62400000dd92)
allocated by thread T0 here:
#0 0x472081 in __interceptor_malloc (ft2demos-2.5.3/bin/ftbench+0x472081)
#1 0xaf3a2f in ft_alloc freetype2/src/base/ftsystem.c:74
#2 0x526b21 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
#3 0x525591 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:267
#4 0x524d51 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200
#5 0x8b3a93 in tt_face_load_kern freetype2/src/sfnt/ttkern.c:68
#6 0x8a5048 in sfnt_load_face freetype2/src/sfnt/sfobjs.c:1166
#7 0x55f099 in tt_face_init freetype2/src/truetype/ttobjs.c:563
#8 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
#9 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
#10 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
#11 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
#12 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924
SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttkern.c:141 tt_face_load_kern
Shadow bytes around the buggy address:
0x0c487fff9b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c487fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c487fff9b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c487fff9b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c487fff9ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c487fff9bb0: 00 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c487fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==8289==ABORTING
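The trace above places the read in the kern-subtable walk of tt_face_load_kern, inside a frame whose size was taken from the font's own header, so every count and length the parser trusts comes from attacker-controlled bytes. The following is an added illustration of the defensive pattern, not FreeType's code and not the fix shipped in 2.5.4: a parser for the version-0 'kern' layout (4-byte header, then subtables of version/length/coverage, with format-0 horizontal subtables carrying nPairs and 6-byte pair records) that checks each declared size against the bytes actually present before using it. The sample bytes are constructed here and are not from the attached PoC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian uint16 read; callers verify two bytes are available first. */
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Walk a version-0 'kern' table. Every size the font declares is checked
 * against the bytes actually present before it is used. Returns the number
 * of format-0 horizontal pairs accepted, or -1 as soon as a declared size
 * does not fit inside the buffer or its own subtable. */
long parse_kern_table(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf;
    const uint8_t *limit = buf + len;
    unsigned n_tables, i;
    long total = 0;

    if (len < 4)                          /* header: version, nTables */
        return -1;
    p += 2;                               /* table version, not needed here */
    n_tables = be16(p);
    p += 2;

    for (i = 0; i < n_tables; i++) {
        const uint8_t *start = p, *next;
        unsigned length, coverage, n_pairs;

        if ((size_t)(limit - p) < 6)      /* subtable header: version, length, coverage */
            return -1;
        p += 2;
        length   = be16(p); p += 2;
        coverage = be16(p); p += 2;

        /* length counts from the subtable start and includes its 6-byte
         * header: shorter could not be stepped over, longer than the
         * remaining buffer would put 'next' past the end */
        if (length < 6 || length > (size_t)(limit - start))
            return -1;
        next = start + length;

        /* coverage: high byte is the format, bit 0 marks horizontal data */
        if ((coverage >> 8) != 0 || (coverage & 1) == 0) {
            p = next;                     /* skip formats not handled here */
            continue;
        }

        if ((size_t)(next - p) < 8)       /* nPairs, searchRange, entrySelector, rangeShift */
            return -1;
        n_pairs = be16(p);
        p += 8;

        /* the pair array must fit inside its own subtable; size_t arithmetic
         * keeps the multiplication from wrapping on any platform */
        if ((size_t)n_pairs * 6 > (size_t)(next - p))
            return -1;

        /* the n_pairs (left, right, value) records at p are now provably in
         * bounds and may be read; this example only counts them */
        total += n_pairs;
        p = next;                         /* honour declared length, not bytes consumed */
    }
    return total;
}

/* Constructed sample: version 0, one format-0 horizontal subtable of
 * length 26 holding two kerning pairs (30 bytes in total). */
static const uint8_t good_kern[] = {
    0x00,0x00, 0x00,0x01,                         /* version 0, nTables 1 */
    0x00,0x00, 0x00,0x1A, 0x00,0x01,              /* subtable version 0, length 26, coverage 0x0001 */
    0x00,0x02, 0x00,0x0C, 0x00,0x01, 0x00,0x00,   /* nPairs 2, searchRange, entrySelector, rangeShift */
    0x00,0x24, 0x00,0x25, 0xFF,0xD8,              /* left 36, right 37, value -40 */
    0x00,0x29, 0x00,0x2A, 0xFF,0xF6,              /* left 41, right 42, value -10 */
};

/* Constructed malformed variant: nPairs claims 1000 while the subtable and
 * buffer keep their real size; a parser trusting nPairs would read 6000
 * bytes out of a 30-byte buffer. */
long parse_bad_pair_count(void)
{
    uint8_t buf[sizeof good_kern];
    memcpy(buf, good_kern, sizeof buf);
    buf[10] = 0x03; buf[11] = 0xE8;               /* nPairs = 1000 */
    return parse_kern_table(buf, sizeof buf);
}

int main(void)
{
    printf("well-formed:    %ld pairs\n", parse_kern_table(good_kern, sizeof good_kern));
    printf("bad pair count: %ld\n", parse_bad_pair_count());
    printf("truncated:      %ld\n", parse_kern_table(good_kern, 20));
    return 0;
}
```

Rejecting a subtable outright is the strict choice; a parser that wants to stay lenient with broken fonts can instead clamp n_pairs to what fits in the subtable, which is the same check with a different outcome. Either way the check must be made against the bytes present, never against the count the font supplies.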
Comment 1 by mjurczyk@google.com (Project Member), Nov 23 2014, Nov 24 2014, Jan 26 2015
All fixed by upstream:

FreeType 2.5.5
2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4
2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts. The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.

Feb 25 2015, Apr 20 2015