The following heap-based out-of-bounds memory read has been encountered in FreeType while fuzzing OpenType fonts. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:

$ ftbench <file>

Attached is a POC file which triggers the condition.

=================================================================
==12771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000bf76 at pc 0x8ccd60 bp 0x7fff465de830 sp 0x7fff465de828
READ of size 1 at 0x60800000bf76 thread T0
    #0 0x8ccd5f in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1178
    #1 0x8b7f2d in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1412
    #2 0x6d6c3a in cff_slot_load freetype2/src/cff/cffgload.c:2670
    #3 0x69dbcc in cff_glyph_load freetype2/src/cff/cffdrivr.c:185
    #4 0x4a427e in FT_Load_Glyph freetype2/src/base/ftobjs.c:726
    #5 0x491d69 in test_load ft2demos-2.5.3/src/ftbench.c:249
    #6 0x492b51 in benchmark ft2demos-2.5.3/src/ftbench.c:216
    #7 0x48e962 in main ft2demos-2.5.3/src/ftbench.c:1020

0x60800000bf76 is located 2 bytes to the right of 84-byte region [0x60800000bf20,0x60800000bf74)
allocated by thread T0 here:
    #0 0x472081 in __interceptor_malloc (ft2demos-2.5.3/bin/ftbench+0x472081)
    #1 0xaf3a2f in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x526b21 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x525591 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:267
    #4 0x524d51 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200
    #5 0x8c01f1 in tt_face_load_sbit freetype2/src/sfnt/ttsbit.c:97
    #6 0x8a44b2 in sfnt_load_face freetype2/src/sfnt/sfobjs.c:1142
    #7 0x691bce in cff_face_init freetype2/src/cff/cffobjs.c:543
    #8 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #9 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #10 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #11 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #12 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:1178 tt_sbit_decoder_load_image
Shadow bytes around the buggy address:
  0x0c107fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff97e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[04]fa
  0x0c107fff97f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==12771==ABORTING


 

asan_heap-oob_8ccd60_1920_8941960742942786251.bin 31.9 KB Download