211 - FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts" - project-zero

Starred by 2 users

Status:	Fixed
Owner:	mjurczyk@google.com
Closed:	Dec 2014
Cc:	project-...@google.com
Deadline-90 Fixed-2014-Dec-15 Fixed-2014-Dec-11 CCProjectZeroMembers Severity-High Product-FreeType Reported-2014-Dec-8 Finder-mjurczyk

FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts"

Project Member Reported by mjurczyk@google.com, Dec 8 2014

Back to list

The following invalid free() condition has been encountered in FreeType while fuzzing Type42 fonts. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==1462==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x61b00001f70c in thread T0
    #0 0x472581 in __interceptor_free (ft2demos-2.5.3/bin/ftbench+0x472581)
    #1 0xafc208 in ft_free freetype2/src/base/ftsystem.c:130
    #2 0x4b0f50 in ft_mem_free freetype2/src/base/ftutil.c:172
    #3 0x536f3f in ft_mem_qrealloc freetype2/src/base/ftutil.c:135
    #4 0x4b1de1 in ft_mem_realloc freetype2/src/base/ftutil.c:102
    #5 0x7dc516 in t42_parse_sfnts freetype2/src/type42/t42parse.c:583
    #6 0x7cfe70 in t42_load_keyword freetype2/src/type42/t42parse.c:1012
    #7 0x7ce6b1 in t42_parse_dict freetype2/src/type42/t42parse.c:1159
    #8 0x7c8b42 in T42_Open_Face freetype2/src/type42/t42objs.c:63
    #9 0x7be5ab in T42_Face_Init freetype2/src/type42/t42objs.c:202
    #10 0x4ccc8e in open_face freetype2/src/base/ftobjs.c:1170
    #11 0x4c849b in FT_Open_Face freetype2/src/base/ftobjs.c:2151
    #12 0x4c66a8 in FT_New_Face freetype2/src/base/ftobjs.c:1233
    #13 0x491c53 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #14 0x48de68 in main ft2demos-2.5.3/src/ftbench.c:924

0x61b00001f70c is located 1420 bytes inside of 1456-byte region [0x61b00001f180,0x61b00001f730)
allocated by thread T0 here:
    #0 0x4727a1 in malloc (ft2demos-2.5.3/bin/ftbench+0x4727a1)
    #1 0xafbcef in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x528311 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x4af8bf in ft_mem_alloc freetype2/src/base/ftutil.c:55
    #4 0x7cbc91 in t42_parser_init freetype2/src/type42/t42parse.c:206
    #5 0x7c897a in T42_Open_Face freetype2/src/type42/t42objs.c:56
    #6 0x7be5ab in T42_Face_Init freetype2/src/type42/t42objs.c:202
    #7 0x4ccc8e in open_face freetype2/src/base/ftobjs.c:1170
    #8 0x4c849b in FT_Open_Face freetype2/src/base/ftobjs.c:2151
    #9 0x4c66a8 in FT_New_Face freetype2/src/base/ftobjs.c:1233
    #10 0x491c53 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #11 0x48de68 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==1462==ABORTING

id%3A000000,sig%3A06,src%3A011260,op%3Ahavoc,rep%3A16
1.4 KB View Download

id%3A000000,sig%3A06,src%3A014021,op%3Ahavoc,rep%3A8
2.9 KB View Download

id%3A000001,sig%3A06,src%3A014021,op%3Ahavoc,rep%3A64
1.9 KB View Download

Project Member Comment 1 by mjurczyk@google.com, Dec 8 2014

Summary: FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts" (was: FreeType 2.5.3 Type42 parsing invalid free in "t42_parse_sfnts")

Reported in https://savannah.nongnu.org/bugs/?43776.

Project Member Comment 2 by mjurczyk@google.com, Dec 15 2014

Labels: Fixed-2014-Dec-11
Status: Fixed

Fixed in http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=b94381134efd41c6885d38e08d14106feec7284b, http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c9ca6ffc9442b4b127f948e2d993454aa7791e59 and http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=812ed3418969a013fce68c3884f7f8fc23c6b4bf.

Comment 3 by cevans@google.com, Jan 26 2015

Labels: -Restrict-View-Commit

All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.

Project Member Comment 4 by mjurczyk@google.com, Apr 20 2015

Labels: Fixed-2014-Dec-15

► Sign in to add a comment