Status: Fixed
Closed: Dec 2014
FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts"
Project Member Reported by mjurczyk@google.com, Dec 8 2014
The following invalid free() condition has been encountered in FreeType while fuzzing Type42 fonts. It has been reproduced with the current version of freetype2 from the master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==1462==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x61b00001f70c in thread T0
    #0 0x472581 in __interceptor_free (ft2demos-2.5.3/bin/ftbench+0x472581)
    #1 0xafc208 in ft_free freetype2/src/base/ftsystem.c:130
    #2 0x4b0f50 in ft_mem_free freetype2/src/base/ftutil.c:172
    #3 0x536f3f in ft_mem_qrealloc freetype2/src/base/ftutil.c:135
    #4 0x4b1de1 in ft_mem_realloc freetype2/src/base/ftutil.c:102
    #5 0x7dc516 in t42_parse_sfnts freetype2/src/type42/t42parse.c:583
    #6 0x7cfe70 in t42_load_keyword freetype2/src/type42/t42parse.c:1012
    #7 0x7ce6b1 in t42_parse_dict freetype2/src/type42/t42parse.c:1159
    #8 0x7c8b42 in T42_Open_Face freetype2/src/type42/t42objs.c:63
    #9 0x7be5ab in T42_Face_Init freetype2/src/type42/t42objs.c:202
    #10 0x4ccc8e in open_face freetype2/src/base/ftobjs.c:1170
    #11 0x4c849b in FT_Open_Face freetype2/src/base/ftobjs.c:2151
    #12 0x4c66a8 in FT_New_Face freetype2/src/base/ftobjs.c:1233
    #13 0x491c53 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #14 0x48de68 in main ft2demos-2.5.3/src/ftbench.c:924

0x61b00001f70c is located 1420 bytes inside of 1456-byte region [0x61b00001f180,0x61b00001f730)
allocated by thread T0 here:
    #0 0x4727a1 in malloc (ft2demos-2.5.3/bin/ftbench+0x4727a1)
    #1 0xafbcef in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x528311 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x4af8bf in ft_mem_alloc freetype2/src/base/ftutil.c:55
    #4 0x7cbc91 in t42_parser_init freetype2/src/type42/t42parse.c:206
    #5 0x7c897a in T42_Open_Face freetype2/src/type42/t42objs.c:56
    #6 0x7be5ab in T42_Face_Init freetype2/src/type42/t42objs.c:202
    #7 0x4ccc8e in open_face freetype2/src/base/ftobjs.c:1170
    #8 0x4c849b in FT_Open_Face freetype2/src/base/ftobjs.c:2151
    #9 0x4c66a8 in FT_New_Face freetype2/src/base/ftobjs.c:1233
    #10 0x491c53 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #11 0x48de68 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==1462==ABORTING

Attachments:
id:000000,sig:06,src:011260,op:havoc,rep:16 (1.4 KB)
id:000000,sig:06,src:014021,op:havoc,rep:8 (2.9 KB)
id:000001,sig:06,src:014021,op:havoc,rep:64 (1.9 KB)
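What the AddressSanitizer report above records, shown here as an added illustration rather than FreeType's own code: free(), reached through ft_mem_realloc from t42_parse_sfnts, received a pointer that lies 1420 bytes inside a live 1456-byte block allocated in t42_parser_init, and the sanitizer's allocator bookkeeping rejected it as a "bad-free". The C program below is a small allocation tracker in the same spirit: it records the base and size of every live block and refuses free()/realloc() on an interior pointer, reporting the offset and region size the way the sanitizer message does. The 1456/1420 figures are taken from the report as constructed input; the tracker, its function names and the MAX_BLOCKS limit are this example's own assumptions and have nothing to do with FreeType's FT_Memory interface.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not FreeType code): track every live heap block so that
 * free()/realloc() on a pointer that is not a block base is refused
 * instead of corrupting the allocator.  This mirrors the check behind
 * ASan's "attempting free on address which was not malloc()-ed" report. */

#define MAX_BLOCKS 64   /* assumption: enough for this demonstration */

typedef struct {
    void  *base;
    size_t size;
} block_t;

static block_t g_blocks[MAX_BLOCKS];
static int     g_nblocks = 0;

/* Result of classifying a pointer handed to free()/realloc(). */
typedef struct {
    int    ok;      /* 1 if ptr is the base of a live block */
    size_t offset;  /* bytes from the block base, when ptr is interior */
    size_t region;  /* size of the enclosing block, if any */
} check_t;

static int find_block(const void *ptr)
{
    for (int i = 0; i < g_nblocks; i++)
        if (g_blocks[i].base == ptr)
            return i;
    return -1;
}

/* Classify ptr as exact base, interior of a live block, or unknown. */
check_t check_pointer(const void *ptr)
{
    check_t r = { 0, 0, 0 };
    const unsigned char *p = (const unsigned char *)ptr;
    for (int i = 0; i < g_nblocks; i++) {
        const unsigned char *b = (const unsigned char *)g_blocks[i].base;
        if (p == b) { r.ok = 1; r.region = g_blocks[i].size; return r; }
        if (p > b && p < b + g_blocks[i].size) {
            r.offset = (size_t)(p - b);   /* "N bytes inside of M-byte region" */
            r.region = g_blocks[i].size;
            return r;
        }
    }
    return r;
}

void *tracked_malloc(size_t size)
{
    if (g_nblocks == MAX_BLOCKS) return NULL;
    void *p = malloc(size);
    if (!p) return NULL;
    g_blocks[g_nblocks].base = p;
    g_blocks[g_nblocks].size = size;
    g_nblocks++;
    return p;
}

/* Returns 0 on success, -1 if ptr is not the base of a live block. */
int tracked_free(void *ptr)
{
    int i = find_block(ptr);
    if (i < 0) return -1;             /* interior or foreign pointer: refuse */
    free(ptr);
    g_blocks[i] = g_blocks[--g_nblocks];
    return 0;
}

/* Like realloc(), but refuses interior pointers.  On refusal *out is NULL
 * and the original block is left untouched. */
int tracked_realloc(void *ptr, size_t new_size, void **out)
{
    *out = NULL;
    if (ptr == NULL) { *out = tracked_malloc(new_size); return *out ? 0 : -1; }
    int i = find_block(ptr);
    if (i < 0) return -1;
    void *p = realloc(ptr, new_size);
    if (!p) return -1;
    g_blocks[i].base = p;
    g_blocks[i].size = new_size;
    *out = p;
    return 0;
}

int main(void)
{
    /* Constructed input mirroring the report: a 1456-byte parser buffer
     * and a realloc attempted on a pointer 1420 bytes into it. */
    unsigned char *buf = tracked_malloc(1456);
    void *grown = NULL;
    if (tracked_realloc(buf + 1420, 4096, &grown) != 0) {
        check_t c = check_pointer(buf + 1420);
        printf("refused: pointer is %zu bytes inside a %zu-byte block\n",
               c.offset, c.region);
    }
    if (tracked_realloc(buf, 4096, &grown) == 0)
        printf("ok: realloc on the block base succeeded\n");
    tracked_free(grown);
    return 0;
}
```

Without the tracker, the same interior-pointer realloc is undefined behaviour: a production allocator may abort, silently corrupt its metadata, or hand back a block that overlaps the original, which is why the sanitizer treats the condition as fatal rather than as a warning.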
Project Member Comment 1 by mjurczyk@google.com, Dec 8 2014
Summary: FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts" (was: FreeType 2.5.3 Type42 parsing invalid free in "t42_parse_sfnts")
Reported in https://savannah.nongnu.org/bugs/?43776.
Comment 3 by cevans@google.com, Jan 26 2015
Labels: -Restrict-View-Commit
All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.


Project Member Comment 4 by mjurczyk@google.com, Apr 20 2015
Labels: Fixed-2014-Dec-15