StefanKubsch / stb_truetype.hpp

The famous stb_truetype.h library, stripped down and converted to C++
The Unlicense

Interest in resolving CVE issues from original stb_truetype.h? #2

Open starseeker opened 3 months ago

starseeker commented 3 months ago

Hi! I came across your C++ conversion of stb_truetype, and I was wondering if you might have interest in resolving some of the design issues that prompted the original CVEs associated with the parent code? I've gotten them wired up for testing here: https://github.com/starseeker/struetype and I just set up your stb_truetype.hpp to try out the same tests, and it looks (unsurprisingly) like the same issues are still present:

      Start  1: CVE-2020-6617
 1/10 Test  #1: CVE-2020-6617 ....................***Exception: SegFault  0.08 sec
      Start  2: CVE-2020-6618
 2/10 Test  #2: CVE-2020-6618 ....................***Exception: SegFault  0.08 sec
      Start  3: CVE-2020-6619
 3/10 Test  #3: CVE-2020-6619 ....................***Exception: SegFault  0.08 sec
      Start  4: CVE-2020-6620
 4/10 Test  #4: CVE-2020-6620 ....................***Failed    0.24 sec
      Start  5: CVE-2020-6621
 5/10 Test  #5: CVE-2020-6621 ....................***Exception: SegFault  0.08 sec
      Start  6: CVE-2020-6622
 6/10 Test  #6: CVE-2020-6622 ....................***Failed    0.24 sec
      Start  7: CVE-2020-6623
 7/10 Test  #7: CVE-2020-6623 ....................***Exception: SegFault  0.08 sec
      Start  8: CVE-2022-25514
 8/10 Test  #8: CVE-2022-25514 ...................***Exception: SegFault  0.09 sec
      Start  9: CVE-2022-25515
 9/10 Test  #9: CVE-2022-25515 ...................***Exception: SegFault  0.08 sec
      Start 10: CVE-2022-25516
10/10 Test #10: CVE-2022-25516 ...................***Failed    0.09 sec

I was wondering if it might be easier to address them in a C++ context...

StefanKubsch commented 3 months ago

Hi there, I'm currently pretty busy, but I'll try to have a look at this in the near future. I really don't know if it can be fixed, but it's well worth a try!

starseeker commented 3 months ago

If I understand the fundamental issue correctly, information about the original file/buffer size would need to be passed down through the functions and used to validate offset calculations. It would be an API change from the original stb_truetype, but since stb_truetype.hpp is already going to C++ and trimming down to a core functionality, I thought it might be a simpler change to make here (and give stb_truetype.hpp a potential use case where the original isn't practical ;-) )
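One way to carry the buffer size down alongside the pointer and validate every offset against it, as the comment above proposes, shown as an added C++ example; this is not code from stb_truetype.hpp, struetype, or either commenter. The `FontView`, `TableRef`, `read_u16`/`read_u32` and `find_table` names, and the 32-byte sample buffer, are this example's own assumptions, not the project's API.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical bounded view over a font buffer: the length travels with the
// pointer, which is what the original stb_truetype signatures do not carry.
struct FontView {
    const uint8_t* data;
    size_t size;
};

// Checked big-endian reads. The test is written as `off > size || size - off < n`
// so that the bound check itself cannot overflow on a huge offset from a bad record.
static bool read_u16(const FontView& f, size_t off, uint16_t& out) {
    if (off > f.size || f.size - off < 2) return false;
    out = static_cast<uint16_t>((f.data[off] << 8) | f.data[off + 1]);
    return true;
}

static bool read_u32(const FontView& f, size_t off, uint32_t& out) {
    if (off > f.size || f.size - off < 4) return false;
    out = (static_cast<uint32_t>(f.data[off]) << 24) |
          (static_cast<uint32_t>(f.data[off + 1]) << 16) |
          (static_cast<uint32_t>(f.data[off + 2]) << 8) |
           static_cast<uint32_t>(f.data[off + 3]);
    return true;
}

struct TableRef {
    uint32_t offset;
    uint32_t length;
};

// Look up a table by 4-byte tag in the offset table starting at `fontstart`.
// Succeeds only if the directory record is inside the buffer AND the table's
// own [offset, offset + length) range is, so the caller can read it safely.
static bool find_table(const FontView& f, size_t fontstart, const char* tag, TableRef& out) {
    if (fontstart > f.size) return false;
    uint16_t num_tables = 0;
    if (!read_u16(f, fontstart + 4, num_tables)) return false;   // numTables field
    const size_t dir = fontstart + 12;                           // first 16-byte record
    for (size_t i = 0; i < num_tables; ++i) {
        const size_t rec = dir + i * 16;
        uint32_t off = 0, len = 0;
        // Reading the length field first proves the whole record is in bounds.
        if (!read_u32(f, rec + 12, len) || !read_u32(f, rec + 8, off)) return false;
        if (std::memcmp(f.data + rec, tag, 4) != 0) continue;
        if (off > f.size || f.size - off < len) return false;    // range escapes buffer
        out.offset = off;
        out.length = len;
        return true;
    }
    return false;  // tag not present
}

// Constructed sample (not a real font): a 32-byte buffer whose single
// directory entry points at a 4-byte "cmap" table at offset 28.
static std::vector<uint8_t> sample_font() {
    return {
        0x00, 0x01, 0x00, 0x00,               // scaler type
        0x00, 0x01,                           // numTables = 1
        0x00, 0x10, 0x00, 0x00, 0x00, 0x00,   // searchRange, entrySelector, rangeShift
        'c', 'm', 'a', 'p',                   // tag
        0x00, 0x00, 0x00, 0x00,               // checksum (not validated here)
        0x00, 0x00, 0x00, 0x1C,               // offset = 28
        0x00, 0x00, 0x00, 0x04,               // length = 4
        0xAA, 0xBB, 0xCC, 0xDD                // the table's bytes
    };
}

// Well-formed buffer: lookup succeeds with the expected range.
static bool demo_valid_font() {
    const std::vector<uint8_t> font = sample_font();
    FontView v{font.data(), font.size()};
    TableRef t{};
    return find_table(v, 0, "cmap", t) && t.offset == 28 && t.length == 4;
}

// Same bytes, but the caller only owns the first 30: the record claims 4 bytes
// at offset 28, which would overrun by 2, so the lookup fails instead of
// handing back a range the caller would then read past the end.
static bool demo_truncated_font() {
    const std::vector<uint8_t> font = sample_font();
    FontView v{font.data(), 30};
    TableRef t{};
    return !find_table(v, 0, "cmap", t);
}

// Length field set to 0xFFFFFFFF: rejected by the overflow-safe range test.
static bool demo_oversized_length() {
    std::vector<uint8_t> font = sample_font();
    font[24] = font[25] = font[26] = font[27] = 0xFF;
    FontView v{font.data(), font.size()};
    TableRef t{};
    return !find_table(v, 0, "cmap", t);
}
```

The same pattern extends to the rest of the parser: each table accessor takes the `FontView` rather than a bare pointer, and every derived offset (glyph locations, cmap subtable pointers, and so on) goes through a checked read before it is dereferenced.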