search

codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

FreeType 2.5.3 SFNT parsing multiple out-of-bounds reads due to integer overflows in "cmap" table handling #163

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
In the freetype/src/sfnt/ttcmap.c file, we can find functions responsible for 
handling the "cmap" SFNT table 
(http://www.microsoft.com/typography/otspec/cmap.htm) in different formats (0, 
2, 4, 6, 8, 10, 12, 13, 14). Multiple integer overflow conditions exist in the 
code if it is compiled for 32-bit architectures (i.e. when sizeof(long) = 4), 
see:

--------------------------------------------------------------------------------
--------------
1670:    num_groups = TT_NEXT_ULONG( p );
1671:
1672:    if ( p + num_groups * 12 > valid->limit )
1673:      FT_INVALID_TOO_SHORT;
--------------------------------------------------------------------------------
--------------
1685:        start    = TT_NEXT_ULONG( p );
1686:        end      = TT_NEXT_ULONG( p );
1687:        start_id = TT_NEXT_ULONG( p );
...
1697:          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
1698:            FT_INVALID_GLYPH_ID;
--------------------------------------------------------------------------------
--------------
1884:    FT_ULong  length, count;
...
1892:    count  = TT_NEXT_ULONG( p );
...
1895:         length < 20 + count * 2                     )
--------------------------------------------------------------------------------
--------------
2069:    FT_ULong  num_groups;
...
2079:    num_groups = TT_NEXT_ULONG( p );
...
2082:         length < 16 + 12 * num_groups               )
--------------------------------------------------------------------------------
--------------
2087:      FT_ULong  n, start, end, start_id, last = 0;
...
2092:        start    = TT_NEXT_ULONG( p );
2093:        end      = TT_NEXT_ULONG( p );
2094:        start_id = TT_NEXT_ULONG( p );
...
2104:          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
--------------------------------------------------------------------------------
--------------
2391:    FT_ULong  num_groups;
...
2401:    num_groups = TT_NEXT_ULONG( p );
...
2404:         length < 16 + 12 * num_groups               )
--------------------------------------------------------------------------------
--------------
2779:    FT_ULong  num_selectors;
...
2787:    num_selectors = TT_NEXT_ULONG( p );
...
2790:         length < 10 + 11 * num_selectors            )

2821:          FT_ULong  numRanges = TT_NEXT_ULONG( defp );
...
2826:          if ( defp + numRanges * 4 > valid->limit )

2849:          FT_ULong  numMappings = TT_NEXT_ULONG( ndp );
...
2853:          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
--------------------------------------------------------------------------------
--------------

All of the above stem from arithmetic operations (addition and multiplication) 
performed over fully controlled 32-bit variables, whose size is not previously 
sanitized in any way. This can be used to bypass the different checks in 
tt_cmap{8, 10, 12, 13, 14}_validate functions and consequently lead to 
out-of-bounds reads in those functions.

Since these issues occur in "_validate" routines responsible for ensuring that 
the input file is correctly formatted, it is possible that some other code 
which later touches the data assumes its validity (not necessarily true due to 
the issues explained here), which may lead to consequences more severe than 
out-of-bounds read, such as buffer overflows or other memory corruption. This, 
however, has not been confirmed.

Original issue reported on code.google.com by mjurc...@google.com on 12 Nov 2014 at 2:06

GoogleCodeExporter commented 9 years ago 
Reported in https://savannah.nongnu.org/bugs/?43588.

Original comment by mjurc...@google.com on 12 Nov 2014 at 2:08

GoogleCodeExporter commented 9 years ago 
Fixed in 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=602040b1112c9
f94d68e200be59ea7ac3d104565.

Original comment by mjurc...@google.com on 13 Nov 2014 at 8:10

GoogleCodeExporter commented 9 years ago 
All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of 
PCF fonts should update, since version 2.5.4 introduced a bug that prevented 
reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix 
for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a 
new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie 
roadmap below, is auto-hinting support for Devanagari and Telugu, two widely 
used Indic scripts. A more detailed description of the remaining changes and 
fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 25 Feb 2015 at 2:05