consultorio-molinari / google-security-research

Automatically exported from code.google.com/p/google-security-research

FreeType 2.5.3 SFNT cmap parsing out-of-bounds read in "tt_cmap4_validate" #184

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following heap-based out-of-bounds memory read has been encountered in FreeType, in the handling of the "cmap" (format 4) SFNT table. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==5451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffe2 at pc 0x865d2a bp 0x7ffffa4c8af0 sp 0x7ffffa4c8ae8
READ of size 1 at 0x61400000ffe2 thread T0
    #0 0x865d29 in tt_cmap4_validate freetype2/src/sfnt/ttcmap.c:862
    #1 0x8ea568 in tt_face_build_cmaps freetype2/src/sfnt/ttcmap.c:3550
    #2 0x8a6713 in sfnt_load_face freetype2/src/sfnt/sfobjs.c:1297
    #3 0x55f099 in tt_face_init freetype2/src/truetype/ttobjs.c:563
    #4 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #5 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #6 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #7 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #8 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

0x61400000ffe2 is located 2 bytes to the right of 416-byte region [0x61400000fe40,0x61400000ffe0) allocated by thread T0 here:
    #0 0x472081 in __interceptor_malloc (ft2demos-2.5.3/bin/ftbench+0x472081)
    #1 0xaf265f in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x526b21 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x525591 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:267
    #4 0x524d51 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200
    #5 0x8accb2 in tt_face_load_cmap freetype2/src/sfnt/ttload.c:928
    #6 0x8a09dc in sfnt_load_face freetype2/src/sfnt/sfobjs.c:1048
    #7 0x55f099 in tt_face_init freetype2/src/truetype/ttobjs.c:563
    #8 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #9 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #10 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #11 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #12 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttcmap.c:862 tt_cmap4_validate
Shadow bytes around the buggy address:
  0x0c287fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5451==ABORTING

Original issue reported on code.google.com by mjurc...@google.com on 21 Nov 2014 at 10:27

Attachments:
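As an added example (not FreeType's code, and not a reproduction of the upstream fix linked later in this thread), the bounds checks a cmap format 4 validator needs before any segment array or idRangeOffset is dereferenced, assuming the standard OpenType format 4 layout (14-byte header, then endCode/reservedPad/startCode/idDelta/idRangeOffset arrays and glyphIdArray); the sample table bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not FreeType's code: bounds-checked validation of a cmap
 * format 4 subtable. 'avail' is how many bytes really exist for the
 * subtable; offsets are checked against it and the length field, never
 * trusting either on its own. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 if the table is safe to walk, else a negative code naming the failed check. */
int cmap4_validate(const uint8_t *t, size_t avail)
{
    if (avail < 14 || rd16(t) != 4) return -1;      /* 7-field header present? */
    size_t length = rd16(t + 2);
    if (length < 14 || length > avail) return -2;   /* claimed size vs. real size */
    size_t segx2 = rd16(t + 6);
    if (segx2 < 2 || (segx2 & 1)) return -3;
    /* endCode, reservedPad, startCode, idDelta, idRangeOffset must all fit */
    if (14 + 4 * segx2 + 2 > length) return -4;
    const uint8_t *end_code = t + 14, *start_code = end_code + segx2 + 2;
    const uint8_t *range_off = start_code + 2 * segx2;
    for (size_t i = 0; i < segx2 / 2; i++) {
        uint16_t start = rd16(start_code + 2 * i), end = rd16(end_code + 2 * i);
        uint16_t ro = rd16(range_off + 2 * i);
        if (start > end) return -5;
        if (ro == 0) continue;                      /* idDelta-only segment: no array read */
        /* A glyph id is read at &idRangeOffset[i] + ro + 2*(c - start). The
         * segment's last code reaches farthest, so that 2-byte read must fit. */
        size_t farthest = (size_t)(range_off + 2 * i - t) + ro + 2 * (size_t)(end - start);
        if (farthest + 2 > length) return -6;
    }
    return 0;
}

/* Constructed 38-byte table: one segment 'A'..'C' served from glyphIdArray,
 * then the mandatory 0xFFFF terminator segment. */
const uint8_t kGoodCmap4[38] = {
    0x00,0x04, 0x00,0x26, 0x00,0x00, 0x00,0x04, 0x00,0x04, 0x00,0x01, 0x00,0x00,
    0x00,0x43, 0xFF,0xFF, 0x00,0x00, 0x00,0x41, 0xFF,0xFF,   /* endCode, pad, startCode */
    0x00,0x00, 0x00,0x01, 0x00,0x04, 0x00,0x00,              /* idDelta, idRangeOffset */
    0x00,0x0A, 0x00,0x0B, 0x00,0x0C };                       /* glyphIdArray */

/* Validate a copy of kGoodCmap4 with idRangeOffset[0] replaced by 'ro'. */
int validate_with_range_offset(uint16_t ro)
{
    uint8_t buf[sizeof kGoodCmap4];
    memcpy(buf, kGoodCmap4, sizeof buf);
    buf[28] = (uint8_t)(ro >> 8); buf[29] = (uint8_t)ro;
    return cmap4_validate(buf, sizeof buf);
}
```

Passing fewer bytes than the length field claims, or an idRangeOffset whose farthest read lands past the table, is rejected before any array is touched, which is the condition a heap-buffer-overflow read like the one above arises from.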

GoogleCodeExporter commented 9 years ago
Reported in https://savannah.nongnu.org/bugs/?43656.

Original comment by mjurc...@google.com on 21 Nov 2014 at 11:31

GoogleCodeExporter commented 9 years ago
Fixed in http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=9bd20b7304aae61de5d50ac359cf27132bafd4c1.

Original comment by mjurc...@google.com on 23 Nov 2014 at 11:14

GoogleCodeExporter commented 9 years ago
All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of PCF fonts should update, since version 2.5.4 introduced a bug that prevented reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie roadmap below, is auto-hinting support for Devanagari and Telugu, two widely used Indic scripts. A more detailed description of the remaining changes and fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27

GoogleCodeExporter commented 9 years ago
CVE-2014-9663

Original comment by mjurc...@google.com on 25 Feb 2015 at 2:03

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 25 Feb 2015 at 2:03