FreeType 2.5.3 TrueType parsing heap-based out-of-bounds read in "tt_face_load_hdmx"

[GoogleCodeExporter]

The following heap-based out-of-bounds memory read has been encountered in 
FreeType while fuzzing TrueType fonts. It has been reproduced with the current 
version of freetype2 from master git branch, with a 64-bit build of the ftbench 
utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==12266==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60200000ecf8 at pc 0x5c42ea bp 0x7fffa2fe67d0 sp 0x7fffa2fe67c8
READ of size 1 at 0x60200000ecf8 thread T0
    #0 0x5c42e9 in tt_face_load_hdmx freetype2/src/truetype/ttpload.c:540
    #1 0x55f2b4 in tt_face_init freetype2/src/truetype/ttobjs.c:570
    #2 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #3 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #4 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #5 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #6 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

0x60200000ecf8 is located 0 bytes to the right of 8-byte region 
[0x60200000ecf0,0x60200000ecf8)
allocated by thread T0 here:
    #0 0x472081 in __interceptor_malloc (ft2demos-2.5.3/bin/ftbench+0x472081)
    #1 0xaf3a2f in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x526b21 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x525591 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:267
    #4 0x524d51 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200
    #5 0x5c3448 in tt_face_load_hdmx freetype2/src/truetype/ttpload.c:500
    #6 0x55f2b4 in tt_face_init freetype2/src/truetype/ttobjs.c:570
    #7 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #8 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #9 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #10 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #11 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: heap-buffer-overflow 
freetype2/src/truetype/ttpload.c:540 tt_face_load_hdmx
Shadow bytes around the buggy address:
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[fa]
  0x0c047fff9da0: fa fa 00 fa fa fa 00 06 fa fa 00 01 fa fa 00 00
  0x0c047fff9db0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff9dc0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9dd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9de0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==12266==ABORTING

Original issue reported on code.google.com by mjurc...@google.com on 24 Nov 2014 at 8:19

Attachments:

• asan_heap-oob_5c42ea_1115_cov_3509873962_2821502151863019799.bin
• asan_heap-oob_5c42ea_1507_4f7c3c0b2b99648dcd8457b96614038b.ttf
• asan_heap-oob_5c42ea_1508_4f7c3c0b2b99648dcd8457b96614038b.ttf

[GoogleCodeExporter]

Reported in https://savannah.nongnu.org/bugs/?43679.

Original comment by mjurc...@google.com on 24 Nov 2014 at 8:21

[GoogleCodeExporter]

Fixed in 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=eca0f06706802
0870a429fe91f6329e499390d55.

Original comment by mjurc...@google.com on 24 Nov 2014 at 9:33

• Changed state: Fixed

[GoogleCodeExporter]

All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of 
PCF fonts should update, since version 2.5.4 introduced a bug that prevented 
reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix 
for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a 
new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie 
roadmap below, is auto-hinting support for Devanagari and Telugu, two widely 
used Indic scripts. A more detailed description of the remaining changes and 
fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 25 Feb 2015 at 1:56

• Added labels: CVE-2014-9657