ericmckean / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

FreeType 2.5.3 SFNT parsing integer overflows #166

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In the freetype/src/sfnt/ttload.c file responsible for handling SFNT tables, 
there are potential integer overflow conditions in the following code snippets:

209:      /* we ignore invalid tables */
210:      if ( table.Offset + table.Length > stream->size )
211:      {
212:        FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
213:        continue;
214:      }
215:      else
216:        valid_entries++;

and

397:     /* ignore invalid tables */
398:      if ( entry->Offset + entry->Length > stream->size )
399:        continue;
400:      else
401:      {
402:        FT_TRACE2(( "  %c%c%c%c  %08lx  %08lx  %08lx\n",
403:                    (FT_Char)( entry->Tag >> 24 ),
404:                    (FT_Char)( entry->Tag >> 16 ),
405:                    (FT_Char)( entry->Tag >> 8  ),
406:                    (FT_Char)( entry->Tag       ),
407:                    entry->Offset,
408:                    entry->Length,
409:                    entry->CheckSum ));
410:        entry++;
411:      }

Since both "Offset" and "Length" fields are fully controlled 32-bit unsigned 
integers, their sum can overflow the integer ranges on 32-bit builds of 
FreeType, effectively bypassing the sanity above checks.

The full consequence of not correctly filtering out such malformed tables is 
not fully understood; we assume, however, that the worst that could happen as a 
result of this issue is an out-of-bounds read from the table of an allegedly 
enormous size (while in reality much smaller). We believe installing proper 
bounds checking should be a good defense-in-depth measure to prevent further 
bugs related to such bogus table headers.

Original issue reported on code.google.com by mjurc...@google.com on 12 Nov 2014 at 5:41

GoogleCodeExporter commented 9 years ago
Reported in https://savannah.nongnu.org/bugs/?43590.

Original comment by mjurc...@google.com on 12 Nov 2014 at 5:43

GoogleCodeExporter commented 9 years ago
Fixed in 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=677ddf4f1dc1b
36cef7c7ddd59a14c508f4b1891.

Original comment by mjurc...@google.com on 13 Nov 2014 at 8:15

GoogleCodeExporter commented 9 years ago
All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of 
PCF fonts should update, since version 2.5.4 introduced a bug that prevented 
reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix 
for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a 
new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie 
roadmap below, is auto-hinting support for Devanagari and Telugu, two widely 
used Indic scripts. A more detailed description of the remaining changes and 
fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 25 Feb 2015 at 2:04