FreeType 2.5.3 Type42 parsing use-after-free in "FT_Stream_TryRead" (embedded BDF loading)

[GoogleCodeExporter]

The following use-after-free condition has been encountered in FreeType while 
fuzzing Type42 fonts. It has been reproduced with the current version of 
freetype2 from master git branch, with a 64-bit build of the ftbench utility 
compiled with AddressSanitizer:

$ ftbench <file>

Attached is a POC file which triggers the condition.

=================================================================
==6948==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f00000f07f 
at pc 0x524983 bp 0x7fffecb369f0 sp 0x7fffecb369e8
READ of size 2048 at 0x61f00000f07f thread T0
    #0 0x524982 in FT_Stream_TryRead freetype2/src/base/ftstream.c:182
    #1 0x82b879 in _bdf_readstream freetype2/src/bdf/bdflib.c:716
    #2 0x820895 in bdf_load_font freetype2/src/bdf/bdflib.c:2404
    #3 0x813c7a in BDF_Face_Init freetype2/src/bdf/bdfdrivr.c:364
    #4 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #5 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #6 0x7bc3ab in T42_Face_Init freetype2/src/type42/t42objs.c:300
    #7 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #8 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #9 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #10 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #11 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

0x61f00000f07f is located 511 bytes inside of 3072-byte region 
[0x61f00000ee80,0x61f00000fa80)
freed by thread T0 here:
    #0 0x471e61 in free (ft2demos-2.5.3/bin/ftbench+0x471e61)
    #1 0xaf2b78 in ft_free freetype2/src/base/ftsystem.c:130
    #2 0x4b04a0 in ft_mem_free freetype2/src/base/ftutil.c:172
    #3 0xa9c898 in ps_table_release freetype2/src/psaux/psobjs.c:271
    #4 0x7cb3a3 in t42_loader_done freetype2/src/type42/t42parse.c:1203
    #5 0x7c6aa5 in T42_Open_Face freetype2/src/type42/t42objs.c:149
    #6 0x7ba9ab in T42_Face_Init freetype2/src/type42/t42objs.c:196
    #7 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #8 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #9 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #10 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #11 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

previously allocated by thread T0 here:
    #0 0x472081 in __interceptor_malloc (ft2demos-2.5.3/bin/ftbench+0x472081)
    #1 0xaf265f in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x526b21 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x4aee0f in ft_mem_alloc freetype2/src/base/ftutil.c:55
    #4 0xae4c19 in reallocate_t1_table freetype2/src/psaux/psobjs.c:125
    #5 0xa9bc38 in ps_table_add freetype2/src/psaux/psobjs.c:205
    #6 0x7d0e34 in t42_parse_encoding freetype2/src/type42/t42parse.c:450
    #7 0x7cc130 in t42_load_keyword freetype2/src/type42/t42parse.c:1007
    #8 0x7ca971 in t42_parse_dict freetype2/src/type42/t42parse.c:1154
    #9 0x7c4df8 in T42_Open_Face freetype2/src/type42/t42objs.c:57
    #10 0x7ba9ab in T42_Face_Init freetype2/src/type42/t42objs.c:196
    #11 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #12 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #13 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #14 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #15 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: heap-use-after-free 
freetype2/src/base/ftstream.c:182 FT_Stream_TryRead
Shadow bytes around the buggy address:
  0x0c3e7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff9dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9de0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9df0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3e7fff9e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c3e7fff9e10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3e7fff9e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==6948==ABORTING

Original issue reported on code.google.com by mjurc...@google.com on 21 Nov 2014 at 10:53

Attachments:

• asan_heap-uaf_5212ba_6256_cov_2018364181_genotyrs.t42

[GoogleCodeExporter]

Reported in https://savannah.nongnu.org/bugs/?43659.

Original comment by mjurc...@google.com on 21 Nov 2014 at 11:36

[GoogleCodeExporter]

Fixed in 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3788187e0c396
952cd7d905c6c61f3ff8e84b2b4 and 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=42fcd6693ec7b
d6ffc65ddc63e74287a65dda669.

Original comment by mjurc...@google.com on 22 Nov 2014 at 12:11

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 22 Nov 2014 at 12:11

• Changed state: Fixed

[GoogleCodeExporter]

All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of 
PCF fonts should update, since version 2.5.4 introduced a bug that prevented 
reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix 
for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a 
new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie 
roadmap below, is auto-hinting support for Devanagari and Telugu, two widely 
used Indic scripts. A more detailed description of the remaining changes and 
fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 25 Feb 2015 at 1:57

• Added labels: CVE-2014-9661