ericmckean / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts" #211

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following invalid free() condition has been encountered in FreeType while 
fuzzing Type42 fonts. It has been reproduced with the current version of 
freetype2 from master git branch, with a 64-bit build of the ftbench utility 
compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==1462==ERROR: AddressSanitizer: attempting free on address which was not 
malloc()-ed: 0x61b00001f70c in thread T0
    #0 0x472581 in __interceptor_free (ft2demos-2.5.3/bin/ftbench+0x472581)
    #1 0xafc208 in ft_free freetype2/src/base/ftsystem.c:130
    #2 0x4b0f50 in ft_mem_free freetype2/src/base/ftutil.c:172
    #3 0x536f3f in ft_mem_qrealloc freetype2/src/base/ftutil.c:135
    #4 0x4b1de1 in ft_mem_realloc freetype2/src/base/ftutil.c:102
    #5 0x7dc516 in t42_parse_sfnts freetype2/src/type42/t42parse.c:583
    #6 0x7cfe70 in t42_load_keyword freetype2/src/type42/t42parse.c:1012
    #7 0x7ce6b1 in t42_parse_dict freetype2/src/type42/t42parse.c:1159
    #8 0x7c8b42 in T42_Open_Face freetype2/src/type42/t42objs.c:63
    #9 0x7be5ab in T42_Face_Init freetype2/src/type42/t42objs.c:202
    #10 0x4ccc8e in open_face freetype2/src/base/ftobjs.c:1170
    #11 0x4c849b in FT_Open_Face freetype2/src/base/ftobjs.c:2151
    #12 0x4c66a8 in FT_New_Face freetype2/src/base/ftobjs.c:1233
    #13 0x491c53 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #14 0x48de68 in main ft2demos-2.5.3/src/ftbench.c:924

0x61b00001f70c is located 1420 bytes inside of 1456-byte region 
[0x61b00001f180,0x61b00001f730)
allocated by thread T0 here:
    #0 0x4727a1 in malloc (ft2demos-2.5.3/bin/ftbench+0x4727a1)
    #1 0xafbcef in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x528311 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x4af8bf in ft_mem_alloc freetype2/src/base/ftutil.c:55
    #4 0x7cbc91 in t42_parser_init freetype2/src/type42/t42parse.c:206
    #5 0x7c897a in T42_Open_Face freetype2/src/type42/t42objs.c:56
    #6 0x7be5ab in T42_Face_Init freetype2/src/type42/t42objs.c:202
    #7 0x4ccc8e in open_face freetype2/src/base/ftobjs.c:1170
    #8 0x4c849b in FT_Open_Face freetype2/src/base/ftobjs.c:2151
    #9 0x4c66a8 in FT_New_Face freetype2/src/base/ftobjs.c:1233
    #10 0x491c53 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #11 0x48de68 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==1462==ABORTING

Original issue reported on code.google.com by mjurc...@google.com on 8 Dec 2014 at 9:20

Attachments:

GoogleCodeExporter commented 9 years ago
Reported in https://savannah.nongnu.org/bugs/?43776.

Original comment by mjurc...@google.com on 8 Dec 2014 at 9:26

GoogleCodeExporter commented 9 years ago
Fixed in 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=b94381134efd4
1c6885d38e08d14106feec7284b, 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c9ca6ffc9442b
4b127f948e2d993454aa7791e59 and 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=812ed3418969a
013fce68c3884f7f8fc23c6b4bf.

Original comment by mjurc...@google.com on 15 Dec 2014 at 5:35

GoogleCodeExporter commented 9 years ago
All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of 
PCF fonts should update, since version 2.5.4 introduced a bug that prevented 
reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix 
for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a 
new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie 
roadmap below, is auto-hinting support for Devanagari and Telugu, two widely 
used Indic scripts. A more detailed description of the remaining changes and 
fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27