FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts"

[GoogleCodeExporter]

The following invalid free() condition has been encountered in FreeType while 
fuzzing Type42 fonts. It has been reproduced with the current version of 
freetype2 from master git branch, with a 64-bit build of the ftbench utility 
compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==1462==ERROR: AddressSanitizer: attempting free on address which was not 
malloc()-ed: 0x61b00001f70c in thread T0
    #0 0x472581 in __interceptor_free (ft2demos-2.5.3/bin/ftbench+0x472581)
    #1 0xafc208 in ft_free freetype2/src/base/ftsystem.c:130
    #2 0x4b0f50 in ft_mem_free freetype2/src/base/ftutil.c:172
    #3 0x536f3f in ft_mem_qrealloc freetype2/src/base/ftutil.c:135
    #4 0x4b1de1 in ft_mem_realloc freetype2/src/base/ftutil.c:102
    #5 0x7dc516 in t42_parse_sfnts freetype2/src/type42/t42parse.c:583
    #6 0x7cfe70 in t42_load_keyword freetype2/src/type42/t42parse.c:1012
    #7 0x7ce6b1 in t42_parse_dict freetype2/src/type42/t42parse.c:1159
    #8 0x7c8b42 in T42_Open_Face freetype2/src/type42/t42objs.c:63
    #9 0x7be5ab in T42_Face_Init freetype2/src/type42/t42objs.c:202
    #10 0x4ccc8e in open_face freetype2/src/base/ftobjs.c:1170
    #11 0x4c849b in FT_Open_Face freetype2/src/base/ftobjs.c:2151
    #12 0x4c66a8 in FT_New_Face freetype2/src/base/ftobjs.c:1233
    #13 0x491c53 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #14 0x48de68 in main ft2demos-2.5.3/src/ftbench.c:924

0x61b00001f70c is located 1420 bytes inside of 1456-byte region 
[0x61b00001f180,0x61b00001f730)
allocated by thread T0 here:
    #0 0x4727a1 in malloc (ft2demos-2.5.3/bin/ftbench+0x4727a1)
    #1 0xafbcef in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x528311 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x4af8bf in ft_mem_alloc freetype2/src/base/ftutil.c:55
    #4 0x7cbc91 in t42_parser_init freetype2/src/type42/t42parse.c:206
    #5 0x7c897a in T42_Open_Face freetype2/src/type42/t42objs.c:56
    #6 0x7be5ab in T42_Face_Init freetype2/src/type42/t42objs.c:202
    #7 0x4ccc8e in open_face freetype2/src/base/ftobjs.c:1170
    #8 0x4c849b in FT_Open_Face freetype2/src/base/ftobjs.c:2151
    #9 0x4c66a8 in FT_New_Face freetype2/src/base/ftobjs.c:1233
    #10 0x491c53 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #11 0x48de68 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==1462==ABORTING

Original issue reported on code.google.com by mjurc...@google.com on 8 Dec 2014 at 9:20

Attachments:

• id%3A000000,sig%3A06,src%3A011260,op%3Ahavoc,rep%3A16
• id%3A000000,sig%3A06,src%3A014021,op%3Ahavoc,rep%3A8
• id%3A000001,sig%3A06,src%3A014021,op%3Ahavoc,rep%3A64

[GoogleCodeExporter]

Reported in https://savannah.nongnu.org/bugs/?43776.

Original comment by mjurc...@google.com on 8 Dec 2014 at 9:26

• Changed title: FreeType 2.5.4 Type42 parsing invalid free in "t42_parse_sfnts"

[GoogleCodeExporter]

Fixed in 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=b94381134efd4
1c6885d38e08d14106feec7284b, 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c9ca6ffc9442b
4b127f948e2d993454aa7791e59 and 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=812ed3418969a
013fce68c3884f7f8fc23c6b4bf.

Original comment by mjurc...@google.com on 15 Dec 2014 at 5:35

• Changed state: Fixed
• Added labels: Fixed-2014-Dec-11

[GoogleCodeExporter]

All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of 
PCF fonts should update, since version 2.5.4 introduced a bug that prevented 
reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix 
for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a 
new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie 
roadmap below, is auto-hinting support for Devanagari and Telugu, two widely 
used Indic scripts. A more detailed description of the remaining changes and 
fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27

• Removed labels: Restrict-View-Commit