Closed fcambus closed 4 years ago
How could this have been missed?
https://github.com/fontforge/libspiro/blob/6c04efe38570a09d2a0ffd3e5d8ea9117a7f3033/tests/call-test.c#L539 https://github.com/fontforge/libspiro/blob/6c04efe38570a09d2a0ffd3e5d8ea9117a7f3033/spiro.c#L1182
C arrays are 0-indexed! This could never have worked, could it??
Yes, you are correct, dm[5] = 1. would be a problem. (line 539 should be dm[6] instead of dm[5] like in spiroentrypoint.c line 48)
Also noticed line 548
d[0] = 1.; d[1] = d[1] = 0.;
needs to be fixed as:
d[0] = 1.; d[1] = d[2] = 0.;
@fcambus, can you do those two mods and try it again? If it works, are you interested/able to formulate a patch - we can also merge it in.
This issue has been assigned CVE-2019-19847.
@JoesCat Sure, will try your modifications when I come back home and report back.
For clarification - the buffer overflow happens in the test programs, not the library itself.
call-testN do progressive tests of the library, so it does some calls that aren't defined entrypoints in the developer H files - anyone that uses the libspiro H files shouldn't need to be playing around with these dm[6] variables.
Thanks! - good catch - will look forwards to seeing a patch.
Well, the buffer overflow happens in spiro_to_bpath0() which is a library function and an exported symbol:
nm /usr/lib/libspiro.so.1.0.0 | grep spiro_to_bpath0
00000000000052f0 T spiro_to_bpath0
And you also define its prototype in spiro.h which is installed in PREFIX/include.
But I understand it is called directly in the test suite for testing purposes but is not supposed to be called directly by library users.
Your modifications indeed fix the crashes in the test suite, so you should commit that as a first step. As a second step, you should probably stop exporting this function.
We should first make sure it's not being used, as it's likely been exported for years. I checked—it's not in use by FontForge. @JoesCat would know best as to other projects to check.
Debian Code Search shows it is apparently only used in libspiro itself: https://codesearch.debian.net/search?q=spiro_to_bpath0&literal=1
Likewise, internet search for spiro_to_bpath0 also showed nothing except for the CVE-2019-19847.
Most users that come to mind, use the "advertised" API entries, examples: FontForge, FontAnvil, GEGL ...but I'd rather avoid to stop exporting the function since there is a possibility someone could make use of it, one example that comes to mind is Inkscape's forked version (however, this was based on 20071029 code). It demonstrates that there can be an advantage for someone knowing what they're doing at this lower level.
I've verified ./configure CFLAGS="-fsanitize=address"
and the patch solution and have also started looking at fortifying this entry point even though it's not an "advertised" entry.
If you wish to enter a patch, please go ahead, otherwise I'll just go ahead and patch this bug this weekend.
Good catch.
Thanks for the update, you can go ahead and commit your patch.
I worked on this a bit, and you have to copy the dm[] resulting values calculated in run_spiro0() and give them to the spiro_to_bpath0() - it can be internalized, but it would make the access points run_spiro0() and spiro_to_bpath0() of no value as you would not be able to scale or shift results.
bugs patched.
Released Libspiro, version 20200505 (1.1.0) Closing issue as resolved.
Hi,
When building libspiro 20190731 with AddressSanitizer enabled and running the test suite, I found a stack-based buffer overflow in spiro_to_bpath0() in spiro.c.
In the test suite,
call-test14
tocall-test19
all trigger the same issue.The issue can be triggered as follow: