instruder / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Reader CoolType heap-based buffer underflow due to integer overflow in STOREWV #250

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In the Adobe Reader CoolType implementation of the `STOREWV` instruction 
(othersubr 19) used by Multiple Master Fonts [1], values are copied from a 
so-called "WeightVector" (an internal, MM-specific array) into the transient 
array (also known as "BuildCharArray"). The starting index is obtained from the 
operand stack, as shown below in Hex-Rays decompiled pseudo-code:

---
--op_sp;
idx = *(op_sp + 1);

[...]

master_designs = font->master_designs;
if ( master_designs + idx > font->lenBuildCharArray )
  return -8;

---

or, in assembly:

---
.text:080426B7                 movsx   ebx, word ptr [esi+2]
[...]
.text:0804270F                 mov     eax, [edi+2B8h]
.text:08042715                 lea     ecx, [ebx+eax]
.text:08042718                 cmp     ecx, [edi+360h]
.text:0804271E                 ja      loc_8041FA1     ; jumptable 08041720 cases 0,2

---

The "master_designs" variable is the size of the "WeightVector" array and can 
be anything from 2 to 16, while "idx" is a fully controlled 16-bit signed 
integer. If "idx" is a negative number, the check can be effectively bypassed, 
thus leading to a buffer underflow of the "BuildCharArray" heap-based 
allocation, by a maximum of 64 bytes (16 dwords):

---
if ( master_designs )
{
  buildchar_offset = idx;
  weight_vector = font->weight_vector;
  do
  {
    ++it;
    value = *weight_vector;
    weight_vector += 4;
    font->BuildCharArray[buildchar_offset] = value;
    ++buildchar_offset;
  }
  while ( it < font->master_designs );
  op_sp = tmp_op_sp;
  it = 0;
}

---

The vulnerability can be reproduced with Multiple Master Type1 fonts, but also 
with regular Type1 fonts, provided that a PostScript "/WeightVector" array is 
present in the font header (preferably of length 16), and the following 
instruction sequence is used for one of the rendered glyphs:

---
-16 1 19 callother

---

This will overwrite 64 bytes in front of the transient array, corrupting the 
heap headers and leading to an Adobe Reader crash (full log can be found in 
"crash.txt"):

---
(270c.22b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7281a912 ebx=7281a480 ecx=00010000 edx=017c0000 esi=7281a912 edi=00000000
eip=72804a59 esp=0038ee74 ebp=0038ee88 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
BIB!BIBInitialize4+0x354b:
72804a59 895114          mov     dword ptr [ecx+14h],edx ds:002b:00010014=????????

---

Adobe Reader 11.0.10 is confirmed to be affected, but we expect all prior 
versions of the software to be prone to the bug, too. A Type1 Proof of Concept 
font is attached ("poc.pfm" + "poc.pfb"), together with its source code to be 
compiled with the type1 tool ("poc.pfa"), and an actual PDF file with the 
offending font file embedded.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

References:
[1] http://en.wikipedia.org/wiki/Multiple_master_fonts

Original issue reported on code.google.com by mjurc...@google.com on 4 Feb 2015 at 4:53
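The flawed bounds check from the report beside a hardened replacement, as an added illustration that is not part of the report or of Adobe's code. The struct, its concrete values and the function names are assumptions; the vulnerable compare is modelled on the movsx/ja sequence in the disassembly, which is why the accepted underflow stops at master_designs dwords.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the STOREWV check (not Adobe's code). Field names
 * follow the decompiled pseudo-code; the struct itself is an assumption. */
typedef struct {
    uint32_t master_designs;      /* WeightVector length, 2..16 */
    uint32_t lenBuildCharArray;   /* transient (BuildCharArray) length */
} mm_font_t;

/* The check as the disassembly performs it: the 16-bit operand is
 * sign-extended (movsx), added to master_designs, and compared unsigned
 * (ja). A small negative idx makes the sum 0..master_designs-1, which is
 * below the limit, so the copy starts in front of the array.
 * Returns true when the check lets the copy proceed. */
bool storewv_check_vulnerable(const mm_font_t *font, int16_t idx)
{
    uint32_t end = font->master_designs + (uint32_t)(int32_t)idx;
    return end <= font->lenBuildCharArray;
}

/* Hardened form: reject negative start indices before any arithmetic and
 * compute the end offset in 64 bits so the sum itself cannot wrap. */
bool storewv_check_fixed(const mm_font_t *font, int16_t idx)
{
    if (idx < 0)
        return false;
    uint64_t end = (uint64_t)idx + (uint64_t)font->master_designs;
    return end <= (uint64_t)font->lenBuildCharArray;
}

/* Worst-case underflow the vulnerable check permits, found by scanning the
 * negative half of the 16-bit operand range: the first accepted index is
 * the most negative one, and each copied element is a 4-byte dword. */
uint32_t storewv_max_underflow_bytes(const mm_font_t *font)
{
    for (int32_t idx = INT16_MIN; idx < 0; idx++) {
        if (storewv_check_vulnerable(font, (int16_t)idx))
            return (uint32_t)(-idx) * 4;
    }
    return 0;   /* no negative index accepted */
}
```

With a 16-entry WeightVector the scan reports 64 bytes, matching the 16 dwords the report describes, while the hardened check rejects every negative index.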

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 6 Feb 2015 at 4:46

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 11 Feb 2015 at 11:53

GoogleCodeExporter commented 9 years ago
Patch due May 12th -- 5 days into 14 day grace period.

Original comment by cev...@google.com on 5 May 2015 at 11:23

GoogleCodeExporter commented 9 years ago
Tagging a CVE and fixing mismatched PSIRT-ID.

Original comment by mjurc...@google.com on 7 May 2015 at 9:36

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/reader/apsb15-10.html

Original comment by cev...@google.com on 12 May 2015 at 6:23

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 12 Jun 2015 at 4:04