FreeType 2.5.3 BDF parsing potential heap pointer disclosure

[GoogleCodeExporter]

One of the font file formats supported by the FreeType open-source 
rasterization library is BDF (Glyph Bitmap Distribution Format). The BDF 
handling code resides in freetype/src/bdf. In the internal "_bdf_add_property" 
function defined in freetype/src/bdf/bdflib.c, the following code can be found:

1429:    if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
1430:      font->default_char = fp->value.l;
1431:    else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
1432:      font->font_ascent = fp->value.l;
1433:    else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
1434:      font->font_descent = fp->value.l;

While the function itself is responsible for adding new entries to an internal 
database of properties associated with the input font, it also checks for 
several specific properties and uses them to initialize some structure fields 
(default_char, font_ascent, font_descent). The code assumes that the type of 
those properties is either BDF_CARDINAL or BDF_INTEGER, which is correct, 
because they are hard-coded in the same source file:

 92:    { (char *)"DEFAULT_CHAR",            BDF_CARDINAL, 1, { 0 } },
...
101:    { (char *)"FONT_ASCENT",             BDF_INTEGER,  1, { 0 } },
102:    { (char *)"FONT_DESCENT",            BDF_INTEGER,  1, { 0 } },

On the other hand, all user-specified properties are of type BDF_ATOM, which 
uses the "atom" part of the "value" union instead of "l" or "ul":

107:  /* This structure represents a particular property of a font. */
108:  /* There are a set of defaults and each font has their own.   */
109:  typedef struct  bdf_property_t_
110:  {
111:    char*  name;         /* Name of the property.   */
112:    int    format;       /* Format of the property. */
113:    int    builtin;      /* A builtin property.     */
114:    union
115:    {
116:      char*          atom;
117:      long           l;
118:      unsigned long  ul;
119:
120:    } value;             /* Value of the property.  */
121:
122:  } bdf_property_t;

Due to the fact that the strncmp() function is used to recognize the special 
property names instead of strcmp(), longer names starting with the required 
strings can be used to pass the checks, too. For example, if a BDF font with 
the following line is supplied to FreeType:

DEFAULT_CHAR_SOME_IRRELEVANT_SUFFIX ARGUMENT

Then "font->default_char" will be set to a heap pointer pointing at the 
user-controlled "ARGUMENT" string. The three values (and especially ascent and 
descent) control how text is displayed on the screen, so in case of a scenario 
where it is possible to read pixels back (e.g. a web browser), this could be 
used to disclose an internal pointer and potentially defeat ASLR.

Attached is a font which triggers the described behavior. However, since the 
bug doesn't result in a hard crash, it can be best observed if a debug printf() 
is added after initialization of the default_char/font_ascent/font_descent 
fields in freetype/src/bdf/bdflib.c:1429-1434. Example output:

$ ./ftbench /path/to/poc.bdf
...
Leaked pointer: 0x265fa10
Leaked pointer: 0x26617b0
Leaked pointer: 0x2661890

Original issue reported on code.google.com by mjurc...@google.com on 4 Nov 2014 at 6:15

Attachments:

• poc.bdf

[GoogleCodeExporter]

Reported in https://savannah.nongnu.org/bugs/?43535.

Original comment by mjurc...@google.com on 5 Nov 2014 at 12:15

• Added labels: Reported-2014-Nov-5
• Removed labels: Reported-2014-Nov-4

[GoogleCodeExporter]

Fixed in 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=2c4832d30939b
45c05757f0a05128ce64c4cacc7.

Original comment by mjurc...@google.com on 7 Nov 2014 at 9:11

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 7 Nov 2014 at 9:12

• Changed state: Fixed

[GoogleCodeExporter]

All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of 
PCF fonts should update, since version 2.5.4 introduced a bug that prevented 
reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix 
for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a 
new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie 
roadmap below, is auto-hinting support for Devanagari and Telugu, two widely 
used Indic scripts. A more detailed description of the remaining changes and 
fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 25 Feb 2015 at 2:06

• Added labels: CVE-2014-9675

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 20 Apr 2015 at 2:03

• Added labels: Fixed-2014-Nov-7