secretsquirrel / google-security-research

Automatically exported from code.google.com/p/google-security-research

FreeType 2.5.3 PCF parsing NULL pointer dereference due to 32-bit integer overflow #158

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In freetype/src/pcf/pcfread.c, the following code is found:

    int           firstCol, lastCol;
    int           firstRow, lastRow;
    int           nencoding, encodingOffset;
    int           i, j, k;
...
      firstCol          = FT_GET_SHORT();
      lastCol           = FT_GET_SHORT();
      firstRow          = FT_GET_SHORT();
      lastRow           = FT_GET_SHORT();
      face->defaultChar = FT_GET_SHORT();
...
    nencoding = ( lastCol - firstCol + 1 ) * ( lastRow - firstRow + 1 );

    if ( FT_NEW_ARRAY( encoding, nencoding ) )
      return FT_THROW( Out_Of_Memory );
...
    for ( i = firstRow; i <= lastRow; i++ )
    {
      for ( j = firstCol; j <= lastCol; j++ )
      {
        // Load data into the "encoding" array.

Since the "firstCol", "lastCol", "firstRow", "lastRow" variables are all 
controlled from the input file, if we set them respectively to:

firstCol = -32768
lastCol = 32767
firstRow = -32768
lastRow = 32767

Then the 32-bit variable will overflow as a result of a "65536 * 65536" 
multiplication, and will become 0. This will lead to the allocator initializing 
the "encoding" pointer with NULL; the pointer will later be used to write data 
to, resulting in a NULL pointer dereference and an application crash:

    ASAN:SIGSEGV
    =================================================================
    ==1143== ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0xf6091fe9 sp 0xff819ab0 bp 0xff819bf8 T0)
    AddressSanitizer can not provide additional info.
        #0 0xf6091fe8 in pcf_get_encodings freetype2/src/pcf/pcfread.c:841
        #1 0xf6093a49 in pcf_load_font freetype2/src/pcf/pcfread.c:1134
        #2 0xf6095826 in PCF_Face_Init freetype2/src/pcf/pcfdrivr.c:274
        #3 0xf5f9f1d7 in open_face freetype2/src/base/ftobjs.c:1191
        #4 0xf5fa27ea in FT_Open_Face freetype2/src/base/ftobjs.c:2123
        #5 0xf5f9f4ff in FT_New_Face freetype2/src/base/ftobjs.c:1254
        #6 0x804b5a8 in get_face ft2demos-2.5.3/src/ftbench.c:705
        #7 0x804bc64 in main ft2demos-2.5.3/src/ftbench.c:924
    SUMMARY: AddressSanitizer: SEGV freetype2/src/pcf/pcfread.c:841 pcf_get_encodings
    ==1143== ABORTING

The attached "poc.pcf" sample can be used to reproduce the behavior.

Original issue reported on code.google.com by mjurc...@google.com on 6 Nov 2014 at 1:12

Attachments:
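
The arithmetic described in the report, worked through as an added example. This is my own code, not FreeType's and not the contents of the attached poc.pcf: it constructs a ten-byte encoding-table header with the reporter's four values, shows the 32-bit product collapsing to 0, models an allocator that hands back NULL for a zero-element request without raising an error (the behaviour the report relies on), and puts a widened, bounds-checked count computation beside it. The hardened `safe_nencoding` is my own check rather than the upstream fix, and the little-endian field layout and the `bytes_left` budget are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed encoding-table header (not bytes from the attached poc.pcf):
 * five 16-bit fields in the order pcfread.c reads them: firstCol, lastCol,
 * firstRow, lastRow, defaultChar. Little-endian is an assumption made here;
 * a real PCF table's byte order is selected by its format flags. */
static const unsigned char poc_header[10] = {
    0x00, 0x80,  /* firstCol    = -32768 */
    0xFF, 0x7F,  /* lastCol     =  32767 */
    0x00, 0x80,  /* firstRow    = -32768 */
    0xFF, 0x7F,  /* lastRow     =  32767 */
    0x00, 0x00   /* defaultChar =      0 */
};

/* A benign header covering 16 columns x 6 rows = 96 glyph slots. */
static const unsigned char sane_header[10] = {
    0x20, 0x00,  /* firstCol = 32 */
    0x2F, 0x00,  /* lastCol  = 47 */
    0x00, 0x00,  /* firstRow = 0  */
    0x05, 0x00,  /* lastRow  = 5  */
    0x00, 0x00   /* defaultChar   */
};

static int get_short_le(const unsigned char *p)
{
    return (int16_t)(uint16_t)(p[0] | (p[1] << 8));  /* sign-extended, as FT_GET_SHORT into an int */
}

/* The 2.5.3 arithmetic, but in uint32_t so the wrap is defined C. (The
 * original multiplies ints, where overflow is undefined but wraps on every
 * mainstream compiler.) For the PoC values both factors are 65536 and the
 * product 2^32 becomes 0 in 32 bits. */
uint32_t vulnerable_nencoding(int firstCol, int lastCol, int firstRow, int lastRow)
{
    uint32_t cols = (uint32_t)(lastCol - firstCol + 1);
    uint32_t rows = (uint32_t)(lastRow - firstRow + 1);
    return cols * rows;
}

/* Models the allocator behaviour the report relies on: a zero-element request
 * returns NULL without an out-of-memory error, so the FT_NEW_ARRAY check
 * passes and the NULL pointer reaches the fill loops. */
static void *model_new_array(uint32_t count, size_t elem_size)
{
    return count == 0 ? NULL : calloc(count, elem_size);
}

/* Hardened count (my own check, not FreeType's upstream fix): widen to 64
 * bits before multiplying, reject inverted ranges, and reject a count that
 * cannot fit in the bytes still available in the input (each encoding entry
 * is a 16-bit value in the file). Returns the count, or -1 when rejected. */
int64_t safe_nencoding(int firstCol, int lastCol, int firstRow, int lastRow,
                       size_t bytes_left)
{
    if (lastCol < firstCol || lastRow < firstRow)
        return -1;
    int64_t cols = (int64_t)lastCol - firstCol + 1;   /* at most 65536 */
    int64_t rows = (int64_t)lastRow - firstRow + 1;   /* at most 65536 */
    int64_t n = cols * rows;                          /* at most 2^32, no wrap */
    if (n > INT32_MAX || (uint64_t)n > bytes_left / 2)
        return -1;
    return n;
}

/* Runs a header through the old arithmetic and the modelled allocator;
 * returns 1 if the encoding array would have come back NULL. */
int old_parser_hits_null(const unsigned char *hdr)
{
    uint32_t n = vulnerable_nencoding(get_short_le(hdr), get_short_le(hdr + 2),
                                      get_short_le(hdr + 4), get_short_le(hdr + 6));
    void *encoding = model_new_array(n, sizeof(uint16_t));
    int hits_null = (encoding == NULL);
    free(encoding);
    return hits_null;
}

/* Same header through the hardened path: count on success, -1 if rejected. */
int64_t new_parser_count(const unsigned char *hdr, size_t bytes_left)
{
    return safe_nencoding(get_short_le(hdr), get_short_le(hdr + 2),
                          get_short_le(hdr + 4), get_short_le(hdr + 6), bytes_left);
}

int main(void)
{
    const unsigned char *hdrs[2] = { poc_header, sane_header };
    const char *names[2] = { "poc", "sane" };
    for (int i = 0; i < 2; i++)
        printf("%-4s header: old arithmetic -> %s; hardened count -> %lld\n", names[i],
               old_parser_hits_null(hdrs[i]) ? "NULL encoding array" : "array allocated",
               (long long)new_parser_count(hdrs[i], 1 << 20));
    return 0;
}
```

The size budget matters as much as the widening: even once the multiplication no longer wraps, a 2^32-entry table from a file that holds a few kilobytes is still a malformed input, and rejecting it before the allocation also avoids a multi-gigabyte request on a trusting allocator.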

GoogleCodeExporter commented 9 years ago
Reported in https://savannah.nongnu.org/bugs/?43548.

Original comment by mjurc...@google.com on 6 Nov 2014 at 1:14

GoogleCodeExporter commented 9 years ago
Fixed in http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=ef1eba75187adfac750f326b563fe543dd5ff4e6.

Original comment by mjurc...@google.com on 7 Nov 2014 at 9:14