Closed gsharpsh00ter closed 6 years ago
I've added you to our private repo for security bugs; please could you re-post the zip files (both from here and from #24) in an issue there, unencrypted, or the password. I'll leave this bug open so I can mark it closed once it's been fixed.
Can you tell me how to visit your private repository? I found no way.
The segcache has been removed, thus -cache is no longer valid. Please retest without -cache and reopen this bug if there is still a problem.
0x01 Description
In libgraphite2 version 1.3.11 and the master branch, a memory corruption vulnerability was found in graphite2::SegCacheEntry::clear(), which may allow attackers to cause a denial of service or possibly execute arbitrary code via a crafted font type file.
0x02 How to reproduce
This issue can be reproduced by the following command:
gr2fonttest libgraphite2-SegCacheEntry-clear-memory-corruption.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
0x03 Backtrace Information
I didn't dig into the details. I'm not sure if this issue is the same as the previous one (#24); the backtrace seems different.
For security considerations, the attached PoC file is encrypted with a password; if you need it, please ask me for it.
0x04 Author
This issue is reported by Ziqiang Gu from Weiran Labs.
libgraphite2-SegCacheEntry-clear-memory-corruption.zip