Closed gsharpsh00ter closed 6 years ago
Please do bear in mind that the -cache option is deprecated and that nobody is using it. All you may end up doing is have us dump that code quicker. More beneficial testing would be to fuzz against gr2fonttest without -cache.
On 8 Mar 2018 10:22 am, "Ziqiang Gu" notifications@github.com wrote:
0x01 Description
In libgraphite2 version 1.3.11 and the master branch, a segment fault vulnerability was found in graphite2::Slot::set(), which may allow attackers to cause a denial of service or possibly other impact via a crafted font type file.
0x02 How to reproduce
This issue can be reproduced by the following command: gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
0x03 Debugging Information
gzq@ubuntu:~/fuzz/tmp/graphite/build/gr2fonttest$ gdb -q gr2fonttest Reading symbols from gr2fonttest...done. (gdb) r libgraphite2-segfault-graphite2::Slot::set-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003 Starting program: /home/gzq/fuzz/tmp/graphite/build/gr2fonttest/gr2fonttest libgraphite2-segfault-graphite2::Slot::set-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003 Text codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Program received signal SIGSEGV, Segmentation fault. graphite2::Slot::set (this=0x5555557cad80, orig=..., charOffset=5, sizeAttr=3, justLevels=0, numChars=4) at /home/gzq/fuzz/tmp/graphite/src/Slot.cpp:52 52 m_glyphid = orig.m_glyphid; (gdb) print orig $1 = (const graphite2::Slot &)
(gdb) $2 = (const graphite2::Slot &) (gdb) print *this $3 = {m_next = 0x5555557cad00, m_prev = 0x5555557cae00, m_glyphid = 0, m_realglyphid = 0, m_original = 12, m_before = 12, m_after = 12, m_index = 0, m_parent = 0x0, m_child = 0x0, m_sibling = 0x0, m_position = {x = 0, y = 0}, m_shift = {x = 0, y = 0}, m_advance = { x = 576, y = 0}, m_attach = {x = 0, y = 0}, m_with = {x = 0, y = 0}, m_just = 0, m_flags = 0 '\000', m_attLevel = 0 '\000', m_bidiCls = 0 '\000', m_bidiLevel = 0 '\000', m_userAttr = 0x5555557cb658, m_justs = 0x0} (gdb) bt
0 graphite2::Slot::set (this=0x5555557cad80, orig=..., charOffset=5, sizeAttr=3, justLevels=0, numChars=4) at /home/gzq/fuzz/tmp/graphite/src/Slot.cpp:52
1 0x00007ffff7bc6062 in graphite2::Segment::splice (this=this@entry=0x5555557800e0, offset=offset@entry=5, length=
, length@entry=4, startSlot=startSlot@entry=0x5555557cae00, endSlot= , srcSlot= , numGlyphs= ) at /home/gzq/fuzz/tmp/graphite/src/Segment.cpp:320
2 0x00007ffff7babaaf in graphite2::CachedFace::runGraphite (this=0x55555576d4b0, seg=
, pSilf= ) at /home/gzq/fuzz/tmp/graphite/src/CachedFace.cpp:113 3 0x00007ffff7bab213 in graphite2::Segment::runGraphite (this=0x5555557800e0) at /home/gzq/fuzz/tmp/graphite/src/inc/Segment.h:97
4 (anonymous namespace)::makeAndInitialize (dir=1, nChars=19, pStart=0x555555771570, enc=gr_utf8, pFeats=0x555555780080, script=0, face=0x55555576d4b0, font=0x555555771520) at /home/gzq/fuzz/tmp/graphite/src/gr_segment.cpp:46
5 gr_make_seg (font=0x555555771520, face=0x55555576d4b0, script=
, pFeats=0x555555780080, enc=gr_utf8, pStart=0x555555771570, nChars=19, dir=1) at /home/gzq/fuzz/tmp/graphite/src/gr_segment.cpp:105 6 0x0000555555557109 in Parameters::testFileFont (this=0x7fffffffe220) at /home/gzq/fuzz/tmp/graphite/gr2fonttest/gr2FontTest.cpp:700
7 0x0000555555555f98 in main (argc=29, argv=0x7fffffffe398) at /home/gzq/fuzz/tmp/graphite/gr2fonttest/gr2FontTest.cpp:810
(gdb)
For security consideration, the poc file attached is encrypted with a password which I have sent to you.
0x04 Author
This issue is reported by Ziqiang Gu from WeiRan Labs.
0x05 POC
libgraphite2-segfault-graphite2Slotset-1.zip https://github.com/silnrsi/graphite/files/1791734/libgraphite2-segfault-graphite2__Slot__set-1.zip
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/silnrsi/graphite/issues/26, or mute the thread https://github.com/notifications/unsubscribe-auth/AFbHbZQSbBxqHSNsBklS9w-14p8E3N80ks5tcKP6gaJpZM4SiFC5 .
No document indicates this information. If the -cache option has been deprecated, the code should be removed from the core library. I'll stop the wok until the issues are fixed or mitigrated.
The segcache has been removed, thus -cache is no longer valid. Please retest without -cache and reopen this bug if there is still a problem.
0x01 Description
In libgraphite2 version 1.3.11 and the master branch, a segment fault vulnerability was found in graphite2::Slot::set(), which may allow attackers to cause a denial of service or possibly other impact via a crafted font type file.
0x02 How to reproduce
This issue can be reproduced by the following command:
gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
0x03 Debugging Information
For security consideration, the poc file attached is encrypted with a password which I have sent to you.
0x04 Author
This issue is reported by Ziqiang Gu from WeiRan Labs.
0x05 POC
libgraphite2-segfault-graphite2Slotset-1.zip