FreeType 2.5.3 CFF CharString parsing heap-based buffer overflow in "cff_builder_add_point"

[GoogleCodeExporter]

The following heap-based out-of-bounds memory write has been encountered in 
FreeType while fuzzing OTF fonts. It has been reproduced with the current 
version of freetype2 from master git branch, with a 64-bit build of the ftbench 
utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==5718==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4736a69780 
at pc 0x741f52 bp 0x7fff23cea610 sp 0x7fff23cea608
WRITE of size 8 at 0x7f4736a69780 thread T0
    #0 0x741f51 in cff_builder_add_point freetype2/src/cff/cffgload.c:504
    #1 0x7409eb in cf2_builder_cubeTo freetype2/src/cff/cf2ft.c:197
    #2 0x72977a in cf2_glyphpath_pushPrevElem freetype2/src/cff/cf2hints.c:1336
    #3 0x70820a in cf2_glyphpath_curveTo freetype2/src/cff/cf2hints.c:1782
    #4 0x6f0f5c in cf2_interpT2CharString freetype2/src/cff/cf2intrp.c:720
    #5 0x6e8570 in cf2_getGlyphOutline freetype2/src/cff/cf2font.c:469
    #6 0x6e4c5e in cf2_decoder_parse_charstrings freetype2/src/cff/cf2ft.c:367
    #7 0x6da446 in cff_slot_load freetype2/src/cff/cffgload.c:2840
    #8 0x69dbcc in cff_glyph_load freetype2/src/cff/cffdrivr.c:185
    #9 0x4a427e in FT_Load_Glyph freetype2/src/base/ftobjs.c:726
    #10 0x491d69 in test_load ft2demos-2.5.3/src/ftbench.c:249
    #11 0x492b51 in benchmark ft2demos-2.5.3/src/ftbench.c:216
    #12 0x48e962 in main ft2demos-2.5.3/src/ftbench.c:1020

0x7f4736a69780 is located 0 bytes to the right of 524160-byte region 
[0x7f47369e9800,0x7f4736a69780)
allocated by thread T0 here:
    #0 0x47231b in realloc (ft2demos-2.5.3/bin/ftbench+0x47231b)
    #1 0xaf2961 in ft_realloc freetype2/src/base/ftsystem.c:107
    #2 0x5359a6 in ft_mem_qrealloc freetype2/src/base/ftutil.c:155
    #3 0x4b1331 in ft_mem_realloc freetype2/src/base/ftutil.c:102
    #4 0x4b2cfe in FT_GlyphLoader_CheckPoints freetype2/src/base/ftgloadr.c:225
    #5 0x7417e6 in cff_check_points freetype2/src/cff/cffgload.c:472
    #6 0x7408f1 in cf2_builder_cubeTo freetype2/src/cff/cf2ft.c:195
    #7 0x72977a in cf2_glyphpath_pushPrevElem freetype2/src/cff/cf2hints.c:1336
    #8 0x70820a in cf2_glyphpath_curveTo freetype2/src/cff/cf2hints.c:1782
    #9 0x6f0f5c in cf2_interpT2CharString freetype2/src/cff/cf2intrp.c:720
    #10 0x6e8570 in cf2_getGlyphOutline freetype2/src/cff/cf2font.c:469
    #11 0x6e4c5e in cf2_decoder_parse_charstrings freetype2/src/cff/cf2ft.c:367
    #12 0x6da446 in cff_slot_load freetype2/src/cff/cffgload.c:2840
    #13 0x69dbcc in cff_glyph_load freetype2/src/cff/cffdrivr.c:185
    #14 0x4a427e in FT_Load_Glyph freetype2/src/base/ftobjs.c:726
    #15 0x491d69 in test_load ft2demos-2.5.3/src/ftbench.c:249
    #16 0x492b51 in benchmark ft2demos-2.5.3/src/ftbench.c:216
    #17 0x48e962 in main ft2demos-2.5.3/src/ftbench.c:1020

SUMMARY: AddressSanitizer: heap-buffer-overflow 
freetype2/src/cff/cffgload.c:504 cff_builder_add_point
Shadow bytes around the buggy address:
  0x0fe966d452a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe966d452b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe966d452c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe966d452d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe966d452e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe966d452f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe966d45300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe966d45310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe966d45320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe966d45330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe966d45340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5718==ABORTING

Original issue reported on code.google.com by mjurc...@google.com on 21 Nov 2014 at 10:35

Attachments:

• asan_heap-oob_7337be_4558_cov_2281824659_combustt.otf
• asan_heap-oob_7337be_5477_cov_631718262_elsewher.otf
• asan_heap-oob_7337be_5479_cov_229227555_elsewher.otf

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 21 Nov 2014 at 10:36

• Changed title: FreeType 2.5.3 CFF CharString parsing heap-based buffer overflow in "cff_builder_add_point"

[GoogleCodeExporter]

Reported in https://savannah.nongnu.org/bugs/?43658.

Original comment by mjurc...@google.com on 21 Nov 2014 at 11:34

[GoogleCodeExporter]

Fixed in 
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5f201ab5c24cb
69bc96b724fd66e739928d6c5e2.

Original comment by mjurc...@google.com on 23 Nov 2014 at 11:14

• Changed state: Fixed

[GoogleCodeExporter]

All fixed by upstream:

FreeType 2.5.5

2014-12-30
FreeType 2.5.5 has been released. This is a minor bug fix release: All users of 
PCF fonts should update, since version 2.5.4 introduced a bug that prevented 
reading of such font files if not compressed.

FreeType 2.5.4

2014-12-06
FreeType 2.5.4 has been released. All users should upgrade due to another fix 
for vulnerability CVE-2014-2240 in the CFF driver. The library also contains a 
new round of patches for better protection against malformed fonts.

The main new feature, which is also one of the targets mentioned in the pledgie 
roadmap below, is auto-hinting support for Devanagari and Telugu, two widely 
used Indic scripts. A more detailed description of the remaining changes and 
fixes can be found here.

Original comment by cev...@google.com on 26 Jan 2015 at 5:27

• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by mjurc...@google.com on 25 Feb 2015 at 1:57

• Added labels: CVE-2014-9662