Graphite2 heap-based overread in TtfUtil::CmapSubtable4NextCodepoint

RESOLVED FIXED

Status

()

Core
Graphics: Text
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: Mateusz Jurczyk, Assigned: martin_hosken)

Tracking

({csectype-bounds, sec-moderate})

unspecified
csectype-bounds, sec-moderate
Points:
---

Firefox Tracking Flags

(firefox45 disabled, firefox46 fixed, firefox47 fixed, firefox48 fixed, firefox-esr3846+ disabled, firefox-esr4546+ disabled)

Details

(Whiteboard: Disclosure deadline June 6)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Created attachment 8727786 [details]
Reproducers.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

The following crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:

$ ./gr2fonttest /path/to/file -auto

--- cut ---
==19167==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000dff1 at pc 0x000000553c7d bp 0x7ffc6c2c7100 sp 0x7ffc6c2c70f8
READ of size 1 at 0x60e00000dff1 thread T0
    #0 0x553c7c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
    #1 0x553be8 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:43
    #2 0x56d7e3 in unsigned short be::peek<unsigned short>(void const*) graphite/src/./inc/Endian.h:55:18
    #3 0x5f2bad in graphite2::TtfUtil::CmapSubtable4NextCodepoint(void const*, unsigned int, int*) graphite/src/TtfUtil.cpp:1042:16
    #4 0x4fce35 in bool cache_subtable<&graphite2::TtfUtil::CmapSubtable4NextCodepoint, &graphite2::TtfUtil::CmapSubtable4Lookup>(unsigned short**, void const*, unsigned int) graphite/src/CmapCache.cpp:65:33
    #5 0x4fb097 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:107:14
    #6 0x54b6d2 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
    #7 0x56f5d4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
    #8 0x56f0e4 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
    #9 0x571420 in gr_make_file_face graphite/src/gr_face.cpp:242:23
    #10 0x4ed0b3 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed0b3)
    #11 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)

0x60e00000dff1 is located 0 bytes to the right of 145-byte region [0x60e00000df60,0x60e00000dff1)
allocated by thread T0 here:
    #0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x55d42b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11
    #2 0x54f0d1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:281:36
    #3 0x4faad3 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:91:23
    #4 0x54b6d2 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
    #5 0x56f5d4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
    #6 0x56f0e4 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
    #7 0x571420 in gr_make_file_face graphite/src/gr_face.cpp:242:23
    #8 0x4ed0b3 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed0b3)
    #9 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)

SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
  0x0c1c7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c1c7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
  0x0c1c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19167==ABORTING
--- cut ---

Attached is an archive with three font files which reproduce the crash.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Updated

2 years ago
Group: core-security → gfx-core-security
Keywords: sec-high
Keywords: csectype-bounds
Keywords: sec-high → sec-moderate
Whiteboard: Disclosure deadline June 6
(Assignee)

Comment 1

2 years ago
Please bear in mind that all buggy fonts that trigger bugs related to font tables other than graphite tables may well not pass OTS and so may not be exploitable within firefox.
(Assignee)

Comment 2

2 years ago
Fixed? in c36204c44d0c73d8afeff3fe3a1bdf3f5fd7d8bd
Verified with graphite revision f67e446f6637d5845a4df55e83a4f8a0eb7ad42b

Updated

2 years ago
Depends on: 1255158
Assignee: nobody → martin_hosken

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Graphite2 has been updated on all affected branches including ESRs.
status-firefox45: --- → wontfix
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox48: --- → fixed
status-firefox-esr38: --- → fixed
status-firefox-esr45: --- → fixed
tracking-firefox-esr38: --- → 46+
tracking-firefox-esr45: --- → 46+
status-firefox45: wontfix → disabled
status-firefox-esr38: fixed → disabled
status-firefox-esr45: fixed → disabled
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.