Closed Bug 1273283 Opened 8 years ago Closed 8 years ago

freetype2: index out of bounds in [@ft_lzwstate_get_code]

Categories

(Core :: Graphics: Text, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-bounds, sec-other, testcase)

Attachments

(1 file)

Attached file test_case.ttf (301 bytes, application/x-font-ttf)
Found while fuzzing freetype2 commit 1eb735299a4606c01b7abbb2f561e7a904e08c1c (>2.6.3)

I'm not sure if this affects the browser or if we are protected by OTS. I'm also not sure how far this bug goes back.

/home/user/code/freetype2/src/lzw/ftzopen.c:90:18: runtime error: index 17 out of bounds for type 'FT_Byte [16]'
    #0 0x819e87 in ft_lzwstate_get_code /home/user/code/freetype2/src/lzw/ftzopen.c:90:18
    #1 0x81799d in ft_lzwstate_io /home/user/code/freetype2/src/lzw/ftzopen.c:314:13
    #2 0x8158ad in ft_lzw_file_fill_output /home/user/code/freetype2/src/lzw/ftlzw.c:179:13
    #3 0x8158ad in ft_lzw_file_io /home/user/code/freetype2/src/lzw/ftlzw.c:296
    #4 0x8158ad in ft_lzw_stream_io /home/user/code/freetype2/src/lzw/ftlzw.c:342
    #5 0x531bfd in FT_Stream_EnterFrame /home/user/code/freetype2/src/base/ftstream.c:273:20
    #6 0x5366c6 in FT_Stream_ReadFields /home/user/code/freetype2/src/base/ftstream.c:742:17
    #7 0x6c044b in pcf_read_TOC /home/user/code/freetype2/src/pcf/pcfread.c:102:10
    #8 0x6c044b in pcf_load_font /home/user/code/freetype2/src/pcf/pcfread.c:1196
    #9 0x6bb291 in PCF_Face_Init /home/user/code/freetype2/src/pcf/pcfdrivr.c:335:15
    #10 0x5025bf in open_face /home/user/code/freetype2/src/base/ftobjs.c:1177:15
    #11 0x4ff659 in FT_Open_Face /home/user/code/freetype2/src/base/ftobjs.c:2177:19
    #12 0x4fed0e in FT_New_Face /home/user/code/freetype2/src/base/ftobjs.c:1240:12
    #13 0x4e38b7 in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:139:10
    #14 0x4e38b7 in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
    #15 0x7f13e337dec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #16 0x41dfa5 in _start (/home/ubuntu/build/build/ftrandom+0x41dfa5)
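The fault class in the sanitizer line above (a 16-byte code table indexed with a value derived from the current LZW code width) can be illustrated with a small compress(1)-style code reader. This is an added example, not FreeType's ftzopen.c and not the upstream fix; the `lzw_*` names, the `lzw_state` fields and the layout of the block buffer are assumptions made for the illustration, and nothing here asserts how the real bug arises beyond what the UBSan message shows. The 9..16-bit width rule and the 0x1F 0x9D header with max_bits in the low five bits of the third byte are taken from the compress(1) stream format. The unchecked header parse accepts a width the table cannot hold; `lzw_get_code` refuses to refill a block at such a width; a packing helper lets the reader round-trip constructed codes so the reader can be exercised offline.

```c
/* Added illustration, not FreeType's code: a compress(1)-style LZW code
 * reader with the shape the UBSan report points at (a code-width-derived
 * index into a 16-byte table).  Names and layout here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LZW_INIT_BITS   9     /* first code width in compress(1) streams  */
#define LZW_MAX_BITS    16    /* widest code the format allows            */
#define LZW_BLOCK_CODES 8     /* one block holds 8 codes of num_bits bits */

typedef struct {
    const uint8_t *in;
    size_t         in_len, in_pos;
    unsigned       num_bits;              /* current code width in bits   */
    uint8_t        buf_tab[LZW_MAX_BITS]; /* one block = num_bits bytes   */
    unsigned       buf_size;              /* bytes valid in buf_tab       */
    unsigned       buf_offset;            /* codes consumed from block    */
} lzw_state;

/* Parse the 3-byte header 0x1F 0x9D <flags>; the low 5 bits of flags are
 * max_bits.  With checked == 0 the value is trusted as the stream states
 * it, so a header may claim 17..31 bits, which buf_tab cannot hold. */
int lzw_parse_header(const uint8_t *hdr, size_t len, int checked)
{
    if (len < 3 || hdr[0] != 0x1F || hdr[1] != 0x9D)
        return -1;
    int max_bits = hdr[2] & 0x1F;
    if (checked && (max_bits < LZW_INIT_BITS || max_bits > LZW_MAX_BITS))
        return -1;
    return max_bits;
}

/* Hardened open: the header is validated before any width is used. */
int lzw_init(lzw_state *st, const uint8_t *data, size_t len)
{
    int max_bits = lzw_parse_header(data, len, 1);
    if (max_bits < 0)
        return -1;
    memset(st, 0, sizeof *st);
    st->in = data + 3;
    st->in_len = len - 3;
    st->num_bits = LZW_INIT_BITS;
    return max_bits;
}

/* Return the next code (LSB-first packing) or -1 at end of input.  The
 * width check before the refill is the point: without it, num_bits = 17
 * makes the loop touch buf_tab[16], the index class in the report. */
int lzw_get_code(lzw_state *st)
{
    if (st->buf_size == 0 || st->buf_offset == LZW_BLOCK_CODES) {
        if (st->num_bits > LZW_MAX_BITS)           /* table too small */
            return -1;
        unsigned n = 0;
        while (n < st->num_bits && st->in_pos < st->in_len)
            st->buf_tab[n++] = st->in[st->in_pos++];
        if (n == 0)
            return -1;
        st->buf_size = n;
        st->buf_offset = 0;
    }
    unsigned bit = st->buf_offset * st->num_bits;
    if (bit + st->num_bits > st->buf_size * 8u)    /* truncated block */
        return -1;
    unsigned code = 0;
    for (unsigned i = 0; i < st->num_bits; i++, bit++)
        code |= (unsigned)((st->buf_tab[bit >> 3] >> (bit & 7)) & 1u) << i;
    st->buf_offset++;
    return (int)code;
}

/* Pack codes LSB-first at the given width (helper for constructing input). */
size_t lzw_pack_codes(const unsigned *codes, size_t n, unsigned num_bits,
                      uint8_t *out, size_t out_len)
{
    size_t bit = 0;
    memset(out, 0, out_len);
    for (size_t k = 0; k < n; k++)
        for (unsigned i = 0; i < num_bits; i++, bit++) {
            if (bit / 8 >= out_len)
                return 0;
            out[bit >> 3] |= (uint8_t)(((codes[k] >> i) & 1u) << (bit & 7));
        }
    return (bit + 7) / 8;
}

int main(void)
{
    /* Constructed inputs: a well-formed stream and a header claiming 17 bits. */
    uint8_t good[3 + 9] = { 0x1F, 0x9D, 0x80 | 16 };
    uint8_t bad[3]      = { 0x1F, 0x9D, 0x80 | 17 };
    unsigned codes[8]   = { 'h', 'e', 'l', 'l', 'o', 256, 257, 511 };
    lzw_pack_codes(codes, 8, LZW_INIT_BITS, good + 3, 9);

    printf("unchecked header yields max_bits=%d\n", lzw_parse_header(bad, 3, 0));
    printf("checked header result=%d\n", lzw_parse_header(bad, 3, 1));

    lzw_state st;
    if (lzw_init(&st, good, sizeof good) < 0)
        return 1;
    for (int c; (c = lzw_get_code(&st)) >= 0; )
        printf("code %d\n", c);
    return 0;
}
```

Compile with something like `cc -std=c99 -fsanitize=undefined lzw_demo.c` (an assumed file name); the width check in `lzw_get_code` is what keeps the refill loop inside the 16-byte table regardless of what the header or a later width increase asks for.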
Since switching to the new fontconfig backend (the default since bug 1180560, mozilla-44), I don't think we support PCF fonts at all; and they were never supported as webfonts anyway. The only possibility of using them would have been as locally-installed fonts on Linux, I believe.

As such, this shouldn't affect the browser; but it should be reported upstream for the benefit of freetype clients in general.
The issue seems to be in common LZW code, and the fuzzer seemed to find a path through PCF to get there. This is potentially accessible via other font types.

What do you think Jonathan?
AFAICS, the PCF driver is the only module in freetype that calls FT_Stream_OpenLZW, and hence eventually could reach ft_lzw_stream_io etc. There's no usage of LZW within TrueType/OpenType, the formats we would accept as webfonts.

So I think we're unaffected, unless I'm missing something.
Keywords: sec-other
Reproduces with freetype2 revision 248f5629d8889aa5b77ea5bfce0935140293d50d (>2.6.5)
Fixed in git, thanks.  Note that I'm not sure whether my approach to the problem is the correct solution; however, I think it should work in general.
Verified fixed in freetype2 revision 8521ad99b03c24040dbc0387966118ebc81f8933. Thanks!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release