Closed
Bug 1273283
Opened 8 years ago
Closed 8 years ago
freetype2: index out of bounds in [@ft_lzwstate_get_code]
Categories: Core :: Graphics: Text, defect
Tracking: RESOLVED FIXED
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: csectype-bounds, sec-other, testcase
Attachments (1 file): 301 bytes, application/x-font-ttf
Found while fuzzing freetype2 commit 1eb735299a4606c01b7abbb2f561e7a904e08c1c (>2.6.3). I'm not sure if this affects the browser or if we are protected by OTS. I'm also not sure how far this bug goes back.

/home/user/code/freetype2/src/lzw/ftzopen.c:90:18: runtime error: index 17 out of bounds for type 'FT_Byte [16]'
#0 0x819e87 in ft_lzwstate_get_code /home/user/code/freetype2/src/lzw/ftzopen.c:90:18
#1 0x81799d in ft_lzwstate_io /home/user/code/freetype2/src/lzw/ftzopen.c:314:13
#2 0x8158ad in ft_lzw_file_fill_output /home/user/code/freetype2/src/lzw/ftlzw.c:179:13
#3 0x8158ad in ft_lzw_file_io /home/user/code/freetype2/src/lzw/ftlzw.c:296
#4 0x8158ad in ft_lzw_stream_io /home/user/code/freetype2/src/lzw/ftlzw.c:342
#5 0x531bfd in FT_Stream_EnterFrame /home/user/code/freetype2/src/base/ftstream.c:273:20
#6 0x5366c6 in FT_Stream_ReadFields /home/user/code/freetype2/src/base/ftstream.c:742:17
#7 0x6c044b in pcf_read_TOC /home/user/code/freetype2/src/pcf/pcfread.c:102:10
#8 0x6c044b in pcf_load_font /home/user/code/freetype2/src/pcf/pcfread.c:1196
#9 0x6bb291 in PCF_Face_Init /home/user/code/freetype2/src/pcf/pcfdrivr.c:335:15
#10 0x5025bf in open_face /home/user/code/freetype2/src/base/ftobjs.c:1177:15
#11 0x4ff659 in FT_Open_Face /home/user/code/freetype2/src/base/ftobjs.c:2177:19
#12 0x4fed0e in FT_New_Face /home/user/code/freetype2/src/base/ftobjs.c:1240:12
#13 0x4e38b7 in ExecuteTest /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:139:10
#14 0x4e38b7 in main /home/user/code/freetype2/src/tools/ftrandom/../../../src/tools/ftrandom/ftrandom.c:166
#15 0x7f13e337dec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#16 0x41dfa5 in _start (/home/ubuntu/build/build/ftrandom+0x41dfa5)
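The sanitizer report above flags a read past a fixed 16-byte input window while a variable-width code is being extracted. As an added illustration of that defect class and its mitigation (constructed for this page; not FreeType's ft_lzwstate_get_code and not the fix that landed upstream), here is a small MSB-first code reader in C: naive_last_index shows which byte an unchecked reader would touch for the next code, and get_code_checked refuses any code that would extend past the bytes actually loaded before it dereferences anything. The struct layout, function names, 9-bit code width and the sample bytes are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a variable-width code reader over a fixed 16-byte
 * input window, loosely shaped like an LZW input stage.  It is NOT
 * FreeType's ft_lzwstate_get_code; names and layout are assumptions. */

#define WINDOW_SIZE 16          /* fixed window, like the FT_Byte[16] in the report */

typedef struct {
    uint8_t  buff[WINDOW_SIZE]; /* bytes refilled from the stream */
    unsigned avail;             /* how many of them are valid, <= WINDOW_SIZE */
    unsigned bit_pos;           /* next unread bit, counted from buff[0] */
    unsigned num_bits;          /* current code width (LZW uses 9..16) */
} code_reader;

/* Highest byte index a naive reader would touch for the next code.  A reader
 * that derives its pointer from the bit offset alone, without comparing
 * against the bytes actually loaded, dereferences this index even when it is
 * >= WINDOW_SIZE; that is the class of defect the sanitizer reported. */
unsigned naive_last_index(const code_reader *r)
{
    return (r->bit_pos + r->num_bits - 1) >> 3;
}

/* Hardened read, MSB-first.  Returns the code (0 .. 2^num_bits - 1) or -1 when
 * the code would extend past the valid bytes, so the caller must refill the
 * window or treat the stream as truncated/corrupt.  Nothing is read before
 * the check passes. */
int get_code_checked(code_reader *r)
{
    if (r->num_bits == 0 || r->num_bits > 16 || r->avail > WINDOW_SIZE)
        return -1;                          /* invalid reader state */
    if (naive_last_index(r) >= r->avail)
        return -1;                          /* would run off the window */

    uint32_t acc = 0;
    for (unsigned i = 0; i < r->num_bits; i++) {
        unsigned pos = r->bit_pos + i;
        unsigned bit = (r->buff[pos >> 3] >> (7 - (pos & 7))) & 1u;
        acc = (acc << 1) | bit;
    }
    r->bit_pos += r->num_bits;
    return (int)acc;
}

/* Pulls codes until the window cannot supply a whole one; returns the count. */
unsigned read_all_codes(code_reader *r, int *out, unsigned max_out)
{
    unsigned n = 0;
    int c;
    while (n < max_out && (c = get_code_checked(r)) >= 0)
        out[n++] = c;
    return n;
}

/* Builds a reader over constructed bytes (at most WINDOW_SIZE are copied). */
code_reader make_reader(const uint8_t *bytes, unsigned n,
                        unsigned bit_pos, unsigned num_bits)
{
    code_reader r;
    memset(&r, 0, sizeof r);
    if (n > WINDOW_SIZE)
        n = WINDOW_SIZE;
    memcpy(r.buff, bytes, n);
    r.avail    = n;
    r.bit_pos  = bit_pos;
    r.num_bits = num_bits;
    return r;
}

int main(void)
{
    /* Constructed sample window: alternating 0xFF / 0x00 bytes. */
    static const uint8_t win[WINDOW_SIZE] = {
        0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00,
        0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00 };
    int codes[32];
    code_reader r = make_reader(win, WINDOW_SIZE, 0, 9);
    unsigned n = read_all_codes(&r, codes, 32);
    printf("read %u 9-bit codes, first two: %d %d\n", n, codes[0], codes[1]);

    /* A read position near the end: the naive index lands on buff[16]. */
    code_reader bad = make_reader(win, WINDOW_SIZE, 124, 9);
    printf("naive index %u, checked read -> %d\n",
           naive_last_index(&bad), get_code_checked(&bad));
    return 0;
}
```

The design point is that the bound is taken from avail (bytes actually loaded), not from the window's capacity: a partially refilled window is the case where an index derived only from the bit offset silently stays "inside" the array type while reading stale or out-of-range bytes.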
Comment 1•8 years ago
Since switching to the new fontconfig backend (the default since bug 1180560, mozilla-44) I don't think we support PCF fonts at all; and they were never supported as webfonts anyway, the only possibility of using them would have been as locally-installed fonts on linux, I believe. As such, this shouldn't affect the browser; but it should be reported upstream for the benefit of freetype clients in general.
Comment 2•8 years ago (Reporter)
The issue seems to be in common lzw code and the fuzzer seemed to find a path through PCF to get there. This is potentially accessible via other font types. What do you think Jonathan?
Comment 3•8 years ago
AFAICS, the PCF driver is the only module in freetype that calls FT_Stream_OpenLZW, and hence eventually could reach ft_lzw_stream_io etc. There's no usage of LZW within TrueType/OpenType, the formats we would accept as webfonts. So I think we're unaffected, unless I'm missing something.
Comment 4•8 years ago (Reporter)
Reproduces with freetype2 revision 248f5629d8889aa5b77ea5bfce0935140293d50d (>2.6.5).
Comment 5•8 years ago
Fixed in git, thanks. Note that I'm not sure whether my approach to the problem is the correct solution; however, I think it should work in general.
Comment 6•8 years ago (Reporter)
Verified fixed in freetype2 revision 8521ad99b03c24040dbc0387966118ebc81f8933. Thanks!
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
Group: gfx-core-security → core-security-release
Updated•4 years ago
Group: core-security-release