FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Out-of-Bounds Read

EDB-ID: 38662
CVE:
Platform: Multiple
Date: 2015-11-09


Source: https://code.google.com/p/google-security-research/issues/detail?id=614

The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of freetype2 from the master git branch, using a 64-bit build of the ftbench utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files that trigger the condition.

--- 
$ freetype2-demos/bin/ftbench asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b 

ftbench results for font `asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b'
-------------------------------------------------------------------------------------

family: (null)
 style: (null)

number of seconds for each test: 2.000000

starting glyph index: 0
face size: 10ppem
font preloading into memory: no

load flags: 0x0
render mode: 0

CFF engine set to Adobe
TrueType engine set to version 35
maximum cache size: 1024KiByte

executing tests:
  Load                      =================================================================
==22366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb55 at pc 0x00000069e2fc bp 0x7fffc4670610 sp 0x7fffc4670608
READ of size 1 at 0x60200000eb55 thread T0
    #0 0x69e2fb in tt_sbit_decoder_load_bit_aligned freetype2/src/sfnt/ttsbit.c:834:19
    #1 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #2 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #3 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
    #4 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #5 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #6 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
    #7 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
    #8 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
    #9 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
    #10 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
    #11 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
    #12 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
    #13 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9

0x60200000eb55 is located 0 bytes to the right of 5-byte region [0x60200000eb50,0x60200000eb55)
allocated by thread T0 here:
    #0 0x4bc4a8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x756740 in ft_alloc freetype2/src/base/ftsystem.c:74:12
    #2 0x51b4e7 in ft_mem_qalloc freetype2/src/base/ftutil.c:76:15
    #3 0x51abb1 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:269:12
    #4 0x51a800 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200:13
    #5 0x69ccab in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1036:10
    #6 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #7 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
    #8 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #9 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #10 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
    #11 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
    #12 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
    #13 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
    #14 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
    #15 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
    #16 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
    #17 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9

SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:834:19 in tt_sbit_decoder_load_bit_aligned
Shadow bytes around the buggy address:
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
  0x0c047fff9d70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d90: fa fa fd fa fa fa 04 fa fa fa 00 fa fa fa fd fa
  0x0c047fff9da0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22366==ABORTING
---

The issue was reported in https://savannah.nongnu.org/bugs/?46379.
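The report above shows a 1-byte read landing 0 bytes past the end of a 5-byte frame that FT_Stream_ExtractFrame handed to the bit-aligned decoder, i.e. the decoder trusted the glyph's declared width, height and bit depth without checking that the frame actually contains that many bits. The following is an added illustration of that class of check, not FreeType's code or its actual fix: a hypothetical bit-aligned decoder (`decode_bit_aligned`, a name assumed here) that computes the byte count the declared metrics require and rejects the frame before unpacking when it is shorter.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bit-aligned embedded-bitmap decoder (illustration only).
   "Bit aligned" means rows are NOT padded to a byte boundary: the whole
   glyph is one continuous bit stream, MSB first. Pixels are written out
   as one byte each. Returns 0 on success, -1 if the frame [p, limit) is
   too short for the declared metrics or the metrics are out of range. */
int decode_bit_aligned(const uint8_t *p, const uint8_t *limit,
                       unsigned width, unsigned height, unsigned bit_depth,
                       uint8_t *out, size_t out_len)
{
    /* Bits the declared glyph needs, rounded up to whole bytes. 64-bit
       arithmetic so a hostile width*height*bit_depth cannot wrap. */
    uint64_t needed_bits  = (uint64_t)width * height * bit_depth;
    uint64_t needed_bytes = (needed_bits + 7) / 8;

    /* The missing check in the report: compare the frame length against
       the required length before touching any byte of the frame. */
    if (limit < p || (uint64_t)(limit - p) < needed_bytes)
        return -1;
    if (bit_depth == 0 || bit_depth > 8 ||
        (uint64_t)width * height > out_len)
        return -1;

    /* Everything read below is now inside [p, p + needed_bytes). */
    uint64_t bit_pos = 0;
    for (unsigned y = 0; y < height; y++) {
        for (unsigned x = 0; x < width; x++) {
            unsigned v = 0;
            for (unsigned b = 0; b < bit_depth; b++, bit_pos++) {
                unsigned bit = (p[bit_pos >> 3] >> (7 - (bit_pos & 7))) & 1;
                v = (v << 1) | bit;
            }
            out[(size_t)y * width + x] = (uint8_t)v;
        }
    }
    return 0;
}
```

With a constructed 5-byte frame, declared metrics of 8x6 at 1 bpp (48 bits, 6 bytes) are rejected, while 8x5 at 1 bpp or 4x5 at 2 bpp (exactly 40 bits) decode normally.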

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38662.zip