Vulners
Lucene search
Graphite2 - TtfUtil::CheckCmapSubtable12 Heap Overread
🗓️ 26 May 2016 00:00:00Reported by Google Security ResearchType 
exploitdb🔗 www.exploit-db.com👁 30 Views
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=752
The following crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest /path/to/file -auto
--- cut ---
=================================================================
==27862==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000be45 at pc 0x0000005f3354 bp 0x7ffe1a7ac5b0 sp 0x7ffe1a7ac5a8
READ of size 4 at 0x61200000be45 thread T0
#0 0x5f3353 in graphite2::TtfUtil::CheckCmapSubtable12(void const*, void const*) graphite/src/TtfUtil.cpp:1092:40
#1 0x4fa415 in smp_subtable(graphite2::Face::Table const&) graphite/src/CmapCache.cpp:55:9
#2 0x4fa859 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:95:29
#3 0x54bf42 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#4 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#5 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#6 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#7 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#8 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
0x61200000be45 is located 1 bytes to the right of 260-byte region [0x61200000bd40,0x61200000be44)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55dc0b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11
#2 0x54f8b1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:280:36
#3 0x4fa793 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:91:23
#4 0x54bf42 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#5 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#6 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#7 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#8 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#9 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/TtfUtil.cpp:1092:40 in graphite2::TtfUtil::CheckCmapSubtable12(void const*, void const*)
Shadow bytes around the buggy address:
0x0c247fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff97c0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
0x0c247fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff97e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c247fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27862==ABORTING
--- cut ---
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1252411. Attached are three font files which reproduce the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39861.zipData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 May 2016 00:00Current
7.4High risk
Vulners AI Score7.4