CVE-2022-31782: Heap overflow in get_charset in ftbench.c (#8) · Issues · FreeType / FreeType Demo Programs · GitLab

ftbench.c in FreeType Demo Programs through 2.12.1 has a heap-based buffer overflow.

Heap overflow in get_charset in ftbench.c

face->num_glyphs can be zero; as a result, first_index and last_index would be -1. Those variables are then used in the get_charset function.

    if ( first_index >= face->num_glyphs )
      first_index = face->num_glyphs - 1;
    if ( last_index >= face->num_glyphs )
      last_index = face->num_glyphs - 1;
    incr_index = last_index > first_index ? 1 : -1;

In get_charset, variable i would be assigned -1 and this code would access charset->code[-1], resulting in an out-of-bounds access.

#define FOREACH( i )  for ( i = first_index ;                          \
                            ( first_index <= i && i <= last_index ) || \
                            ( first_index >= i && i >= last_index ) ;  \
                            i += incr_index )

void get_charset()
{
    ...
    {
      int  j;

      /* no charmap, do an identity mapping */
      FOREACH( j )
        charset->code[i++] = (FT_ULong)j;
    }
    ...
}

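The following is an added illustration, not code from ftbench.c or from the issue: it reproduces the index clamping and the FOREACH macro shown above in isolation, counts how many times the identity-mapping body runs, and places a hardened variant beside it. The `count_identity_writes*` functions and the early return on `num_glyphs <= 0` are assumptions for this example, not the project's own fix.

```c
#include <stdio.h>

/* Same macro shape as the ftbench.c excerpt: walks from first_index to
 * last_index in either direction. */
#define FOREACH( i )  for ( i = first_index ;                          \
                            ( first_index <= i && i <= last_index ) || \
                            ( first_index >= i && i >= last_index ) ;  \
                            i += incr_index )

/* Mirror the clamping in ftbench.c: requested indices are clamped to
 * num_glyphs - 1; with num_glyphs == 0 both become -1. */
static void clamp_indices( long num_glyphs, int *first_index,
                           int *last_index, int *incr_index )
{
  if ( *first_index >= num_glyphs ) *first_index = (int)num_glyphs - 1;
  if ( *last_index  >= num_glyphs ) *last_index  = (int)num_glyphs - 1;
  *incr_index = *last_index > *first_index ? 1 : -1;
}

/* Number of times FOREACH executes its body for a face with `num_glyphs`
 * glyphs; each iteration is one FT_ULong write into charset->code[]. */
int count_identity_writes( long num_glyphs, int first_index, int last_index )
{
  int incr_index, j, writes = 0;
  clamp_indices( num_glyphs, &first_index, &last_index, &incr_index );
  FOREACH( j )
    writes++;
  return writes;
}

/* Hardened variant (assumed fix for this example): a face with no glyphs
 * yields an empty charset, so the loop never runs. */
int count_identity_writes_fixed( long num_glyphs, int first_index, int last_index )
{
  if ( num_glyphs <= 0 )
    return 0;
  return count_identity_writes( num_glyphs, first_index, last_index );
}

int main( void )
{
  /* With 0 glyphs the unfixed loop still runs once, i.e. one 8-byte write
   * into a buffer sized for zero entries, matching the ASan report. */
  printf( "num_glyphs=0: writes=%d (buffer holds 0)\n",
          count_identity_writes( 0, 0, 0x7FFFFFFF ) );
  printf( "num_glyphs=3: writes=%d (buffer holds 3)\n",
          count_identity_writes( 3, 0, 0x7FFFFFFF ) );
  printf( "fixed, num_glyphs=0: writes=%d\n",
          count_identity_writes_fixed( 0, 0, 0x7FFFFFFF ) );
  return 0;
}
```

The loop condition is an inclusive range test, so when both bounds collapse to -1 the range still contains exactly one index; that single pass is the out-of-bounds write.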
Stack trace:

=================================================================
==2736368==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000130 at pc 0x00000050005f bp 0x7fff84c241b0 sp 0x7fff84c241a8
WRITE of size 8 at 0x602000000130 thread T0
    #0 0x50005e in get_charset /targets/struct/freetype/dbg/freetype-demos/src/ftbench.c:820:28
    #1 0x4fcc28 in main /targets/struct/freetype/dbg/freetype-demos/src/ftbench.c:1420:11
    #2 0x7fb18708b0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #3 0x41f6bd in _start (/targets/struct/freetype/dbg/fuzzrun/ftbench+0x41f6bd)

0x602000000131 is located 0 bytes to the right of 1-byte region [0x602000000130,0x602000000131)
allocated by thread T0 here:
    #0 0x4c4987 in calloc /fuzz/fuzzdeps/llvm-project-11.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x4ffc36 in get_charset /targets/struct/freetype/dbg/freetype-demos/src/ftbench.c:787:32
    #2 0x4fcc28 in main /targets/struct/freetype/dbg/freetype-demos/src/ftbench.c:1420:11
    #3 0x7fb18708b0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /targets/struct/freetype/dbg/freetype-demos/src/ftbench.c:820:28 in get_charset
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 04 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8010: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
=>0x0c047fff8020: fa fa fd fa fa fa[01]fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2736368==ABORTING
[1]    2736368 abort      ./ftbench -c 1

Steps to reproduce: ftbench -c 1 ./poc
