Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-5496: Heap-based buffer overflow in the Type2NotDefSplines() function · Issue #4085 · fontforge/fontforge

FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c.

CVE
Open in Source
#linux#git#buffer_overflow

Hi,

While fuzzing FontForge with AFL, I found a heap-based buffer overflow in the Type2NotDefSplines() function, in splinesave.c.

Attaching a reproducer (gzipped so GitHub accepts it): test02.sfd.gz

Issue can be reproduced in FontForge 20190801 and with latest Git master by running:

fontforge -lang ff -c 'Open("test02.sfd"); Generate("test02.otf")'


=================================================================
==8320==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000013e8 at pc 0x7fe41192f7bf bp 0x7ffcc7907050 sp 0x7ffcc7907040
WRITE of size 8 at 0x6020000013e8 thread T0
    #0 0x7fe41192f7be in Type2NotDefSplines /home/fcambus/fontforge-20190801/fontforge/splinesave.c:3099
    #1 0x7fe41193030c in SplineFont2ChrsSubrs2 /home/fcambus/fontforge-20190801/fontforge/splinesave.c:3235
    #2 0x7fe411ae5df3 in dumptype2glyphs /home/fcambus/fontforge-20190801/fontforge/tottf.c:2639
    #3 0x7fe411b0f07c in initTables /home/fcambus/fontforge-20190801/fontforge/tottf.c:5750
    #4 0x7fe411b13475 in _WriteTTFFont /home/fcambus/fontforge-20190801/fontforge/tottf.c:6143
    #5 0x7fe411b13611 in WriteTTFFont /home/fcambus/fontforge-20190801/fontforge/tottf.c:6171
    #6 0x7fe4116c60b4 in _DoSave /home/fcambus/fontforge-20190801/fontforge/savefont.c:845
    #7 0x7fe4116c8f7b in GenerateScript /home/fcambus/fontforge-20190801/fontforge/savefont.c:1269
    #8 0x7fe4116df9c4 in bGenerate /home/fcambus/fontforge-20190801/fontforge/scripting.c:2061
    #9 0x7fe41173d6bb in docall /home/fcambus/fontforge-20190801/fontforge/scripting.c:9632
    #10 0x7fe41173e55e in handlename /home/fcambus/fontforge-20190801/fontforge/scripting.c:9745
    #11 0x7fe4117428d0 in term /home/fcambus/fontforge-20190801/fontforge/scripting.c:9983
    #12 0x7fe4117441de in mul /home/fcambus/fontforge-20190801/fontforge/scripting.c:10128
    #13 0x7fe411744ade in add /home/fcambus/fontforge-20190801/fontforge/scripting.c:10174
    #14 0x7fe4117459e7 in comp /home/fcambus/fontforge-20190801/fontforge/scripting.c:10249
    #15 0x7fe41174644d in _and /home/fcambus/fontforge-20190801/fontforge/scripting.c:10293
    #16 0x7fe411746a79 in _or /home/fcambus/fontforge-20190801/fontforge/scripting.c:10325
    #17 0x7fe411747167 in assign /home/fcambus/fontforge-20190801/fontforge/scripting.c:10358
    #18 0x7fe41174884f in expr /home/fcambus/fontforge-20190801/fontforge/scripting.c:10436
    #19 0x7fe41174a4de in ff_statement /home/fcambus/fontforge-20190801/fontforge/scripting.c:10649
    #20 0x7fe41174bb92 in ProcessNativeScript /home/fcambus/fontforge-20190801/fontforge/scripting.c:10796
    #21 0x7fe41174c59f in _CheckIsScript /home/fcambus/fontforge-20190801/fontforge/scripting.c:10894
    #22 0x7fe41174c881 in CheckIsScript /home/fcambus/fontforge-20190801/fontforge/scripting.c:10927
    #23 0x7fe413289be7 in fontforge_main /home/fcambus/fontforge-20190801/fontforgeexe/startui.c:1099
    #24 0x55d5019f01ec in main /home/fcambus/fontforge-20190801/fontforgeexe/main.c:33
    #25 0x7fe4129171e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
    #26 0x55d5019f010d in _start (/home/fcambus/fontforge-20190801/fontforgeexe/.libs/fontforge+0x110d)

Address 0x6020000013e8 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fcambus/fontforge-20190801/fontforge/splinesave.c:3099 in Type2NotDefSplines
Shadow bytes around the buggy address:
  0x0c047fff8220: fa fa 05 fa fa fa 00 02 fa fa fd fa fa fa 00 00
  0x0c047fff8230: fa fa 00 01 fa fa 07 fa fa fa 01 fa fa fa 01 fa
  0x0c047fff8240: fa fa 01 fa fa fa 00 03 fa fa 00 03 fa fa 00 03
  0x0c047fff8250: fa fa 00 04 fa fa 04 fa fa fa 01 fa fa fa fa fa
  0x0c047fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
  0x0c047fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==8320==ABORTING

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE