[Bug 1191080] CVE-2014-9658 freetype: buffer over-read and integer underflow in tt_face_load_kern()

bugzilla at redhat.com bugzilla at redhat.com
Thu Feb 19 20:58:29 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1191080

Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|medium                      |low
   Fixed In Version|                            |freetype 2.5.4
            Summary|CVE-2014-9658 freetype: DoS |CVE-2014-9658 freetype:
                   |in the tt_face_load_kern    |buffer over-read and
                   |function in sfnt/ttkern.c   |integer underflow in
                   |                            |tt_face_load_kern()
         Whiteboard|impact=moderate,public=2014 |impact=low,public=20141124,
                   |1124,reported=20150210,sour |reported=20150210,source=cv
                   |ce=cve,cvss2=3.7/AV:L/AC:H/ |e,cvss2=4.3/AV:N/AC:M/Au:N/
                   |Au:N/C:P/I:P/A:P,fedora-all |C:N/I:N/A:P,cwe=CWE-20->CWE
                   |/freetype=affected,rhel-5/f |-190->CWE-125,rhel-4/freety
                   |reetype=new,rhel-6/freetype |pe=notaffected,rhel-5/freet
                   |=new,rhel-7/freetype=new    |ype=affected,rhel-6/freetyp
                   |                            |e=affected,rhel-7/freetype=
                   |                            |affected,rhev-m-3/mingw-vir
                   |                            |t-viewer=affected,fedora-al
                   |                            |l/freetype=affected,fedora-
                   |                            |all/mingw-freetype=affected
                   |                            |,epel-7/mingw-freetype=affe
                   |                            |cted
           Severity|medium                      |low



--- Comment #3 from Tomas Hoger <thoger at redhat.com> ---
Upstream bug is:

https://savannah.nongnu.org/bugs/?43672

Issue was fixed upstream in 2.5.4.

The issue here starts as a simple short buffer over-read.  Existing check to
ensure enough input data is still available was incorrect:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern.c?id=73be9f9#n102

The length <= 6 only takes into account the previously read header:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern.c?id=73be9f9#n96

p is later incremented by 8 (but only the first two bytes are actually
read/accessed):

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern.c?id=73be9f9#n115

However, when length is too short, p_next may be less than p, which leads to
integer underflow in (p_next - p) in this num_pairs check:

http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/sfnt/ttkern.c?id=73be9f9#n118

The check aims to prevent further over-reads.  Underflow bypasses the check and
makes it possible to read 6 * 0xffff bytes (num_pairs is short).  Crash should
be possible.
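As an added illustration of the flawed and corrected length checks discussed in the comment above (a constructed model, not FreeType's own code or the reporter's; the macro names, `kern_pair_count`, and the two sample subtables are assumptions):

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the subtable walk described above (not FreeType's
 * code): 6-byte header (version, length, coverage), then 8 bytes of which
 * only the first two (num_pairs) are read, then num_pairs 6-byte pairs.
 * Offsets into buf stand in for the p / p_next / p_limit pointers. */
#define HDR_LEN     6
#define PAIRHDR_LEN 8
#define PAIR_LEN    6

static size_t rd16(const uint8_t *p) { return (size_t)((p[0] << 8) | p[1]); }

/* Returns how many pairs a parser would go on to read, or -1 if the
 * subtable is rejected.  fixed=0 models the pre-2.5.4 length check. */
int kern_pair_count(const uint8_t *buf, size_t buf_len, int fixed)
{
    size_t off = 0, next_off, length, num_pairs;

    if (buf_len < HDR_LEN)
        return -1;
    length = rd16(buf + 2);
    off += HDR_LEN;
    /* Flawed: covers only the 6 header bytes already consumed.
     * Fixed: also covers the 8 bytes consumed below. */
    if (length <= (size_t)(fixed ? HDR_LEN + PAIRHDR_LEN : HDR_LEN))
        return -1;
    next_off = length;                  /* p_next = subtable start + length */
    if (next_off > buf_len)             /* clamp a broken length to p_limit */
        next_off = buf_len;
    if (buf_len - off < PAIRHDR_LEN)    /* the p + 8 > p_limit test */
        return -1;
    num_pairs = rd16(buf + off);
    off += PAIRHDR_LEN;                 /* off = 14; flawed path allows next_off < 14 */
    /* next_off - off wraps when next_off < off (the p_next - p underflow),
     * so the clamp never fires and num_pairs keeps its 16-bit value. */
    if ((next_off - off) / PAIR_LEN < num_pairs)
        num_pairs = (next_off - off) / PAIR_LEN;
    return (int)num_pairs;
}

/* Constructed inputs: a 14-byte subtable claiming length 8 and 0xffff pairs,
 * and a well-formed 26-byte one holding two pairs but claiming 100. */
const uint8_t kern_short[14] = { 0,0, 0,8, 0,1, 0xff,0xff, 0,0,0,0,0,0 };
const uint8_t kern_ok[26]    = { 0,0, 0,26, 0,1, 0,100, 0,0,0,0,0,0,
                                 0,1, 0,2, 0,0,  0,3, 0,4, 0,0 };
```

With the old check the short table yields 0xffff pairs to read past the buffer, while the corrected check rejects it; the clamp still trims an inflated count on a well-formed table.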

More information about the fonts-bugs mailing list