CESA-2006-001 - rev 2
[See all my vulnerabilities at
http://scary.beasts.org/security]
freetype font parsing vulnerabilities
Programs affected: freetype-2.1.10 and older.
Severity: Possible arbitrary code execution.
Fixed: FreeType-2.2.1
CVE identifier(s): CVE-2006-1054 (integer overflows)
freetype is a popular font rendering library. It contains parsers for various
different types of fonts. Some of these font parsers contain security
vulnerabilities which could be exploited to execute arbitrary code if a victim
is coerced into decoding a malicious font file.
Possible attack vectors here include:
- Desktop environments such as GNOME and KDE which have file managers which
will parse font files in order to render previews.
- Applications such as xpdf may use freetype to parse embedded font
definitions.
Some specific example vulnerabilities are:
- Uncharacterized crashes when black-box fuzzing ttf files and then parsing
them via the "ftview" utility.
Example files causing crashes are bad300.ttf and bad636.ttf.
The former would appear to cause a wild pointer; the latter a null pointer.
These findings prompted source-code analysis of the freetype font parsers,
which led to the next vulnerabilities:
- Integer overflows in BDF font file parser.
bdflib.c:
p->cnt = font->glyphs_size = _bdf_atoul( p->list.field[1], 0, 10 );
...
if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) )
Demo file: bad1.bdf.
p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1], 0, 10 );
if ( FT_NEW_ARRAY( p->font->props, p->cnt ) )
glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
Demo file: bad2.bdf.
(At this point, it's worth noting that most of the integer overflows can be
fixed by making the FT_NEW_ARRAY macro robust, which is nice).
- Similar integer overflows in PCF font file parser.
Demo file (possibly; it certainly crashes - the actual crash has not been
correlated with dangerous FT_NEW_ARRAYs in the code): bad1.pcf.
- Possible integer overflows in Type1 font file parser.
t1load.c
count = (FT_Int)T1_ToInt( parser );
...
if ( FT_NEW_ARRAY( encode->char_index, count ) || ...
(There's also an identical issue in t42parse.c)
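As an added example (this is not FreeType's code; the function names and the
modelling of the glyph fields as unsigned short are assumptions), the C below
shows the two hardening points the advisory describes: an allocator that
refuses a count whose byte size would wrap, as a robust FT_NEW_ARRAY would,
and the bdflib.c bpr/bytes arithmetic beside an overflow-checked version. It
also covers the signed count case from t1load.c/t42parse.c, where a negative
FT_Int becomes a huge size if passed straight to an allocator.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Overflow-checked array allocator in the spirit of a robust FT_NEW_ARRAY
 * (name is an assumption, not FreeType's macro). Returns NULL when
 * count * elem_size would wrap around size_t, so a huge count read from a
 * font file cannot become a small allocation the parser then overruns. */
void *checked_new_array(size_t count, size_t elem_size)
{
    if (elem_size == 0 || count > SIZE_MAX / elem_size)
        return NULL;                     /* product would not fit in size_t */
    return calloc(count, elem_size);     /* calloc also zero-fills the array */
}

/* Demonstration helper: 1 if the allocation was accepted, 0 if the overflow
 * check rejected it. Frees whatever it obtained. */
int checked_new_array_accepts(size_t count, size_t elem_size)
{
    void *p = checked_new_array(count, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* The Type 1 / Type 42 case: count arrives as a signed FT_Int. A negative
 * value converts to an enormous size_t, so reject it before any arithmetic.
 * Returns 1 if the count can safely size an array of elem_size bytes. */
int signed_count_is_valid(long count, size_t elem_size)
{
    if (count < 0 || elem_size == 0)
        return 0;
    return (size_t)count <= SIZE_MAX / elem_size;
}

/* Mirrors the bdflib.c arithmetic quoted in the advisory: bpr and bytes are
 * computed in a wider type, then bytes is truncated to unsigned short.
 * (Assumption: glyph fields modelled as unsigned short, as the cast on
 * glyph->bytes in the quoted line implies.) */
unsigned short bdf_glyph_bytes_unchecked(unsigned short width,
                                         unsigned short bpp,
                                         unsigned short height)
{
    unsigned long bpr = ((unsigned long)width * bpp + 7) >> 3;
    return (unsigned short)(bpr * height);   /* silently wraps past 65535 */
}

/* Hardened counterpart: every multiplication is checked before it happens
 * and the result must still fit the unsigned short field it is stored in.
 * Returns the byte count, or 0 when the dimensions are rejected (non-zero
 * width, bpp and height always need at least one byte, so 0 is unambiguous). */
unsigned long bdf_glyph_bytes_checked(unsigned long width, unsigned long bpp,
                                      unsigned long height)
{
    unsigned long bits, bpr, bytes;

    if (width == 0 || bpp == 0 || height == 0)
        return 0;
    if (bpp > ULONG_MAX / width)
        return 0;                                /* width * bpp would wrap */
    bits = width * bpp;
    if (bits > ULONG_MAX - 7)
        return 0;                                /* + 7 would wrap */
    bpr = (bits + 7) >> 3;                       /* >= 1 here */
    if (height > ULONG_MAX / bpr)
        return 0;                                /* bpr * height would wrap */
    bytes = bpr * height;
    if (bytes > USHRT_MAX)
        return 0;          /* would be truncated in the unsigned short field */
    return bytes;
}

int main(void)
{
    /* Constructed font-file values: a 65535-pixel-wide, 8 bpp, 2-row glyph. */
    printf("unchecked bytes = %u (true size 131070)\n",
           bdf_glyph_bytes_unchecked(65535, 8, 2));
    printf("checked bytes   = %lu (0 = rejected)\n",
           bdf_glyph_bytes_checked(65535, 8, 2));
    printf("glyphs_size = SIZE_MAX/2 accepted? %d\n",
           checked_new_array_accepts(SIZE_MAX / 2, sizeof(int)));
    printf("Type1 count -1 valid? %d\n", signed_count_is_valid(-1, sizeof(int)));
    return 0;
}
```

The unchecked glyph computation records 65534 bytes for a bitmap that really
occupies 131070, which is the shape of bug the advisory's bad2.bdf targets:
the parser allocates from the truncated size and later copies the full bitmap
into it. Doing the multiplication in a wide type and checking each step, then
checking the result against the width of the destination field, closes both
the wrap and the truncation.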
Chris Evans
scarybeasts@gmail.com