Summary
There is a DoS vulnerability in the TTF parser. A maliciously crafted TTF file can cause the program to consume 100% of available memory and enter an infinite loop. The same input also triggers a heap-buffer-overflow.
Details
Running `./testttf testttf-dos.ttf` reproduces the issue.

An infinite loop occurs in the read_cmap function (ttf.c) and is driven by the nGroups value. nGroups is read directly from the file, and by setting it to a large value an attacker can make the program consume 100% of memory and loop indefinitely. If nGroups in the file is small, the infinite loop does not occur.
The loop in question (pdfio/ttf.c, line 1365 at commit 0c1122b):

```c
for (gidx = 0, group = groups, font->num_cmap = 0; gidx < nGroups; gidx ++, group ++)
```
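The root cause described above is a count read from untrusted input and used as a loop bound without being checked against the data that is actually present. The following is an added example, not pdfio's code: a hypothetical parser for a cmap format 12 subtable (16-byte header, then 12-byte groups) that rejects an nGroups value that cannot fit in the declared subtable length or exceeds a fixed cap before any loop or allocation happens. The cap value, the function names and the two constructed sample subtables are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical upper bound on groups we are willing to process; whether
   pdfio applies its own limit is not stated on the page. */
#define MAX_CMAP_GROUPS 65536u

typedef struct { uint32_t start, end, glyph; } cmap_group_t;

static uint32_t be32(const unsigned char *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t be16(const unsigned char *p)
{
  return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Parse a format-12 cmap subtable held in buf[0..len).
   Writes at most max_groups groups into out and returns the number parsed,
   or -1 if the header is malformed or nGroups does not fit in the data. */
int parse_cmap12(const unsigned char *buf, size_t len,
                 cmap_group_t *out, size_t max_groups)
{
  if (len < 16) return -1;                  /* header alone is 16 bytes */
  if (be16(buf) != 12) return -1;           /* only format 12 handled here */

  uint32_t length  = be32(buf + 4);         /* declared subtable length */
  uint32_t ngroups = be32(buf + 12);        /* untrusted count */

  if (length < 16 || length > len) return -1;   /* length lies about buffer */

  /* Each group is 12 bytes. Compare by division so ngroups * 12 cannot
     wrap around in 32-bit arithmetic. */
  if (ngroups > (length - 16) / 12) return -1;
  if (ngroups > MAX_CMAP_GROUPS || ngroups > max_groups) return -1;

  const unsigned char *p = buf + 16;
  for (uint32_t i = 0; i < ngroups; i++, p += 12) {
    out[i].start = be32(p);
    out[i].end   = be32(p + 4);
    out[i].glyph = be32(p + 8);
    if (out[i].end < out[i].start) return -1;   /* inverted range */
  }
  return (int)ngroups;
}

/* Constructed sample: a well-formed subtable with two groups (A-Z, a-z). */
static const unsigned char good_cmap12[40] = {
  0x00,0x0C, 0x00,0x00, 0x00,0x00,0x00,0x28, 0x00,0x00,0x00,0x00,
  0x00,0x00,0x00,0x02,
  0x00,0x00,0x00,0x41, 0x00,0x00,0x00,0x5A, 0x00,0x00,0x00,0x01,
  0x00,0x00,0x00,0x61, 0x00,0x00,0x00,0x7A, 0x00,0x00,0x00,0x1B,
};

/* Constructed sample: same bytes, but nGroups is 0xFFFFFFFF while only
   two groups of data follow the header. */
static const unsigned char bad_cmap12[40] = {
  0x00,0x0C, 0x00,0x00, 0x00,0x00,0x00,0x28, 0x00,0x00,0x00,0x00,
  0xFF,0xFF,0xFF,0xFF,
  0x00,0x00,0x00,0x41, 0x00,0x00,0x00,0x5A, 0x00,0x00,0x00,0x01,
  0x00,0x00,0x00,0x61, 0x00,0x00,0x00,0x7A, 0x00,0x00,0x00,0x1B,
};

int example_good(void)
{
  cmap_group_t groups[8];
  return parse_cmap12(good_cmap12, sizeof good_cmap12, groups, 8);
}

int example_bad(void)
{
  cmap_group_t groups[8];
  return parse_cmap12(bad_cmap12, sizeof bad_cmap12, groups, 8);
}

int main(void)
{
  printf("well-formed subtable: %d groups\n", example_good());
  printf("oversized nGroups:    %d (rejected)\n", example_bad());
  return 0;
}
```

The important property is that the check runs before the loop and before any buffer is sized from nGroups: a rejected value never reaches the loop, so neither the memory exhaustion nor the out-of-bounds write in the advisory can occur.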
AddressSanitizer output from the run:

```
$./testttf testttf-dos.ttf
=================================================================
==3694772==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d200 at pc 0x5586b4f44716 bp 0x7ffcadf02190 sp 0x7ffcadf02188
WRITE of size 4 at 0x60200000d200 thread T0
    #0 0x5586b4f44715 in read_cmap /home/bshyuunn/fuzzing/pdfio/pdfio1.3.0/pdfio/ttf.c:1465:27
    #1 0x5586b4f44715 in ttfCreate /home/bshyuunn/fuzzing/pdfio/pdfio1.3.0/pdfio/ttf.c:374:8
    #2 0x5586b4f4d37b in test_font /home/bshyuunn/fuzzing/pdfio/pdfio1.3.0/pdfio/testttf.c:123:15
    #3 0x5586b4f4d110 in main /home/bshyuunn/fuzzing/pdfio/pdfio1.3.0/pdfio/testttf.c:43:17
    #4 0x7f550029ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f550029ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x5586b4e7f364 in _start (/home/bshyuunn/fuzzing/pdfio/pdfio1.3.0/pdfio/testttf+0x20364) (BuildId: 2de0da7285d06a9ef0d37f51db0aab8afc1a4fd2)

Address 0x60200000d200 is a wild pointer inside of access range of size 0x000000000004.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bshyuunn/fuzzing/pdfio/pdfio1.3.0/pdfio/ttf.c:1465:27 in read_cmap
Shadow bytes around the buggy address:
  0x0c047fff99f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9a40:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```
PoC
You can download testttf-dos.ttf from https://files.catbox.moe/jy13a4.ttf or from the zip file below.
testttf-dos.ttf.zip

```shell
$ curl https://files.catbox.moe/bzl6d5.ttf > testttf-dos.ttf && shasum -a 256 testttf-dos.ttf
31ab0983559e082b7b32e35d993b30e32c2e346b58ec7681d3a05cb0c8ec9ed4  testttf-dos.ttf
$ ./testttf testttf-dos.ttf
```
Impact
This library, whether used as a standalone binary or as part of another application, is vulnerable to DoS when parsing certain files. Automated systems, including web servers that use this code to convert PDF submissions into plaintext, can be taken down if an attacker uploads a malicious TTF file. The same input also triggers a heap-buffer-overflow, which is a memory-safety issue beyond the DoS.
Credits
배송현 ( Song Hyun Bae )
배준서 ( Jun Seo Bae )
조재호 ( Jae Ho Cho )
이동하 ( Lee Dong Ha )