articles
articles copied to clipboard
Published
20 hours ago •
xinali
xinali
heap-based out-of-bounds read when parsing otf file with undefined glyph name in svg option(AFDKO)
heap-based out-of-bounds read when parsing otf file with undefined glyph name in svg option(AFDKO)
前段时间fuzz出来的,提给adobe的issue,目前已经被修复了,其中指针追踪挺有意思的
0x1 Segment Fault
Please excuse my poor English. I'm not a native speaker. I will do my best to describe this issue.
In lates commit ad786a1bfbaa11a2e14dca3cdd95a66da8f824fc
use clang compile with debug option
compile tx in c/tx/build/linux/gcc/debug/
make clean && CC=clang make
then use tx to parse a specific otf file
tx -svg poc.otf
tx segment fault
tx: --- poc.otf
tx: (cfr) invalid fvar table version
tx: (cfr) invalid/missing hhea table
tx: (cfr) name table missing
tx: (cfr) axis count in variation font region list does not match axis count in fvar table
tx: (cfr) Warning: CharString of GID 2 is 68301 bytes long. CharStrings longer than 65535 bytes might not be supported by some implementations.
Segmentation fault (core dumped)
0x2 Dynamic Analysis
I use pwndbg to debug
#0 __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
#1 0x0000000000476360 in matchName ()
#2 0x00007ffff773b207 in __GI_bsearch (__key=0x0, __base=0x4ca870 <mapName2UV.agl>, __nmemb=<optimized out>, __size=16, __compar=0x476340 <matchName>) at ../bits/stdlib-bsearch.h:33
#3 0x0000000000475aa7 in mapName2UV ()
#4 0x0000000000478c60 in svg_GlyphBeg ()
#5 0x000000000046f43b in otfGlyphBeg ()
#6 0x0000000000413468 in readGlyph (h=0x6f8f30, gid=0, glyph_cb=0x6f3690) at ../../../../../source/cffread/cffread.c:2877
#7 0x0000000000413395 in cfrIterateGlyphs (h=0x6f8f30, glyph_cb=0x6f3690) at ../../../../../source/cffread/cffread.c:2930
#8 0x0000000000405b91 in cfrReadFont (h=0x6ec010, origin=0, ttcIndex=0) at ../../../../source/tx.c:151
#9 0x00000000004058bf in doFile (h=0x6ec010, srcname=0x7fffffffe6dc "poc.otf") at ../../../../source/tx.c:429
#10 0x0000000000404f3e in doSingleFileSet (h=0x6ec010, srcname=0x7fffffffe6dc "poc.otf") at ../../../../source/tx.c:488
#11 0x0000000000402d89 in parseArgs (h=0x6ec010, argc=2, argv=0x7fffffffe400) at ../../../../source/tx.c:558
#12 0x0000000000401c27 in main (argc=2, argv=0x7fffffffe400) at ../../../../source/tx.c:1587
#13 0x00007ffff7724830 in __libc_start_main (main=0x401a60 <main>, argc=3, argv=0x7fffffffe3f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3e8) at ../csu/libc-start.c:291
#14 0x0000000000401989 in _start ()
then I do some analysis, I found when tx parse the specific otf file with no glyph name, tx will occur segment fault.
debug the issue, set breakpoint in cffread.c:2877
hit the breakpoint
In file: /root/tmp/afdko/c/public/lib/source/cffread/cffread.c
2872 abfGlyphInfo *info = &h->glyphs.array[gid];
2873 t2cAuxData *aux = &h->FDArray.array[info->iFD].aux;
2874 cff2GlyphCallbacks *cff2_cb = NULL;
2875
2876 /* Begin glyph and mark it as seen */
► 2877 result = glyph_cb->beg(glyph_cb, info); <====
2878 info->flags |= ABF_GLYPH_SEEN;
2879 info->blendInfo.vsindex = aux->default_vsIndex;
2880
2881 /* Check result */
2882 switch (result) {
─────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffddd0 ◂— 0x4
01:0008│ 0x7fffffffddd8 —▸ 0x46ba90 (mem_manage) ◂— push rbp
02:0010│ 0x7fffffffdde0 ◂— 0x0
03:0018│ 0x7fffffffdde8 —▸ 0x7ffff777c77b (_IO_file_seekoff+699) ◂— cmp r12, rax
04:0020│ 0x7fffffffddf0 ◂— 0x2
05:0028│ 0x7fffffffddf8 ◂— 0x0
... ↓
07:0038│ 0x7fffffffde08 —▸ 0x6fe178 ◂— 0x4
───────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────────────────────
► f 0 41344f readGlyph+111
f 1 413395 cfrIterateGlyphs+117
f 2 405b91 cfrReadFont+561
f 3 4058bf doFile+879
f 4 404f3e doSingleFileSet+46
f 5 402d89 parseArgs+425
f 6 401c27 main+455
f 7 7ffff7724830 __libc_start_main+240
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Breakpoint cffread.c:2877
call a function pointer glyph_cb->beg, step into, enter otfGlyphBeg
in otfGlyphBeg+121, it call another function pointer
0x46f404 <otfGlyphBeg+68> je otfGlyphBeg+102 <0x46f426>
↓
0x46f426 <otfGlyphBeg+102> mov rax, qword ptr [rbp - 0x18]
0x46f42a <otfGlyphBeg+106> mov rax, qword ptr [rax + 0x7708]
0x46f431 <otfGlyphBeg+113> mov rdi, qword ptr [rbp - 8]
0x46f435 <otfGlyphBeg+117> mov rsi, qword ptr [rbp - 0x10]
► 0x46f439 <otfGlyphBeg+121> call rax <0x478bb0>
rdi: 0x6f3690 —▸ 0x6f37f0 ◂— 0x0
rsi: 0x70b2d0 ◂— 0x0
0x46f43b <otfGlyphBeg+123> add rsp, 0x20
0x46f43f <otfGlyphBeg+127> pop rbp
0x46f440 <otfGlyphBeg+128> ret
0x46f441 nop word ptr cs:[rax + rax]
0x46f450 <bufSeek> push rbp
step into, in svg_GlyphBeg+171 , it call another function pointer
0x478c46 <svg_GlyphBeg+150> mov rsi, qword ptr [rax + 8]
0x478c4a <svg_GlyphBeg+154> mov rax, qword ptr [rbp - 0x18]
0x478c4e <svg_GlyphBeg+158> add rax, 0x6b78
0x478c54 <svg_GlyphBeg+164> add rax, 0x10
0x478c58 <svg_GlyphBeg+168> mov rdx, rax
► 0x478c5b <svg_GlyphBeg+171> call mapName2UV <0x475a60>
rdi: 0x6ec010 —▸ 0x7fffffffe6d4 ◂— 0x6776732d007874 /* 'tx' */
rsi: 0x0
rdx: 0x6f2b98 ◂— 0xe000
rcx: 0xffff0004
0x478c60 <svg_GlyphBeg+176> movzx ecx, ax
0x478c63 <svg_GlyphBeg+179> mov edx, ecx
0x478c65 <svg_GlyphBeg+181> mov rsi, qword ptr [rbp - 0x10]
0x478c69 <svg_GlyphBeg+185> mov qword ptr [rsi + 0x20], rdx
0x478c6d <svg_GlyphBeg+189> mov rax, qword ptr [svwGlyphCallbacks+24] <0x4be940>
step into, in mapName2UV+66 , it calls a function named bsearch
0x475a91 <mapName2UV+49> mov qword ptr [rbp - 0x20], rdx
0x475a95 <mapName2UV+53> mov rdi, qword ptr [rbp - 0x18]
0x475a99 <mapName2UV+57> mov rsi, rax
0x475a9c <mapName2UV+60> mov rdx, r8
0x475a9f <mapName2UV+63> mov r8, r9
► 0x475aa2 <mapName2UV+66> call bsearch@plt <0x4018e0>
key: 0x0
base: 0x4ca870 (mapName2UV.agl) —▸ 0x4b1ab9 ◂— add byte ptr [rip + 0x462d0045], bpl /* 'A' */
nmemb: 0x41b
size: 0x10
compar: 0x476340 (matchName) ◂— push rbp
0x475aa7 <mapName2UV+71> mov qword ptr [rbp - 0x28], rax
0x475aab <mapName2UV+75> cmp qword ptr [rbp - 0x28], 0
0x475ab0 <mapName2UV+80> je mapName2UV+103 <0x475ac7>
0x475ab6 <mapName2UV+86> mov rax, qword ptr [rbp - 0x28]
0x475aba <mapName2UV+90> mov cx, word ptr [rax + 8]
key is const char* type, in bsearch, it will access the data of key. But key is 0x0, so it will segment fault.
0x3 Source Code Analysis
After analyzing source code, the issue call order
readGlyph/cffread.c:2877
|=> glyph_cb->beg =point=> otfGlyphBeg(tx_shared.c:4773)
|=> h->cb.saveGlyphBeg =point=> svg_GlyphBeg(tx_shared.c:2637)
|=> mapName2UV (tx_shared.c:1518)
|=> bsearch => Segment Fault
function mapName2UV
/* Map glyph name to Unicode value using simplified assignment algorithm. */
static unsigned short mapName2UV(txCtx h, char *gname, unsigned short *unrec) {
static const Name2UV agl[] =
{
#include "agl2uv.h"
};
Name2UV *map = (Name2UV *)bsearch(gname, agl, ARRAY_LEN(agl),
sizeof(Name2UV), matchName);
if (map != NULL)
return map->uv; /* Match found */
/* Not found */
if (strcmp(gname, ".notdef") == 0)
return 0xFFFF; /* No encoding for .notdef */
if (gname[0] == 'u' &&
gname[1] == 'n' &&
gname[2] == 'i' &&
isxdigit(gname[3]) && !islower(gname[3]) &&
isxdigit(gname[4]) && !islower(gname[4]) &&
isxdigit(gname[5]) && !islower(gname[5]) &&
isxdigit(gname[6]) && !islower(gname[6]) &&
gname[7] == '\0')
/* uni<CODE> name; return hex part */
return (unsigned short)strtol(&gname[3], NULL, 16);
/* return Private Use Area UV */
return (*unrec)++;
}
bsearch first parameter key is gname
function bsearch
_extern_inline void *
bsearch (const void *__key, const void *__base, size_t __nmemb, size_t __size,
__compar_fn_t __compar)
{
size_t __l, __u, __idx;
const void *__p;
int __comparison;
__l = 0;
__u = __nmemb;
while (__l < __u)
{
__idx = (__l + __u) / 2;
__p = (void *) (((const char *) __base) + (__idx * __size));
__comparison = (*__compar) (__key, __p); // do not check __key, then crash
if (__comparison < 0)
__u = __idx;
else if (__comparison > 0)
__l = __idx + 1;
else
return (void *) __p;
}
return NULL;
}
gname is in structure abfGlyphInfo, the structure defines inabsfont.h
typedef struct /* Glyph information */
{
short flags; /* Attribute flags */
#define ABF_GLYPH_CID (1 << 0) /* Glyph from CID-keyed font */
#define ABF_GLYPH_SEEN (1 << 1) /* Path data already returned to client */
#define ABF_GLYPH_UNICODE (1 << 2) /* Encoding is Unicode */
#define ABF_GLYPH_LANG_1 (1 << 3) /* Render with LanguageGroup 1 rules */
unsigned short tag; /* Unique tag */
abfString gname; /* Name-keyed: glyph name */ <======
abfEncoding encoding; /* Name-keyed: encoding list */
unsigned short cid; /* CID-keyed: CID */
uint16_t iFD; /* CID-keyed: FD index */
ctlRegion sup; /* Supplementary data */
struct {
unsigned short vsindex;
unsigned short maxstack;
unsigned short numRegions;
float *blendDeltaArgs;
} blendInfo; /* Supplementary data */
} abfGlyphInfo;
The gname come from otf font file, and all data is in heap. If someone use a specific otf file, it may cause some security issues with out of bound read.
If necessary, I can send you a proof of concept for this issue.
