fuzz CVE-2019-1127
This post looks at CVE-2019-1127. The issue is stack corruption in AFDKO's OpenType font handling caused by a negative nAxes value.
Reproducing the vulnerability
Set up the environment and do a quick reproduction (afdko 2.8.8, debug build):
git clone https://github.com/adobe-type-tools/afdko
cd afdko
git checkout 2.8.8
cd c
bash buildalllinux.sh debug
Test with the provided PoC (the ASan report is shown in the original screenshot).
Let's look at the parameters involved.
The index is negative, which is what triggers the fault, so let's see where i comes from.
Continuing:
The negative value still enters the loop, so let's look at the bounds check.
Only the upper bound is checked; there is no check for a negative lower bound.
Now let's look at where nAxes comes from. The backtrace at the crash:
#0 0x000000000057baf2 in do_set_weight_vector_cube (h=0x7ffffff5f5f0, nAxes=-100000) at ../../../../../source/t2cstr/t2cstr.c:1030
#1 0x00000000005804dc in t2Decode (h=0x7ffffff5f5f0, offset=19147) at ../../../../../source/t2cstr/t2cstr.c:1914
#2 0x000000000057d1ff in t2Decode (h=0x7ffffff5f5f0, offset=23565) at ../../../../../source/t2cstr/t2cstr.c:1412
#3 0x0000000000584529 in t2cParse (offset=23565, endOffset=23574, aux=0x612000000398, gid=2, cff2=0x62a000004f98, glyph=0x62c0000078d8, mem=0x62a000004f38) at ../../../../../source/t2cstr/t2cstr.c:2591
#4 0x000000000053379d in readGlyph (h=0x62a000000200, gid=2, glyph_cb=0x62c0000078d8) at ../../../../../source/cffread/cffread.c:2927
#5 0x00000000005339ef in cfrIterateGlyphs (h=0x62a000000200, glyph_cb=0x62c0000078d8) at ../../../../../source/cffread/cffread.c:2966
#6 0x0000000000522f8b in cfrReadFont (h=0x62c000000200, origin=0, ttcIndex=0) at ../../../../source/tx.c:151
#7 0x000000000052273a in doFile (h=0x62c000000200, srcname=0x7fffffffe662 "poc.otf") at ../../../../source/tx.c:429
#8 0x0000000000520d5d in doSingleFileSet (h=0x62c000000200, srcname=0x7fffffffe662 "poc.otf") at ../../../../source/tx.c:488
#9 0x00000000005195c7 in parseArgs (h=0x62c000000200, argc=2, argv=0x7fffffffe370) at ../../../../source/tx.c:558
#10 0x00000000005168ea in main (argc=2, argv=0x7fffffffe370) at ../../../../source/tx.c:1631
#11 0x00007ffff6ee5830 in __libc_start_main (main=0x516460 <main>, argc=3, argv=0x7fffffffe368, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe358) at ../csu/libc-start.c:291
#12 0x000000000041a849 in _start ()
Tracing back to source/t2cstr/t2cstr.c:1914:
case tx_SETWVN: {
    int numAxes = (int)POP();   /* signed count taken straight from the charstring operand stack */
    result = do_set_weight_vector_cube(h, numAxes);
    if (result || !(h->flags & FLATTEN_CUBE))
        return result;
} break;
So nAxes is simply popped from the operand stack as a signed int, with no sign check in between: the font fully controls it, which makes later exploitation convenient.
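To make the bug class concrete, here is an added example in C that models the two points above (a signed count popped from the operand stack, and a bounds check that only tests the upper limit) next to the hardened form. It is not the page's PoC and not AFDKO's code: STACK_MAX, MAX_AXES, the slot arithmetic and the status codes are assumptions of this model, and it does not reproduce the exact loop in do_set_weight_vector_cube. Rather than actually reading out of bounds, the vulnerable variant reports when the slot range it would consume leaves the fixed-size array.

```c
#include <stdio.h>

#define STACK_MAX 48   /* assumed operand-stack depth for this model */
#define MAX_AXES   8   /* assumed upper limit, standing in for the real kMaxCubeAxes */

enum { SWV_OK = 0, SWV_TOO_MANY = 1, SWV_WOULD_CORRUPT = 2, SWV_BAD_COUNT = 3 };

typedef struct {
    float array[STACK_MAX];
    int cnt;
} OpStack;

static void  push(OpStack *s, float v) { s->array[s->cnt++] = v; } /* callers keep cnt < STACK_MAX */
static float pop(OpStack *s)           { return s->array[--s->cnt]; }

/* Vulnerable shape: the count is a signed int popped from the charstring and
 * only its upper bound is checked, so -100000 (the value in the backtrace)
 * passes. The model then computes the slot range [lo, hi) of the nAxes
 * operands it would read and refuses to touch memory when that range leaves
 * the array; the buggy code has no such guard and corrupts the stack. */
static int setwvn_vuln(OpStack *s, float ndv[MAX_AXES], int *lo, int *hi)
{
    int nAxes = (int)pop(s);
    if (nAxes > MAX_AXES)
        return SWV_TOO_MANY;            /* upper bound only */
    *lo = s->cnt - nAxes;               /* slot of the first operand */
    *hi = s->cnt;
    if (*lo < 0 || *lo > STACK_MAX)     /* model-only guard: would read outside array[] */
        return SWV_WOULD_CORRUPT;
    for (int i = *lo; i < *hi; i++)
        ndv[i - *lo] = s->array[i];
    s->cnt = *lo;                       /* consume the operands */
    return SWV_OK;
}

/* Hardened shape: reject negative counts, counts above the array size, and
 * counts larger than the number of operands actually on the stack. */
static int setwvn_fixed(OpStack *s, float ndv[MAX_AXES], int *lo, int *hi)
{
    int nAxes = (int)pop(s);
    if (nAxes < 0 || nAxes > MAX_AXES || nAxes > s->cnt)
        return SWV_BAD_COUNT;
    *lo = s->cnt - nAxes;
    *hi = s->cnt;
    for (int i = *lo; i < *hi; i++)
        ndv[i - *lo] = s->array[i];
    s->cnt = *lo;
    return SWV_OK;
}

/* Runs one variant on a constructed operand sequence: two NDV values followed
 * by the count operand, exactly the layout the SETWVN handler expects. */
static int run_model(int fixed, int nAxesOperand, float *ndv_out)
{
    float local[MAX_AXES] = {0};
    float *ndv = ndv_out ? ndv_out : local;
    OpStack s = { {0}, 0 };
    int lo = 0, hi = 0;
    push(&s, 0.25f);
    push(&s, 0.75f);
    push(&s, (float)nAxesOperand);      /* -100000 is exactly representable as float */
    return fixed ? setwvn_fixed(&s, ndv, &lo, &hi)
                 : setwvn_vuln(&s, ndv, &lo, &hi);
}

int main(void)
{
    printf("vuln  nAxes=-100000 -> %d\n", run_model(0, -100000, NULL));
    printf("fixed nAxes=-100000 -> %d\n", run_model(1, -100000, NULL));
    printf("vuln  nAxes=2       -> %d\n", run_model(0, 2, NULL));
    return 0;
}
```

With the count -100000, the vulnerable variant returns SWV_WOULD_CORRUPT because the computed slot range starts far above the array, while the hardened variant rejects the count up front; a count of 3 with only two operands on the stack is caught the same way. The fix is the lower-bound test the page notes is missing, plus the stack-depth test that a well-formed count still needs.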
Fuzz code
Same setup as for CVE-2019-1118 and CVE-2019-1117.
References
Microsoft DirectWrite / AFDKO stack corruption in OpenType font handling due to negative nAxes