CESA-2006-001 - rev 2

[See all my vulnerabilities at http://scary.beasts.org/security]

freetype font parsing vulnerabilities



Programs affected: freetype-2.1.10 and older.
Severity: Possible arbitrary code execution.
Fixed: FreeType-2.2.1
CVE identifier(s): CVE-2006-1054 (integer overflows)

freetype is a popular font rendering library. It contains parsers for several different font formats. Some of these font parsers contain security vulnerabilities which could be exploited to execute arbitrary code if a victim is coerced into decoding a malicious font file.

Possible attack vectors here include:

Some specific example vulnerabilities are:
  1. Uncharacterized crashes when black-box fuzzing ttf files and then parsing them via the "ftview" utility.

    Example files causing crashes are bad300.ttf and bad636.ttf. The former would appear to cause a wild pointer; the latter a null pointer. These findings prompted source-code analysis of the freetype font parsers, which leads into the next vulnerabilities:

  2. Integer overflows in BDF font file parser.

    bdflib.c:
    p->cnt = font->glyphs_size = _bdf_atoul( p->list.field[1], 0, 10 );
    ...
    if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) )

    Demo file: bad1.bdf.


    p->cnt = p->font->props_size = _bdf_atoul( p->list.field[1], 0, 10 );
    if ( FT_NEW_ARRAY( p->font->props, p->cnt ) )


    glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
    glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );

    Demo file: bad2.bdf.

    (At this point, it's worth noting that most of the integer overflows can be fixed by making the FT_NEW_ARRAY macro robust, which is nice).

  3. Similar integer overflows in PCF font file parser.
    Demo file: bad1.pcf (possibly; it certainly crashes, but the actual crash was not correlated with any of the dangerous FT_NEW_ARRAY calls in the code).
  4. Possible integer overflows in Type1 font file parser.
    t1load.c
    count = (FT_Int)T1_ToInt( parser );
    ...
    if ( FT_NEW_ARRAY( encode->char_index, count ) || ...

    (There's also an identical issue in t42parse.c)
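As an added illustration of the FT_NEW_ARRAY hardening suggested under item 2, and of the bpr/bytes computation quoted from the BDF parser, the following C is example code written for this advisory and is not FreeType's own code: checked_new_array, array_size_overflows, checked_new_array_succeeds and glyph_bytes_or_neg are hypothetical names, and the counts and glyph dimensions used are constructed sample values. It shows the two checks a robust allocation macro needs: rejecting a count whose multiplication by the element size wraps, and refusing a glyph bitmap size that does not fit the 16-bit field it is stored in.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if count * elem_size would wrap around in size_t, 0 otherwise.
   An unchecked count * elem_size in an FT_NEW_ARRAY-style macro is what turns
   an attacker-chosen glyph or property count into an undersized buffer. */
int array_size_overflows(size_t count, size_t elem_size)
{
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Hypothetical robust replacement for an FT_NEW_ARRAY-style allocation:
   returns NULL instead of allocating a too-small block when the size wraps. */
void *checked_new_array(size_t count, size_t elem_size)
{
    if (elem_size == 0 || array_size_overflows(count, elem_size))
        return NULL;
    return calloc(count, elem_size);
}

/* Convenience wrapper: allocate, report whether it succeeded, free again. */
int checked_new_array_succeeds(size_t count, size_t elem_size)
{
    void *p = checked_new_array(count, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* Mirror of the BDF glyph size computation
       bpr   = (width * bpp + 7) >> 3;
       bytes = (unsigned short)(bpr * height);
   done in 64-bit arithmetic. The 16-bit operands mirror the bbx fields in
   the BDF parser, so the intermediate products cannot wrap in uint64_t.
   Returns the byte count, or -1 if it would not fit the unsigned short field
   that the parser stores it in (the silent truncation in the original). */
long glyph_bytes_or_neg(uint16_t width, uint16_t bpp, uint16_t height)
{
    uint64_t bpr   = ((uint64_t)width * bpp + 7) >> 3;
    uint64_t total = bpr * height;
    if (total > USHRT_MAX)
        return -1;
    return (long)total;
}

int main(void)
{
    /* Constructed sample values: a plausible glyph count and a wrapping one. */
    size_t sane_count    = 1024;
    size_t hostile_count = SIZE_MAX / 8 + 1;   /* count * 8 wraps past zero */

    printf("count %zu x 8 bytes: %s\n", sane_count,
           checked_new_array_succeeds(sane_count, 8) ? "allocated" : "rejected");
    printf("hostile count x 8 bytes: %s\n",
           checked_new_array_succeeds(hostile_count, 8) ? "allocated" : "rejected");

    /* Constructed glyph dimensions: an ordinary 8x16 1bpp glyph and one whose
       bitmap size overflows the 16-bit bytes field. */
    printf("8x16 @ 1bpp -> %ld bytes\n", glyph_bytes_or_neg(8, 1, 16));
    printf("65535x65535 @ 8bpp -> %ld (negative means rejected)\n",
           glyph_bytes_or_neg(65535, 8, 65535));
    return 0;
}
```

The checked count is compared against SIZE_MAX / elem_size before multiplying, so the test is correct on both 32-bit and 64-bit builds; the glyph computation is done in uint64_t and then range-checked rather than cast, which is the general form of the fix for any width * bpp * height style size that is later narrowed to a smaller integer type.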


Chris Evans
scarybeasts@gmail.com