A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:

--- cut ---
Iteration(0,0)Iteration(0,1)
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f857116fde3, pid=31542, tid=0x00007f85a5a70700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C  [libt2k.so+0x4cde3]  ExtractBitMap_blocClass+0xcc3
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# jre/8u202/hs_err_pid31542.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the JavaVirtualMachine in native code.
# See problematic frame for where to report the bug.
#
Aborted
--- cut ---

Under gdb, we can find out that the ExtractBitMap_blocClass function attempts to access an invalid memory region:

--- cut ---
gdb$ c
Continuing.
Iteration(0,0)Iteration(0,1)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x96e40 ('@n\t')
RBX: 0x100c4
RCX: 0x12dc8
RDX: 0x757969c4
RSI: 0x7ffff02f7238 --> 0x7840201008
[...]
[-------------------------------------code-------------------------------------]
   0x7fffbf616ddb <ExtractBitMap_blocClass+3259>:	mov    ecx,eax
   0x7fffbf616ddd <ExtractBitMap_blocClass+3261>:	sar    ecx,0x3
   0x7fffbf616de0 <ExtractBitMap_blocClass+3264>:	movsxd rcx,ecx
=> 0x7fffbf616de3 <ExtractBitMap_blocClass+3267>:	movzx  edi,BYTE PTR [rsi+rcx*1]
   0x7fffbf616de7 <ExtractBitMap_blocClass+3271>:	cmp    edx,r8d
   0x7fffbf616dea <ExtractBitMap_blocClass+3274>:	jl     0x7fffbf616dd0 <ExtractBitMap_blocClass+3248>
   0x7fffbf616dec <ExtractBitMap_blocClass+3276>:	mov    ecx,r11d
   0x7fffbf616def <ExtractBitMap_blocClass+3279>:	mov    r13d,0x80
[------------------------------------stack-------------------------------------]
[...]
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffbf616de3 in ExtractBitMap_blocClass () from jre/8u202/lib/amd64/libt2k.so
--- cut ---

The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:

--- cut ---
(5218.154c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2155:
00007ffa`0b8eb651 468a1c20        mov     r11b,byte ptr [rax+r12] ds:00000000`64c09000=??
0:004> ? rax
Evaluate expression: 84720 = 00000000`00014af0
0:004> ? r12
Evaluate expression: 1690256656 = 00000000`64bf4510
0:004> k
 # Child-SP          RetAddr           Call Site
00 00000000`04a8e9d0 00007ffa`0b8ebf92 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2155
01 00000000`04a8eaa0 00007ffa`0b8e8e05 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2a96
02 00000000`04a8eb80 00007ffa`0b8e9011 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0xd4fd
03 00000000`04a8ebf0 00007ffa`0b8daeab t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0xd709
04 00000000`04a8ec90 00000000`04f18d27 t2k!Java_sun_font_T2KFontScaler_getGlyphImageNative+0x163
05 00000000`04a8ed60 00000000`02a3e1f8 0x4f18d27
06 00000000`04a8ed68 00000000`04a8ee48 0x2a3e1f8
07 00000000`04a8ed70 00000000`5c36dff8 0x4a8ee48
08 00000000`04a8ed78 00000000`00000000 0x5c36dff8
--- cut ---

Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
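A minimal loading harness of the kind the report describes, added here as an example (it is not the program attached to the report): it takes TrueType file paths on the command line and drives the public AWT font API so that the native scaler produces both glyph outlines and glyph images, the two entry points visible in the stack traces above. The class name FontLoadHarness and the 24 pt size are arbitrary choices.

```java
import java.awt.Font;
import java.awt.FontFormatException;
import java.awt.Graphics2D;
import java.awt.RenderingHints;
import java.awt.font.FontRenderContext;
import java.awt.font.GlyphVector;
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;

// Triage harness (added example, not the program attached to the report).
// Each font given on the command line is loaded and every glyph is scaled
// through the JRE's native font scaler (libt2k.so / t2k.dll in 8u202).
public class FontLoadHarness {
    public static void main(String[] args) throws IOException, FontFormatException {
        if (args.length == 0) {
            System.err.println("usage: java FontLoadHarness <font.ttf> [more.ttf ...]");
            System.exit(2);
        }
        for (String path : args) {
            System.out.println("Loading " + path);
            Font base = Font.createFont(Font.TRUETYPE_FONT, new File(path));
            Font font = base.deriveFont(24f);   // point size is an arbitrary choice
            BufferedImage img = new BufferedImage(256, 64, BufferedImage.TYPE_INT_ARGB);
            Graphics2D g = img.createGraphics();
            g.setRenderingHint(RenderingHints.KEY_TEXT_ANTIALIASING,
                               RenderingHints.VALUE_TEXT_ANTIALIAS_OFF);
            g.setFont(font);
            FontRenderContext frc = g.getFontRenderContext();
            // Glyph codes are requested directly so that every glyph in the font
            // is scaled, not only those reachable through the cmap table.
            int numGlyphs = font.getNumGlyphs();
            for (int gid = 0; gid < numGlyphs; gid++) {
                GlyphVector gv = font.createGlyphVector(frc, new int[] { gid });
                gv.getOutline();                  // outline path (getGlyphVectorOutlineNative)
                g.drawGlyphVector(gv, 8f, 40f);   // image path (getGlyphImageNative)
            }
            g.dispose();
            System.out.println("  rendered " + numGlyphs + " glyphs");
        }
    }
}
```

Run it under a debugger (or with core dumps enabled, as the JRE error message suggests) so that a native fault in the scaler is captured with a stack trace rather than only the hs_err log.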
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46411.zip