Microsoft Windows – Uniscribe Font Processing Heap Memory Corruption in ‘USP10!MergeLigRecords’ (MS17-011)

  • Author: Google Security Research
    Date: 2017-03-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/41650/
  • Original report: https://bugs.chromium.org/p/project-zero/issues/detail?id=1026&desc=2
    
    We have encountered a crash in the Windows Uniscribe user-mode library, in the memcpy() function called by USP10!MergeLigRecords, while trying to display text using a corrupted font file:
    
    ---
    (2bd0.637c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0929a000 ebx=09299fa0 ecx=00000009 edx=00000002 esi=09299fda edi=092b7914
    eip=76bc9b60 esp=0015f534 ebp=0015f53c iopl=0 nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    msvcrt!memcpy+0x5a:
    76bc9b60 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    0:000> kb
    ChildEBP RetAddr  Args to Child
    0015f53c 751f777d 092b7914 09299fda 00000026 msvcrt!memcpy+0x5a
    0015f554 751f74e9 0928ffd0 0928f9d0 0015f5f0 USP10!MergeLigRecords+0x14d
    0015f5b4 751f7044 0000001a 09223d88 09233fa8 USP10!LoadTTOArabicShapeTables+0x3f9
    0015f5c8 751fc5f4 a60118b0 09223d88 09216124 USP10!LoadArabicShapeTables+0xd4
    0015f5e4 751ea5a0 a60118b0 0928f7d0 0000001a USP10!ArabicLoadTbl+0xd4
    0015f608 751ea692 09216124 a60118b0 0000001a USP10!UpdateCache+0xb0
    0015f61c 751f152d a60118b0 09216000 751f15db USP10!ScriptCheckCache+0x62
    0015f628 751f15db 00000001 00000001 092162e8 USP10!GetShapeFunction+0xd
    0015f660 751f2b14 00000001 00000000 0015f6e0 USP10!RenderItemNoFallback+0x5b
    0015f68c 751f2da2 00000001 00000000 0015f6e0 USP10!RenderItemWithFallback+0x104
    0015f6b0 751f4339 00000000 0015f6e0 09216124 USP10!RenderItem+0x22
    0015f6f4 751e7a04 000004a0 00000400 a60118b0 USP10!ScriptStringAnalyzeGlyphs+0x1e9
    0015f70c 76ca5465 a60118b0 09216040 0000000a USP10!ScriptStringAnalyse+0x284
    0015f758 76ca5172 a60118b0 0015fb40 0000000a LPK!LpkStringAnalyse+0xe5
    0015f854 76ca1410 a60118b0 00000000 00000000 LPK!LpkCharsetDraw+0x332
    0015f888 763c18b0 a60118b0 00000000 00000000 LPK!LpkDrawTextEx+0x40
    0015f8c8 763c22bf a60118b0 000000c0 00000000 USER32!DT_DrawStr+0x13c
    0015f914 763c21f2 a60118b0 0015fb40 0015fb54 USER32!DT_GetLineBreak+0x78
    0015f9c0 763c14d4 a60118b0 00000000 0000000a USER32!DrawTextExWorker+0x255
    0015f9e4 763c2475 a60118b0 0015fb40 ffffffff USER32!DrawTextExW+0x1e
    0015fa18 010e6a5c a60118b0 0015fb40 ffffffff USER32!DrawTextW+0x4d
    [...]
    0:000> dd esi
    09299fda  03e003df 03df03ea 03df0382 03df0384
    09299fea  03df0388 03e0038e 03e00382 03e00384
    09299ffa  03e00388 ???????? ???????? ????????
    0929a00a  ???????? ???????? ???????? ????????
    0929a01a  ???????? ???????? ???????? ????????
    0929a02a  ???????? ???????? ???????? ????????
    0929a03a  ???????? ???????? ???????? ????????
    0929a04a  ???????? ???????? ???????? ????????
    0:000> dd edi
    092b7914  ???????? ???????? ???????? ????????
    092b7924  ???????? ???????? ???????? ????????
    092b7934  ???????? ???????? ???????? ????????
    092b7944  ???????? ???????? ???????? ????????
    092b7954  ???????? ???????? ???????? ????????
    092b7964  ???????? ???????? ???????? ????????
    092b7974  ???????? ???????? ???????? ????????
    092b7984  ???????? ???????? ???????? ????????
    ---
    
    In the dump above, memcpy() faults on its first iteration (esi and ecx still hold the original source pointer and dword count, 0x26 bytes = 9 dwords) while the destination in edi points into memory the debugger cannot read; the 0x26 source bytes at esi are all readable, ending exactly at the page boundary 0x0929a000. That is the pattern of a write past the end of a page-heap-guarded destination allocation rather than an over-read of the source.
    
    The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
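    The kind of custom rendering program the report refers to, written here as an added example (it is not part of the Project Zero report or the exploit-db entry): a Python harness that uses ctypes to load a font privately with AddFontResourceExW and pushes every BMP code point listed in the font's cmap table through USER32!DrawTextW, the entry point at the bottom of the stack above, at several point sizes. Drawing every mapped code point is what gets script-specific shaping code such as the Arabic table loading in the stack to run. The face name is assumed to be known and is passed as an argument; the table-directory and cmap parsing is plain Python and is what the inline sample exercises.

```python
"""Added example (not from the Project Zero report): draw every BMP code point a
TrueType font maps, at several point sizes, through USER32!DrawTextW, the entry
point at the bottom of the crash stack above, so Uniscribe shapes the whole glyph
set. The table parsing is portable; render_all_glyphs() needs Windows."""
import struct

def find_table(font, tag):
    """Raw bytes of table `tag` from a TrueType/OpenType file, bounds-checked."""
    num_tables = struct.unpack_from(">H", font, 4)[0]
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("table directory truncated")
        rtag, _csum, off, length = struct.unpack_from(">4sIII", font, rec)
        if rtag == tag:
            if off + length > len(font):
                raise ValueError("table %r lies outside the file" % tag)
            return font[off:off + length]
    raise KeyError(tag)

def cmap_codepoints(cmap):
    """Sorted code points of the first format-4 (BMP) cmap subtable, minus
    surrogates and the U+FFFF sentinel, so the result can be fed to a UTF-16 API.
    Every offset is checked: the fonts this runs on are malformed by design."""
    num_sub = struct.unpack_from(">H", cmap, 2)[0]
    for i in range(num_sub):
        if 12 + 8 * i > len(cmap):
            break
        off = struct.unpack_from(">I", cmap, 8 + 8 * i)[0]   # encoding record offset
        if off + 14 > len(cmap) or struct.unpack_from(">H", cmap, off)[0] != 4:
            continue
        seg_count = struct.unpack_from(">H", cmap, off + 6)[0] // 2
        ends = off + 14                     # endCode[segCount]
        starts = ends + 2 * seg_count + 2   # startCode[segCount], after reservedPad
        if starts + 2 * seg_count > len(cmap):
            raise ValueError("format-4 subtable truncated")
        cps = set()
        for s in range(seg_count):
            end = struct.unpack_from(">H", cmap, ends + 2 * s)[0]
            start = struct.unpack_from(">H", cmap, starts + 2 * s)[0]
            if start <= end:                # start > end is a corrupt segment; skip
                cps.update(range(start, min(end, 0xFFFE) + 1))
        return sorted(cp for cp in cps if not 0xD800 <= cp <= 0xDFFF)
    raise ValueError("no format-4 cmap subtable")

def chunk_text(codepoints, size=64):
    """Join code points into strings of at most `size` characters."""
    return ["".join(map(chr, codepoints[i:i + size]))
            for i in range(0, len(codepoints), size)]

def render_all_glyphs(font_path, face_name, point_sizes=(8, 10, 12, 16, 24, 36, 72)):
    """Windows only. Load the font privately and DrawTextW every mapped code point
    at each size; returns the number of DrawTextW calls. `face_name` is assumed to
    be known (the family name the font reports)."""
    import ctypes
    from ctypes import wintypes as wt
    gdi32 = ctypes.WinDLL("gdi32", use_last_error=True)
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    gdi32.AddFontResourceExW.argtypes = [wt.LPCWSTR, wt.DWORD, wt.LPVOID]
    gdi32.RemoveFontResourceExW.argtypes = [wt.LPCWSTR, wt.DWORD, wt.LPVOID]
    gdi32.CreateCompatibleDC.restype, gdi32.CreateFontW.restype = wt.HDC, wt.HFONT
    gdi32.CreateFontW.argtypes = [ctypes.c_int] * 5 + [wt.DWORD] * 8 + [wt.LPCWSTR]
    gdi32.SelectObject.argtypes, gdi32.SelectObject.restype = [wt.HDC, wt.HGDIOBJ], wt.HGDIOBJ
    gdi32.DeleteObject.argtypes, gdi32.DeleteDC.argtypes = [wt.HGDIOBJ], [wt.HDC]
    gdi32.GetDeviceCaps.argtypes = [wt.HDC, ctypes.c_int]
    user32.DrawTextW.argtypes = [wt.HDC, wt.LPCWSTR, ctypes.c_int, ctypes.POINTER(wt.RECT), wt.UINT]
    FR_PRIVATE, LOGPIXELSY, OUT_TT_ONLY_PRECIS = 0x10, 90, 7
    DT_WORDBREAK, DT_CALCRECT, DT_NOPREFIX = 0x10, 0x400, 0x800

    with open(font_path, "rb") as f:
        chunks = chunk_text(cmap_codepoints(find_table(f.read(), b"cmap")))
    # FR_PRIVATE: visible to this process only, nothing is written to the registry.
    if not gdi32.AddFontResourceExW(font_path, FR_PRIVATE, None):
        raise ctypes.WinError(ctypes.get_last_error())
    hdc = gdi32.CreateCompatibleDC(None)
    dpi = gdi32.GetDeviceCaps(hdc, LOGPIXELSY)
    calls = 0
    try:
        for pt in point_sizes:
            # Negative height selects character height; OUT_TT_ONLY_PRECIS forces TrueType.
            hfont = gdi32.CreateFontW(-(pt * dpi) // 72, 0, 0, 0, 400, 0, 0, 0, 1,
                                      OUT_TT_ONLY_PRECIS, 0, 0, 0, face_name)
            old = gdi32.SelectObject(hdc, hfont)
            for text in chunks:
                rect = wt.RECT(0, 0, 1024, 4096)
                # DT_CALCRECT does not paint, but still lays out and shapes the text.
                user32.DrawTextW(hdc, text, len(text), ctypes.byref(rect),
                                 DT_CALCRECT | DT_NOPREFIX | DT_WORDBREAK)
                calls += 1
            gdi32.SelectObject(hdc, old)
            gdi32.DeleteObject(hfont)
    finally:
        gdi32.DeleteDC(hdc)
        gdi32.RemoveFontResourceExW(font_path, FR_PRIVATE, None)
    return calls

if __name__ == "__main__":
    import sys
    print("%d DrawTextW calls completed" % render_all_glyphs(sys.argv[1], sys.argv[2]))
```

    Run it as `python harness.py sample.ttf "Face Name"` under cdb or WinDbg, with page heap enabled for the interpreter (`gflags /p /enable python.exe /full`), so that an overrun like the one above faults on the guard page at the offending instruction instead of silently corrupting neighbouring heap data. The cmap parser deliberately tolerates corrupt segments and stops at truncated tables, because a sample that crashes Uniscribe is likely to trip a naive parser as well.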
    
    Attached is a proof of concept malformed font file which triggers the crash.
    
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41650.zip