Avast! – Integer Overflow Verifying numFonts in TTC Header

• Exploit Database
• 35 阅读

• 作者： Google Security Research
  日期： 2015-12-10
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38934/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=549
  
  If the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an integer overflow occurs in filevirus_ttf() when calling CSafeGenFile::SafeLockBuffer.
  
  The TTC file format is described here https://www.microsoft.com/typography/otspec/otff.htm
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38934.zip