FreeType 2.6.1 – TrueType tt_sbit_decoder_load_bit_aligned Heap Out-of-Bounds Read

  • Author: Google Security Research
    Date: 2015-11-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/38662/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=614
    
    The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of freetype2 from the master git branch, using a 64-bit build of the ftbench utility compiled with AddressSanitizer:
    
    $ ftbench <file> 
    
    Attached are three POC files which trigger the conditions. 
    
    --- 
    $ freetype2-demos/bin/ftbench asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b 
    
    ftbench results for font `asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b'
    -------------------------------------------------------------------------------------
    
    family: (null)
     style: (null)
    
    number of seconds for each test: 2.000000
    
    starting glyph index: 0
    face size: 10ppem
    font preloading into memory: no
    
    load flags: 0x0
    render mode: 0
    
    CFF engine set to Adobe
    TrueType engine set to version 35
    maximum cache size: 1024KiByte
    
    executing tests:
    Load=================================================================
    ==22366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb55 at pc 0x00000069e2fc bp 0x7fffc4670610 sp 0x7fffc4670608
    READ of size 1 at 0x60200000eb55 thread T0
    #0 0x69e2fb in tt_sbit_decoder_load_bit_aligned freetype2/src/sfnt/ttsbit.c:834:19
    #1 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #2 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #3 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
    #4 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #5 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #6 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
    #7 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
    #8 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
    #9 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
    #10 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
    #11 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
    #12 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
    #13 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9
    
    0x60200000eb55 is located 0 bytes to the right of 5-byte region [0x60200000eb50,0x60200000eb55)
    allocated by thread T0 here:
    #0 0x4bc4a8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x756740 in ft_alloc freetype2/src/base/ftsystem.c:74:12
    #2 0x51b4e7 in ft_mem_qalloc freetype2/src/base/ftutil.c:76:15
    #3 0x51abb1 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:269:12
    #4 0x51a800 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200:13
    #5 0x69ccab in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1036:10
    #6 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #7 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
    #8 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
    #9 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
    #10 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
    #11 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
    #12 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
    #13 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
    #14 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
    #15 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
    #16 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
    #17 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:834:19 in tt_sbit_decoder_load_bit_aligned
    Shadow bytes around the buggy address:
    0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
    0x0c047fff9d70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    0x0c047fff9d90: fa fa fd fa fa fa 04 fa fa fa 00 fa fa fa fd fa
    0x0c047fff9da0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
    0x0c047fff9db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:     fa
    Heap right redzone:    fb
    Freed heap region:     fd
    Stack left redzone:    f1
    Stack mid redzone:     f2
    Stack right redzone:   f3
    Stack partial redzone: f4
    Stack after return:    f5
    Stack use after scope: f8
    Global redzone:        f9
    Global init order:     f6
    Poisoned by user:      f7
    Container overflow:    fc
    Array cookie:          ac
    Intra object redzone:  bb
    ASan internal:         fe
    Left alloca redzone:   ca
    Right alloca redzone:  cb
    ==22366==ABORTING
    ---
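The ASan report above says everything a defender needs about the shape of the defect: the decoder works on a stream frame that is exactly 5 bytes long (allocated by FT_Stream_ExtractFrame in tt_sbit_decoder_load_bitmap), and the bit-aligned reader in tt_sbit_decoder_load_bit_aligned performs a 1-byte read at offset 5, i.e. one byte past the end. The bit count it consumes is derived from glyph metrics in the font, so a malformed font can make that count exceed the frame. The following C program is an added, simplified model of that bug class and its mitigation; it is not FreeType's code, and the function and constant names in it (`sbit_bytes_needed`, `sbit_decode_bit_aligned`, `SBIT_ERR_BOUNDS`, `SAMPLE_FRAME`) are constructed for this illustration. The actual FreeType fix lives in the Savannah bug referenced in this report and is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed error codes for this example (not FreeType's FT_Err_* values). */
#define SBIT_OK          0
#define SBIT_ERR_BOUNDS  1

/* Constructed 5-byte frame, the same size as the region in the ASan report.
 * The bit pattern is arbitrary sample data. */
const uint8_t SAMPLE_FRAME[5] = { 0xA5, 0xFF, 0x00, 0x0F, 0xF0 };

/* Number of whole bytes a bit-aligned 1-bpp glyph of width x height pixels,
 * starting at bit_off, would touch. This is the quantity an unchecked decoder
 * never compares against the frame length. 64-bit arithmetic avoids wrapping
 * when width and height come from an untrusted file. */
size_t sbit_bytes_needed(unsigned width, unsigned height, unsigned bit_off)
{
    uint64_t bits = (uint64_t)width * height + bit_off;
    return (size_t)((bits + 7) / 8);
}

/* Checked decoder: unpacks a bit-aligned 1-bpp glyph into one byte per pixel
 * (0 or 1), MSB first within each byte. The two bounds checks up front are the
 * mitigation: the read cursor can never leave [frame, frame + frame_len), and
 * the output buffer can never be overrun either. */
int sbit_decode_bit_aligned(const uint8_t *frame, size_t frame_len,
                            unsigned width, unsigned height, unsigned bit_off,
                            uint8_t *out, size_t out_len)
{
    uint64_t pixels      = (uint64_t)width * height;
    uint64_t needed_bits = pixels + bit_off;

    /* Reject before touching memory: a 5-byte frame holds 40 bits, so a
     * glyph needing 41 bits (the report's "0 bytes to the right of 5-byte
     * region" situation) is refused here instead of read out of bounds. */
    if (needed_bits > (uint64_t)frame_len * 8)
        return SBIT_ERR_BOUNDS;
    if (pixels > out_len)
        return SBIT_ERR_BOUNDS;

    uint64_t cursor = bit_off;
    for (unsigned y = 0; y < height; y++) {
        for (unsigned x = 0; x < width; x++, cursor++) {
            size_t   byte = (size_t)(cursor >> 3);   /* always < frame_len */
            unsigned bit  = 7 - (unsigned)(cursor & 7);
            out[(size_t)y * width + x] = (uint8_t)((frame[byte] >> bit) & 1);
        }
    }
    return SBIT_OK;
}

int main(void)
{
    uint8_t out[64];

    /* 8x5 glyph at bit offset 0: exactly 40 bits, fits the 5-byte frame. */
    int rc = sbit_decode_bit_aligned(SAMPLE_FRAME, sizeof SAMPLE_FRAME,
                                     8, 5, 0, out, sizeof out);
    printf("8x5 @ bit 0: rc=%d, needs %zu bytes, first row %d%d%d%d%d%d%d%d\n",
           rc, sbit_bytes_needed(8, 5, 0),
           out[0], out[1], out[2], out[3], out[4], out[5], out[6], out[7]);

    /* Same glyph shifted by one bit: 41 bits, would read byte index 5. */
    rc = sbit_decode_bit_aligned(SAMPLE_FRAME, sizeof SAMPLE_FRAME,
                                 8, 5, 1, out, sizeof out);
    printf("8x5 @ bit 1: rc=%d, needs %zu bytes (frame has 5)\n",
           rc, sbit_bytes_needed(8, 5, 1));
    return 0;
}
```

The second case is the report's arithmetic in miniature: five bytes allocated, six required, and the only question is whether the comparison happens before the read. When triaging a crash like this one, the frame length (from the allocation stack) and the metrics-derived bit count (from the crashing function's arguments) are the two numbers to pull out of the debugger first; if they disagree, the fix is a check of the form shown here at the entry to the decoder, and a regression test is simply the offending font under ASan.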
    
    The issue was reported in https://savannah.nongnu.org/bugs/?46379.
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38662.zip