

CVE-2010-4259

Experiment Environment

Ubuntu 10.04 LTS

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2010-4259/fontforge_0.0.20100501.orig.tar.bz2
tar -xvf fontforge_0.0.20100501.orig.tar.bz2
cd fontforge-20100501/
./configure --prefix="$PWD/install"
make
make install

Problems in Installation & Configuration

How to trigger the vulnerability

cd install/bin/
./fontforge 45162.poc

PoCs

FontForge - '.BDF' Font File Stack Buffer Overflow (PoC)

FontForge Bitmap Distribution Format (.BDF) Font File Stack-Based Buffer Overflow Vulnerability

Vulnerability Patch

Root Cause

Stack-based buffer overflow in FontForge 20100501 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long CHARSET_REGISTRY header in a BDF font file.

 	else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
	    sscanf(buf, "%[^\"]", encname );

Stack Trace

Patch

--- fontforge/fontforge/fvimportbdf.c	15 Apr 2010 10:47:36 -0000	1.58
+++ fontforge/fontforge/fvimportbdf.c	3 Dec 2010 21:03:38 -0000
@@ -560,7 +560,7 @@
 	}
     
 	if ( strcmp(tok,"FONT")==0 ) {
-	    if ( sscanf(buf,"-%*[^-]-%[^-]-%[^-]-%[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+	    if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )!=0 ) {
 		char *pt=buf;
 		int dcnt=0;
 		while ( *pt=='-' && dcnt<7 ) { ++pt; ++dcnt; }
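Review bot: The `%99[^-]` widths added at L64 change what happens when a field is longer than 99 characters: the conversion stops after 99 bytes, the literal `-` that follows in the format then fails to match the leftover text, and sscanf returns 1 or 2 — which the surrounding `!=0` test still accepts, so `weight` and `italic` can be left holding whatever they held before (uninitialised unless they are cleared earlier; their declarations are outside the hunk). Requiring all three conversions, `if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )==3 ) {`, would send an over-long name through the manual `-`-walking parser below instead, though whether that fallback copes with such input is not visible from the hunk. The widths also hard-code an array size declared elsewhere; a comment next to the call such as `/* family, weight, italic are assumed to be 100-byte arrays: %99 leaves room for the NUL */` would keep the two in step. The enclosing function starts before this hunk.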
@@ -616,26 +616,30 @@
 	    sscanf(buf, "%d", &defs->metricsset );
 	else if ( strcmp(tok,"VVECTOR")==0 )
 	    sscanf(buf, "%*d %d", &defs->vertical_origin );
+	/* For foundry, fontname and encname, only copy up to the buffer size */
 	else if ( strcmp(tok,"FOUNDRY")==0 )
-	    sscanf(buf, "%[^\"]", foundry );
+	    sscanf(buf, "%99[^\"]", foundry );
 	else if ( strcmp(tok,"FONT_NAME")==0 )
-	    sscanf(buf, "%[^\"]", fontname );
+	    sscanf(buf, "%99[^\"]", fontname );
 	else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
-	    sscanf(buf, "%[^\"]", encname );
+	    sscanf(buf, "%99[^\"]", encname );
 	else if ( strcmp(tok,"CHARSET_ENCODING")==0 ) {
 	    enc = 0;
 	    if ( sscanf(buf, " %d", &enc )!=1 )
 		sscanf(buf, "%d", &enc );
+	/* These properties should be copied up to the buffer length too */
 	} else if ( strcmp(tok,"FAMILY_NAME")==0 ) {
-	    strcpy(family,buf);
+	    strncpy(family,buf,99);
 	} else if ( strcmp(tok,"FULL_NAME")==0 || strcmp(tok,"FACE_NAME")==0 ) {
-	    strcpy(full,buf);
+	    strncpy(full,buf,99);
 	} else if ( strcmp(tok,"WEIGHT_NAME")==0 )
-	    strcpy(weight,buf);
+	    strncpy(weight,buf,99);
 	else if ( strcmp(tok,"SLANT")==0 )
-	    strcpy(italic,buf);
+	    strncpy(italic,buf,99);
 	else if ( strcmp(tok,"COPYRIGHT")==0 ) {
-	    strcpy(comments,buf);
+		/* LS: Assume the size of the passed-in buffer is 1000, see below in
+		 * COMMENT */
+	    strncpy(comments,buf,999);
 	    found_copyright = true;
 	} else if ( strcmp(tok,"COMMENT")==0 && !found_copyright ) {
 	    char *pt = comments+strlen(comments);
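Review bot: `strncpy(family,buf,99)` at L89 — and likewise the copies into `full`, `weight`, `italic` at L92/L95/L98 and into `comments` at L103 — leaves the destination without a NUL terminator whenever `buf` holds 99 (respectively 999) or more characters, because strncpy only terminates when the source fits, so the overflow is traded for an unterminated string. The COMMENT branch directly below calls `strlen(comments)` on that possibly unterminated array at L106 and reads past its end; the other arrays presumably reach a strcmp or strcpy later in the function. Each copy needs an explicit terminator, e.g. `strncpy(family,buf,99); family[99] = '\0';` and `strncpy(comments,buf,999); comments[999] = '\0';`, or the equivalent `snprintf(comments, 1000, "%s", buf);`, taking the sizes 100 and 1000 from the `%99` widths and the comment at L101–L102 since the declarations are outside the hunk. The enclosing function also starts before this hunk.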

References

CVE-2010-4259 FontForge: Stack-based buffer overflow by processing specially-crafted CHARSET_REGISTRY font file header
