Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap overflow in ttUSHORT in stb_truetype.h #867

Closed
sleicasper opened this issue Jan 6, 2020 · 2 comments
Closed

heap overflow in ttUSHORT in stb_truetype.h #867

sleicasper opened this issue Jan 6, 2020 · 2 comments
Labels
1 stb_truetype

Comments

@sleicasper
Copy link

ttUSHORT don't have any bound check, so heap overflow can be triggered.

souce0

source1

poc:
poc.zip

result:

=================================================================
==59598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000004dc at pc 0x0000004c2b5b bp 0x7fffffffd890 sp 0x7fffffffd888
READ of size 1 at 0x6190000004dc thread T0
    #0 0x4c2b5a  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4c2b5a)
    #1 0x4e13c0  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e13c0)
    #2 0x4d71a2  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4d71a2)
    #3 0x4e1b28  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e1b28)
    #4 0x7ffff6e24b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x41ad49  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x41ad49)

0x6190000004dc is located 4 bytes to the right of 1112-byte region [0x619000000080,0x6190000004d8)
allocated by thread T0 here:
    #0 0x492c4d  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x492c4d)
    #1 0x4e1ac8  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e1ac8)
    #2 0x7ffff6e24b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4c2b5a)
Shadow bytes around the buggy address:
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==59598==ABORTING

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x73be28 --> 0x0
RCX: 0x7ffff6e41e97 (<__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffffc8d0 --> 0x0
RDI: 0x2
RBP: 0x7fffffffd860 --> 0x7fffffffd890 --> 0x7fffffffd8d0 --> 0x7fffffffe120 --> 0x7fffffffe150 --> 0x7fffffffe340 (--> ...)
RSP: 0x7fffffffc8d0 --> 0x0
RIP: 0x7ffff6e41e97 (<__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffffc8d0 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7fffffffd890 --> 0x7fffffffd8d0 --> 0x7fffffffe120 --> 0x7fffffffe150 --> 0x7fffffffe340 --> 0x4f3870 (<__libc_csu_init>:	push   r15)
R13: 0x7fffffffd888 --> 0x7fff00000070
R14: 0x7fffffffd830 --> 0x6190000001ef --> 0x3e00070002000000
R15: 0x7ce288 --> 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6e41e8b <__GI_raise+187>:	mov    edi,0x2
   0x7ffff6e41e90 <__GI_raise+192>:	mov    eax,0xe
   0x7ffff6e41e95 <__GI_raise+197>:	syscall
=> 0x7ffff6e41e97 <__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108]
   0x7ffff6e41e9f <__GI_raise+207>:	xor    rcx,QWORD PTR fs:0x28
   0x7ffff6e41ea8 <__GI_raise+216>:	mov    eax,r8d
   0x7ffff6e41eab <__GI_raise+219>:	jne    0x7ffff6e41ecc <__GI_raise+252>
   0x7ffff6e41ead <__GI_raise+221>:	add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc8d0 --> 0x0
0008| 0x7fffffffc8d8 --> 0x7fffffffe118 --> 0x0
0016| 0x7fffffffc8e0 --> 0x3200b5ff
0024| 0x7fffffffc8e8 --> 0x0
0032| 0x7fffffffc8f0 --> 0x0
0040| 0x7fffffffc8f8 --> 0x0
0048| 0x7fffffffc900 --> 0x0
0056| 0x7fffffffc908 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2  0x00000000004b0707 in __sanitizer::Abort() ()
    at /tmp/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:154
#3  0x00000000004af0e1 in __sanitizer::Die() ()
    at /tmp/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:58
#4  0x0000000000496c69 in ~ScopedInErrorReport ()
    at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_report.cc:186
#5  0x00000000004983df in ReportGenericError ()
    at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_report.cc:470
#6  0x0000000000498ab8 in __asan_report_load1 () at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_rtl.cc:117
#7  0x00000000004c2b5b in ttUSHORT (p=0x6190000004dc "") at ./SRC/stb_truetype.h:1254
#8  0x00000000004e13c1 in stbtt_InitFont_internal (info=0x7fffffffe180, data=0x619000000080 "OTTO", fontstart=0x0)
    at ./SRC/stb_truetype.h:1422
#9  0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe180, data=0x619000000080 "OTTO", offset=0x0)
    at ./SRC/stb_truetype.h:4771
#10 0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe428) at ../fuzzsrc/ttfuzz.c:29
#11 0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe428,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe418)
    at ../csu/libc-start.c:310
#12 0x000000000041ad4a in _start ()
@carnil
Copy link

carnil commented Jan 10, 2020

CVE-2020-6621 was assigned for this issue.

@nothings
Copy link
Owner

nothings commented Jul 4, 2021

The documentation for the library was modified in 2020 to make clear it is intentionally insecure, and fixing issues like this is out of scope.

@nothings nothings closed this as completed Jul 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1 stb_truetype
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@carnil @nothings @sleicasper