Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap overflow in stbtt__buf_get8 in stb_truetype.h #868

Closed
sleicasper opened this issue Jan 6, 2020 · 2 comments
Closed

heap overflow in stbtt__buf_get8 in stb_truetype.h #868

sleicasper opened this issue Jan 6, 2020 · 2 comments
Labels
1 stb_truetype

Comments

@sleicasper
Copy link

stbtt__buf_get8 has heap overflow vulnerability.

source

poc:
poc.zip

result:

=================================================================
==60039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002810 at pc 0x0000004e639b bp 0x7fffffffd6d0 sp 0x7fffffffd6c8
READ of size 1 at 0x625000002810 thread T0
    #0 0x4e639a  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e639a)
    #1 0x4e7ad0  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e7ad0)
    #2 0x4e9f65  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e9f65)
    #3 0x4e10a4  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e10a4)
    #4 0x4d71a2  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4d71a2)
    #5 0x4e1b28  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e1b28)
    #6 0x7ffff6e24b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x41ad49  (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x41ad49)

Address 0x625000002810 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/casper/targets/struct/stb/dbg/fuzzrun/ttfuzz+0x4e639a)
Shadow bytes around the buggy address:
  0x0c4a7fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff84e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8500: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==60039==ABORTING

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x73be28 --> 0x0
RCX: 0x7ffff6e41e97 (<__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffffc710 --> 0x0
RDI: 0x2
RBP: 0x7fffffffd6a0 --> 0x7fffffffd6d0 --> 0x7fffffffd740 --> 0x7fffffffd770 --> 0x7fffffffd8d0 --> 0x7fffffffe120 (--> ...)
RSP: 0x7fffffffc710 --> 0x0
RIP: 0x7ffff6e41e97 (<__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffffc710 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7fffffffd6d0 --> 0x7fffffffd740 --> 0x7fffffffd770 --> 0x7fffffffd8d0 --> 0x7fffffffe120 --> 0x7fffffffe150 (--> ...)
R13: 0x7fffffffd6c8 --> 0x7fffffffd948 --> 0x2700000027 --> 0x0
R14: 0x7fffffffd670 --> 0xffffffc6000001ba
R15: 0x7ce288 --> 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6e41e8b <__GI_raise+187>:	mov    edi,0x2
   0x7ffff6e41e90 <__GI_raise+192>:	mov    eax,0xe
   0x7ffff6e41e95 <__GI_raise+197>:	syscall
=> 0x7ffff6e41e97 <__GI_raise+199>:	mov    rcx,QWORD PTR [rsp+0x108]
   0x7ffff6e41e9f <__GI_raise+207>:	xor    rcx,QWORD PTR fs:0x28
   0x7ffff6e41ea8 <__GI_raise+216>:	mov    eax,r8d
   0x7ffff6e41eab <__GI_raise+219>:	jne    0x7ffff6e41ecc <__GI_raise+252>
   0x7ffff6e41ead <__GI_raise+221>:	add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc710 --> 0x0
0008| 0x7fffffffc718 --> 0x7fffffffe118 --> 0x0
0016| 0x7fffffffc720 --> 0x940000c600006100
0024| 0x7fffffffc728 --> 0x1008e0000dd0000
0032| 0x7fffffffc730 --> 0x0
0040| 0x7fffffffc738 --> 0x0
0048| 0x7fffffffc740 --> 0x0
0056| 0x7fffffffc748 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6e43801 in __GI_abort () at abort.c:79
#2  0x00000000004b0707 in __sanitizer::Abort() ()
    at /tmp/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:154
#3  0x00000000004af0e1 in __sanitizer::Die() ()
    at /tmp/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:58
#4  0x0000000000496c69 in ~ScopedInErrorReport ()
    at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_report.cc:186
#5  0x00000000004983df in ReportGenericError ()
    at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_report.cc:470
#6  0x0000000000498ab8 in __asan_report_load1 () at /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_rtl.cc:117
#7  0x00000000004e639b in stbtt__buf_get8 (b=0x7fffffffd920) at ./SRC/stb_truetype.h:1105
#8  0x00000000004e7ad1 in stbtt__buf_get (b=0x7fffffffd920, n=0x2) at ./SRC/stb_truetype.h:1132
#9  0x00000000004e9f66 in stbtt__cff_get_index (b=0x7fffffffd920) at ./SRC/stb_truetype.h:1162
#10 0x00000000004e10a5 in stbtt_InitFont_internal (info=0x7fffffffe180, data=0x625000000100 "OTTO", fontstart=0x0)
    at ./SRC/stb_truetype.h:1405
#11 0x00000000004d71a3 in stbtt_InitFont (info=0x7fffffffe180, data=0x625000000100 "OTTO", offset=0x0)
    at ./SRC/stb_truetype.h:4771
#12 0x00000000004e1b29 in main (argc=0x2, argv=0x7fffffffe428) at ../fuzzsrc/ttfuzz.c:29
#13 0x00007ffff6e24b97 in __libc_start_main (main=0x4e18f0 <main>, argc=0x2, argv=0x7fffffffe428,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe418)
    at ../csu/libc-start.c:310
#14 0x000000000041ad4a in _start ()
@carnil
Copy link

carnil commented Jan 10, 2020

CVE-2020-6620 was assigned for this issue.

@nothings
Copy link
Owner

nothings commented Jul 4, 2021

The documentation for the library was modified in 2020 to make clear it is intentionally insecure, and fixing issues like this is out of scope.

@nothings nothings closed this as completed Jul 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1 stb_truetype
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@carnil @nothings @sleicasper