0x01 Description
In libgraphite2 version 1.3.11 and the master branch, a segmentation fault vulnerability was found in graphite2::Slot::prev(), which may allow attackers to cause a denial of service or possibly other impact via a crafted font file.
0x02 How to reproduce
This issue can be reproduced by the following command:
gr2fonttest $POC -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
0x03 Debugging Information
gzq@ubuntu:~/fuzz/tmp/graphite/build/gr2fonttest$ gdb -q ./gr2fonttest
Reading symbols from ./gr2fonttest...done.
(gdb) r libgraphite2-segfault-graphite2::Slot::prev-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/fuzz/tmp/graphite/build/gr2fonttest/gr2fonttest libgraphite2-segfault-graphite2::Slot::prev-1.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000 102f 103f 104f 105f 106f 107f 108f 109f 10af
10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc635e in graphite2::Slot::prev (this=<optimized out>, s=<optimized out>) at /home/gzq/fuzz/tmp/graphite/src/inc/Slot.h:88
88 void prev(Slot *s) { m_prev = s; }
(gdb) bt
#0 0x00007ffff7bc635e in graphite2::Slot::prev (this=<optimized out>, s=<optimized out>) at /home/gzq/fuzz/tmp/graphite/src/inc/Slot.h:88
#1 graphite2::Segment::reverseSlots (this=this@entry=0x5555557800e0) at /home/gzq/fuzz/tmp/graphite/src/Segment.cpp:357
#2 0x00007ffff7bab2d2 in graphite2::Segment::finalise (reverse=true, font=0x555555771520, this=0x5555557800e0) at /home/gzq/fuzz/tmp/graphite/src/inc/Segment.h:213
#3 (anonymous namespace)::makeAndInitialize (dir=1, nChars=19, pStart=0x555555771570, enc=gr_utf8, pFeats=0x555555780080, script=0, face=<optimized out>, font=0x555555771520) at /home/gzq/fuzz/tmp/graphite/src/gr_segment.cpp:51
#4 gr_make_seg (font=0x555555771520, face=<optimized out>, script=<optimized out>, pFeats=0x555555780080, enc=gr_utf8, pStart=0x555555771570, nChars=19, dir=1) at /home/gzq/fuzz/tmp/graphite/src/gr_segment.cpp:105
#5 0x0000555555557109 in Parameters::testFileFont (this=0x7fffffffe220) at /home/gzq/fuzz/tmp/graphite/gr2fonttest/gr2FontTest.cpp:700
#6 0x0000555555555f98 in main (argc=29, argv=0x7fffffffe398) at /home/gzq/fuzz/tmp/graphite/gr2fonttest/gr2FontTest.cpp:810
For security considerations, the attached PoC file is encrypted with a password, which I have sent to you.
0x04 Author
This issue was reported by Ziqiang Gu from WeiRan Labs.
0x05 POC
libgraphite2-segfault-graphite2__Slot__prev-1.zip