Please excuse my poor English. I'm not a native speaker. I will do my best to describe this bug.
I tested on system
windows 10 professional
v1903 x64 bit
fontsub.dll version: 10.0.18362.239
fontsub background
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. I have tested CreateFontPackage with a fuzzer.
Please reproduce with page heap disabled.
crash
run with a specific ttf file, then crash
0:000> g
ModLoad: 00007ffe`d90d0000 00007ffe`d916e000 C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe`d2eb0000 00007ffe`d2ed2000 C:\WINDOWS\system32\fontsub.dll
(39c.32e8): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 6D7:0
fontsub!GetGlyphIdx+0x97:
00007ffe`d2ebc5d3 0fb70447 movzx eax,word ptr [rdi+rax*2] ds:0000019c`f43ffffa=????
0:000> kb
# RetAddr : Args to Child : Call Site
00 00007ffe`d2ec397c : 0000019c`f4591470 00000090`d99ef8a0 0000019c`f4595bd0 00000000`00000005 : fontsub!GetGlyphIdx+0x97
01 00007ffe`d2eb712c : 0000019c`f4591460 0000019c`f4591460 ffffffff`ffffffff 00000090`d99efa78 : fontsub!MakeKeepGlyphList+0x478
02 00007ffe`d2eb6f89 : 0000019c`f4591460 00000090`d99efc41 00000000`00000001 00000000`00000001 : fontsub!CreateDeltaTTFEx+0x168
03 00007ffe`d2eb13fa : 00000000`00000000 00000000`00000000 00004f9e`ffa0166d 00000000`00000000 : fontsub!CreateDeltaTTF+0x2c9
04 00007ff7`804811a2 : 00000000`00000000 00000000`00000000 0000019c`f3fc5710 0000019c`f3fc0d00 : fontsub!CreateFontPackage+0x15a
05 00007ff7`804812d4 : 00000000`00000002 9c000000`00000000 00000000`00000000 00007ff7`80481bad : FuzzCreateFontPackage!JustTestCreate+0x1a2
Microsoft Font Subsetting DLL heap-based out-of-bounds read in CreateFontPackage (in fontsub!GetGlyphIdx)
I found this by fuzzing a while ago; it collided with a finding by PJ0, who was assigned the CVE number CVE-2019-1148.
crash in `fontsub!GetGlyphIdx`
crash analysis
Check `rdi+rax*2`: it is ???????? ????????. What causes this? So `rdi+rax*2` reads out of bounds.
fix
How to fix? `r8` comes from `call cs:__imp_bsearch`; then `r8+6` is moved to `eax`; `eax` does some calculation; `eax` is compared with `ecx`. The code checks its high limit, but the code does not check the low limit. So the code should check the `eax` low limit, because you cannot be sure `eax` is always positive. Using a specific ttf file, it may cause some information disclosure.
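The missing lower-limit check the report describes, as an added C example that is not fontsub's code: a signed 16-bit index read from a `bsearch()` result record (the record layout, table contents and the function names `index_ok_upper_only`, `index_ok_both_limits` and `glyph_for` are constructed for illustration) passes an upper-limit-only comparison when it is negative, while the check on both limits rejects it before it can address memory in front of the array.

```c
/* Added example, not fontsub's code: a signed index taken from a
 * bsearch() result must be bounds-checked on BOTH sides before it
 * indexes an array. Layout, data and names are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed record: sorted search key at offset 0 and a signed
 * 16-bit index at offset 6, echoing "r8+6 moved to eax" above. */
typedef struct {
    uint32_t code;       /* search key              (offset 0) */
    uint16_t flags;      /* filler, keeps layout    (offset 4) */
    int16_t  glyph_idx;  /* index into glyph array  (offset 6) */
} Record;

static int cmp_code(const void *key, const void *elem)
{
    uint32_t k = *(const uint32_t *)key;
    uint32_t c = ((const Record *)elem)->code;
    return (k > c) - (k < c);
}

/* Vulnerable pattern: only the high limit is compared. A negative
 * index, sign-extended into a 64-bit register, passes and would be
 * scaled by 2 to land before the array. */
bool index_ok_upper_only(int idx, int count)
{
    return idx < count;
}

/* Hardened pattern: accept only [0, count). */
bool index_ok_both_limits(int idx, int count)
{
    return idx >= 0 && idx < count;
}

/* Constructed data: one good entry, one with a negative index as a
 * crafted table could carry, one past the end of the glyph array. */
static const Record TABLE[] = {
    { 0x41, 0,  2 },   /* 'A' -> glyphs[2]           */
    { 0x42, 0, -3 },   /* 'B' -> glyphs[-3]: malformed */
    { 0x43, 0,  9 },   /* 'C' -> glyphs[9]: past end  */
};
#define TABLE_LEN   (sizeof TABLE / sizeof TABLE[0])
static const uint16_t GLYPHS[4] = { 0, 10, 20, 30 };
#define GLYPH_COUNT 4

/* What the upper-only check decides for the index stored under a key. */
bool upper_only_accepts(uint32_t code)
{
    const Record *r = bsearch(&code, TABLE, TABLE_LEN, sizeof(Record), cmp_code);
    return r != NULL && index_ok_upper_only(r->glyph_idx, GLYPH_COUNT);
}

/* Hardened lookup: returns the glyph id, -1 if the key is absent,
 * -2 if the stored index fails the two-sided bounds check. */
int glyph_for(uint32_t code)
{
    const Record *r = bsearch(&code, TABLE, TABLE_LEN, sizeof(Record), cmp_code);
    if (r == NULL)
        return -1;
    int idx = r->glyph_idx;                 /* sign-extends like movsx */
    if (!index_ok_both_limits(idx, GLYPH_COUNT))
        return -2;
    return GLYPHS[idx];
}

int main(void)
{
    printf("'A': glyph_for=%d\n", glyph_for(0x41));            /* 20  */
    printf("'B': upper-only accepts=%d\n", upper_only_accepts(0x42)); /* 1 */
    printf("'B': glyph_for=%d\n", glyph_for(0x42));            /* -2  */
    printf("'C': glyph_for=%d\n", glyph_for(0x43));            /* -2  */
    return 0;
}
```

The point of the pair of checks is that `idx < count` on a signed value says nothing about the low side; the fix is either the two-sided comparison shown or treating the index as unsigned before a single comparison, which folds the negative range into the rejected high range.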