redpig.dataspill.org: Cross-platform font rendering mayhem

»Late 2008, I reported CVE-2009-2468 to Apple when I reported oCERT-2009-001/CVE-2009-1194 to Mozilla. It turns out that not only can you not trust font libraries with user-supplied fonts (duh), but you also can't trust them to safely handle any externally sourced behavior. In the case of Pango, there was a clear integer overflow when computing the memory allocation for the textrun size. Firefox was largely unaffected because it only used the allocated memory once and never afforded the chance to overwrite the undersized allocation. However, this same behavior was seen in Apple's CoreGraphics library which meant that Camino and Safari and anyone else that allowed a remote user to create large text were affected. In this case, though, the code didn't bail out on a memory allocation error. Instead, it indicated memory allocation failures, then proceeded on its merry way. Apple has fixed this bug in their latest Safari patch (HT3733). A few toy test cases can be found here -- nothing fancy.

0 comments:
This page does not necessarily reflect the views of my employer or anyone I'm associated with.
redpig@dataspill.org