I'm disinclined to unilaterally assign a CVE here:

- ftgrid doesn't feel like it's useful beyond freetype developers -- try it
  out for yourself on a font on your system. (For me, quite a lot of the
  window space is filled with the previous contents of the screen, but
  perhaps if you're not running a tiling window manager the window will be
  the exact required size. What's left doesn't look like it's end-user or
  even font-designer oriented.)

- I don't think the linked patches completely address the undefined
  behavior due to signed integer overflows:

    typedef struct grBitmap_
    {
      int             rows;
      int             width;
      int             pitch;
      grPixelMode     mode;
      int             grays;
      unsigned char*  buffer;

    } grBitmap;

    static void
    bitmap_scale( GridStatus  st,
                  grBitmap*   bit,
                  int         scale )
    {
      unsigned char*  s = bit->buffer;
      unsigned char*  line;
      int             pitch;
      int             width;
      int             i, j, k;


      pitch = bit->pitch > 0 ? bit->pitch : -bit->pitch;
      width = bit->width;

      /* limit bitmap size */
      if ( pitch * scale <= 0xFFFF && bit->rows * scale <= 0xFFFF )
        line = (unsigned char*)malloc( (size_t)( pitch * bit->rows * scale * scale ) );
      else
        line = NULL;

  What happens if pitch * scale or bit->rows * scale causes an integer
  overflow and the compiler emits code that causes the result to become
  negative? Or the compiler omits the code entirely, because signed integer
  overflow is undefined? All these values are signed integers and I can't
  quickly spot code that would limit these to suitable values.

I don't see any security value in debugging this demo program. If upstream
disagrees and thinks this deserves a CVE, I won't stand in their way, but I
also don't think assigning one here would encourage them to care about the
CVE process. Fixing one specific integer overflow while ignoring two more on
the previous line doesn't feel productive.

If you, dear reader, actually care about this specific program, I encourage
a few steps to explore it further:

- build it with -fsanitize=undefined and fuzz it. I bet there's dozens more
  of these errors.
- build it with -fsanitize=address and fuzz it. I bet there's a few more of
  these errors.
- submit the project to scan.coverity.com. Unless Coverity is already part
  of the workflow, it'll probably find dozens of flaws, some of which will
  represent real bugs reachable by maliciously built fonts or operating
  users or other X clients or the X server.
Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to freetype in Ubuntu.
https://bugs.launchpad.net/bugs/2059852

Title:
  Invalid free called during libfreetype FT_Done_Glyph

Status in freetype package in Ubuntu:
  New
Status in freetype source package in Jammy:
  New

Bug description:
  A fuzzed font file triggers an invalid free operation. Current upstream
  2.13 was not observed crashing with input.

  ==1793660== Memcheck, a memory error detector
  ==1793660== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==1793660== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
  ==1793660== Command: ftgrid 12 ftgrid_invalid_free_shown_by_valgrind.ttf
  ==1793660==
  ==1793660== Argument 'size' of function malloc has a fishy (possibly negative) value: -205496320
  ==1793660==    at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1793660==    by 0x10F09A: UnknownInlinedFun (ftgrid.c:412)
  ==1793660==    by 0x10F09A: UnknownInlinedFun (ftgrid.c:580)
  ==1793660==    by 0x10F09A: main (ftgrid.c:1818)
  ==1793660==
  ==1793660== Invalid free() / delete / delete[] / realloc()
  ==1793660==    at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1793660==    by 0x48C2EC3: UnknownInlinedFun (ftutil.c:173)
  ==1793660==    by 0x48C2EC3: FT_Bitmap_Done (ftbitmap.c:1169)
  ==1793660==    by 0x48C5947: FT_Done_Glyph (ftglyph.c:650)
  ==1793660==    by 0x10F1A0: UnknownInlinedFun (ftgrid.c:589)
  ==1793660==    by 0x10F1A0: main (ftgrid.c:1818)
  ==1793660==  Address 0x5292040 is 0 bytes inside a block of size 58,519,576 free'd
  ==1793660==    at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1793660==    by 0x10F18A: UnknownInlinedFun (ftgrid.c:586)
  ==1793660==    by 0x10F18A: main (ftgrid.c:1818)
  ==1793660==  Block was alloc'd at
  ==1793660==    at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1793660==    by 0x48BDB08: ft_mem_qrealloc (ftutil.c:145)
  ==1793660==    by 0x48BF04D: ft_mem_realloc (ftutil.c:101)
  ==1793660==    by 0x491815B: ft_smooth_render.lto_priv.0 (ftsmooth.c:475)
  ==1793660==    by 0x48BD24C: FT_Render_Glyph_Internal (ftobjs.c:4721)
  ==1793660==    by 0x48C8A2F: FT_Glyph_To_Bitmap (ftglyph.c:596)
  ==1793660==    by 0x11A67E: FTDemo_Glyph_To_Bitmap (ftcommon.c:1365)
  ==1793660==    by 0x10DCC1: UnknownInlinedFun (ftgrid.c:575)
  ==1793660==    by 0x10DCC1: main (ftgrid.c:1818)
  ==1793660==

  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff4087010) at ./malloc/malloc.c:3368
  3368    ./malloc/malloc.c: No such file or directory.
  (gdb) bt
  #0  0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff4087010) at ./malloc/malloc.c:3368
  #1  0x00007ffff7ebeec4 in ft_mem_free (P=<optimized out>, memory=<optimized out>) at ./src/base/ftutil.c:173
  #2  FT_Bitmap_Done (library=<optimized out>, bitmap=0x5555555a25e0) at ./src/base/ftbitmap.c:1169
  #3  0x00007ffff7ec1948 in FT_Done_Glyph (glyph=0x5555555a25b0) at ./src/base/ftglyph.c:650
  #4  0x000055555555b1a1 in grid_status_draw_outline (st=0x5555555703e0 <status>, display=<optimized out>, handle=<optimized out>) at ./ft2demos/src/ftgrid.c:589
  #5  main (argc=<optimized out>, argv=<optimized out>) at ./ft2demos/src/ftgrid.c:1818

  $ apt-cache policy libfreetype6
  libfreetype6:
    Installed: 2.11.1+dfsg-1ubuntu0.2
    Candidate: 2.11.1+dfsg-1ubuntu0.2
    Version table:
   *** 2.11.1+dfsg-1ubuntu0.2 500
          500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
          100 /var/lib/dpkg/status
       2.11.1+dfsg-1build1 500
          500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  Description:    Ubuntu 22.04.3 LTS
  Release:        22.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetype/+bug/2059852/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
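The comment above argues that `pitch * scale`, `bit->rows * scale` and the `malloc` argument in `bitmap_scale()` are all signed `int` products that can overflow, so the `0xFFFF` guard can be satisfied by a product that has already wrapped. The C below is an added example, not code from the comment, from FreeType or from ft2demos. It models what a two's-complement wrap would do to that guard and to the allocation size for one constructed set of dimensions (pitch 131071, one row, scale 32768), and beside it shows a hardened size computation that validates sign and range first and does every product in `uint64_t`. The function names (`wrap_i32`, `naive_guard_passes`, `naive_alloc_size`, `checked_bitmap_size`), the limit macro and the sample dimensions are assumptions made here; the hardened check is also deliberately stricter than the quoted code in that it rejects a zero pitch and non-positive rows or scale.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound on the scaled pitch and the scaled row count, taken from the
   guard in the bitmap_scale() excerpt quoted in the comment. */
#define SCALED_DIM_LIMIT 0xFFFF

/* Reduce a 64-bit product to what a two's-complement int would hold after
   wrap-around. Written with unsigned arithmetic so this model itself has no
   undefined behaviour; the real program's signed overflow is UB, and a
   compiler is free to drop the guard instead of wrapping. */
static int32_t wrap_i32(int64_t v)
{
    uint32_t u = (uint32_t)v;  /* conversion to unsigned is mod 2^32, well defined */
    return u < 0x80000000u ? (int32_t)u : (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Model of the quoted guard under wrap-around:
   pitch * scale <= 0xFFFF && rows * scale <= 0xFFFF, each product as int. */
static bool naive_guard_passes(int pitch, int rows, int scale)
{
    int32_t ps = wrap_i32((int64_t)pitch * scale);
    int32_t rs = wrap_i32((int64_t)rows * scale);
    return ps <= SCALED_DIM_LIMIT && rs <= SCALED_DIM_LIMIT;
}

/* Model of the quoted malloc argument under wrap-around, evaluated left to
   right as C does: ((pitch * rows) * scale) * scale. */
static int32_t naive_alloc_size(int pitch, int rows, int scale)
{
    int32_t t = wrap_i32((int64_t)pitch * rows);
    t = wrap_i32((int64_t)t * scale);
    return wrap_i32((int64_t)t * scale);
}

/* Hardened replacement (hypothetical, not ft2demos code): reject bad signs
   first, do every product in uint64_t, and enforce the limits on the true
   scaled dimensions. Returns the byte count, or 0 if the request is rejected
   (a valid bitmap never needs 0 bytes here, because zero and negative
   dimensions are rejected up front). */
static size_t checked_bitmap_size(int pitch, int rows, int scale)
{
    if (rows <= 0 || scale <= 0 || pitch == 0)
        return 0;
    /* |pitch| computed in 64 bits so that INT_MIN cannot be negated as int. */
    uint64_t abs_pitch    = pitch > 0 ? (uint64_t)pitch : (uint64_t)(-(int64_t)pitch);
    uint64_t scaled_pitch = abs_pitch * (uint64_t)scale;        /* < 2^62, no wrap */
    uint64_t scaled_rows  = (uint64_t)rows * (uint64_t)scale;   /* < 2^62, no wrap */
    if (scaled_pitch > SCALED_DIM_LIMIT || scaled_rows > SCALED_DIM_LIMIT)
        return 0;
    /* Both factors are <= 0xFFFF, so the product is below 2^32 and fits size_t. */
    return (size_t)(scaled_pitch * scaled_rows);
}

int main(void)
{
    /* Constructed dimensions: pitch * scale = 131071 * 32768 = 2^32 - 32768,
       which wraps to -32768 and therefore satisfies "<= 0xFFFF". */
    int pitch = 131071, rows = 1, scale = 32768;

    printf("wrapped guard passes:    %s\n", naive_guard_passes(pitch, rows, scale) ? "yes" : "no");
    printf("wrapped malloc argument: %d\n", (int)naive_alloc_size(pitch, rows, scale));
    printf("checked size:            %zu (0 = rejected)\n", checked_bitmap_size(pitch, rows, scale));

    /* An ordinary bitmap (negative pitch, as FreeType uses for bottom-up rows)
       is still accepted and sized the same way the original expression would. */
    printf("checked size, 20x10 at scale 4: %zu\n", checked_bitmap_size(-20, 10, 4));
    return 0;
}
```

For the constructed dimensions the wrap model reports that the original guard passes and that the `malloc` argument comes out as -1073741824, the same "fishy (possibly negative) value" pattern Valgrind flagged in the bug description, while the checked version rejects the request because the true scaled pitch is far above the limit. Built with -fsanitize=undefined, as the comment recommends for the demo itself, this model stays silent because it never multiplies in a type too narrow for the result; that is the property a fix to the real guard needs to have.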