There is a heap buffer overflow in texlive-bin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
texlive-bin (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can be installed by apt-get texlive-binaries. I compiled the latest texlive-source by cloning https:/
The overflow content and size are controlled by input. Exploiting this issue can achieve arbitrary code execution.
The steps for reproducing the vulnerability on Ubuntu:
(1) sudo apt-get install texlive-binaries
(2) ttfdump -i poc.ttf
The poc.ttf can be viewed in the attachment. ttfdump aborted with the prompt "malloc(): corrupted top size" due to memory corruption.
The issue exists in function ttfLoadHDMX:
/*** function ttfLoadHDMX begin ***/
static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset)
{
    int i;
    xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");
    hdmx->version = ttfGetUSHORT(fp);
    hdmx-
    hdmx->size = ttfGetLONG(fp);
    hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);
    for (i=0;i<
    {
        hdmx-
        hdmx-
        hdmx-
        fread ((hdmx-
    }
}
/*** function ttfLoadHDMX end ***/
At (1) in the code above, a heap buffer is allocated for Width according to the parsed hdmx width. At (2), the Width content is copied from the file, with the copy size decided by the controlled hdmx->numGlyphs. In the poc, hdmx->size equals 1216 and hdmx->numGlyphs+1 is 4155, which causes a heap buffer overflow.
/*** debug info ***/
(gdb) p hdmx->numGlyphs+1
$23 = 4155
(gdb) p hdmx->size
$24 = 1216
/*** debug info end ***/
From: Dongzhuo zhao working with ADLab of Venustech
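The defect the report describes is a length mismatch: the buffer is sized from one parsed field (hdmx->size) while the fread length comes from another (hdmx->numGlyphs+1), and nothing checks that the two agree. The following is an added example, not ttfdump's code and not part of the report, showing how a loader for the same table shape can cross-check both lengths before allocating or copying. It assumes the hdmx layout from the OpenType specification (uint16 version, int16 numRecords, int32 sizeDeviceRecord, then fixed-size device records of pixelSize, maxWidth and numGlyphs width bytes); the function names, error codes and sample bytes are constructed for the example.

```c
/* Added example, not ttfdump's code: a bounds-checked 'hdmx' loader that
 * parses from an in-memory buffer.  Layout assumed from the OpenType spec:
 * uint16 version, int16 numRecords, int32 sizeDeviceRecord, then numRecords
 * device records of {uint8 pixelSize, uint8 maxWidth, uint8 widths[numGlyphs]},
 * each padded to sizeDeviceRecord bytes.  numGlyphs comes from a different
 * table (maxp), so the two lengths are independent attacker-controlled inputs
 * and must be cross-checked before anything is allocated or copied. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint8_t pixelSize, maxWidth; uint8_t *widths; } DeviceRec;
typedef struct {
    uint16_t version; int16_t numRecords; int32_t sizeDeviceRecord; DeviceRec *records;
} HdmxTable;

enum { HDMX_OK = 0, HDMX_ERR_SHORT = -1, HDMX_ERR_SIZE_MISMATCH = -2,
       HDMX_ERR_TRUNCATED = -3, HDMX_ERR_ALLOC = -4 };

static uint16_t get_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

void hdmx_free(HdmxTable *t)
{
    for (int i = 0; t->records && i < t->numRecords; i++) free(t->records[i].widths);
    free(t->records);
    t->records = NULL;
}

/* Parse table_len bytes at buf; numGlyphs is the maxp value.  On success
 * returns HDMX_OK and fills *out; on any inconsistency returns a negative
 * code without leaving allocations behind. */
int hdmx_load_checked(const uint8_t *buf, size_t table_len, uint32_t numGlyphs, HdmxTable *out)
{
    if (table_len < 8) return HDMX_ERR_SHORT;
    int16_t numRecords = (int16_t)get_u16(buf + 2);
    int32_t sizeDeviceRecord = (int32_t)get_u32(buf + 4);
    if (numRecords < 0 || sizeDeviceRecord < 2) return HDMX_ERR_SIZE_MISMATCH;
    /* The check the reported code lacks: every record must have room for
     * pixelSize, maxWidth and numGlyphs width bytes. */
    if ((uint64_t)numGlyphs + 2 > (uint64_t)sizeDeviceRecord) return HDMX_ERR_SIZE_MISMATCH;
    /* And the whole record array must lie inside the table we were given. */
    if ((uint64_t)numRecords * (uint64_t)sizeDeviceRecord > table_len - 8) return HDMX_ERR_TRUNCATED;

    DeviceRec *recs = calloc((size_t)numRecords, sizeof *recs);
    if (!recs && numRecords > 0) return HDMX_ERR_ALLOC;
    HdmxTable t = { get_u16(buf), numRecords, sizeDeviceRecord, recs };
    for (int i = 0; i < numRecords; i++) {
        const uint8_t *rec = buf + 8 + (size_t)i * (size_t)sizeDeviceRecord;
        recs[i].pixelSize = rec[0];
        recs[i].maxWidth = rec[1];
        recs[i].widths = malloc(numGlyphs ? numGlyphs : 1);
        if (!recs[i].widths) { hdmx_free(&t); return HDMX_ERR_ALLOC; }
        /* Allocation size and copy length are the same value, so the copy
         * cannot outrun the buffer. */
        memcpy(recs[i].widths, rec + 2, numGlyphs);
    }
    *out = t;
    return HDMX_OK;
}

/* Constructed sample table: one record, sizeDeviceRecord 8, five glyph widths. */
static const uint8_t SAMPLE_HDMX[] = {
    0x00, 0x00,             /* version 0 */
    0x00, 0x01,             /* numRecords 1 */
    0x00, 0x00, 0x00, 0x08, /* sizeDeviceRecord 8 */
    12, 16,                 /* pixelSize, maxWidth */
    10, 11, 12, 13, 14, 0   /* widths[5] + 1 byte of padding */
};

/* Well-formed input: returns the sum of the widths (10+11+12+13+14 = 60). */
int demo_sum_widths(void)
{
    HdmxTable t; int sum = 0;
    if (hdmx_load_checked(SAMPLE_HDMX, sizeof SAMPLE_HDMX, 5, &t) != HDMX_OK) return -1;
    for (int g = 0; g < 5; g++) sum += t.records[0].widths[g];
    hdmx_free(&t);
    return sum;
}

/* Same bytes, but a maxp glyph count far larger than the record size allows:
 * the shape of the report (size 1216 vs. 4155 bytes to copy).  Rejected
 * before any allocation instead of overflowing the heap. */
int demo_glyph_count_mismatch(void)
{
    HdmxTable t;
    return hdmx_load_checked(SAMPLE_HDMX, sizeof SAMPLE_HDMX, 4154, &t);
}

/* Header claims two records but only one is present in the table. */
int demo_truncated_table(void)
{
    uint8_t buf[sizeof SAMPLE_HDMX]; HdmxTable t;
    memcpy(buf, SAMPLE_HDMX, sizeof buf);
    buf[3] = 0x02;
    return hdmx_load_checked(buf, sizeof buf, 5, &t);
}

int main(void)
{
    printf("sum=%d mismatch=%d truncated=%d\n", demo_sum_widths(),
           demo_glyph_count_mismatch(), demo_truncated_table());
    return 0;
}
```

The two rejections are the ones that matter for this class of bug: the per-record check ties the glyph count to the record size the font itself declares, and the array check ties the record count to the bytes actually present, so a fuzzed font can no longer make the copy length and the allocation size disagree. When reviewing a fix for the reported function, look for the equivalent comparison between the value used in XCALLOC and the value passed to fread.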
information type: Private Security → Public Security
Thanks for reporting this issue. Have you notified the texlive developer so that they can work on a fix? If not, please file a bug with them. Once they have developed a fix, we can include it in Ubuntu. Thanks!