Comment 7 for bug 2047912

DongzhuoZhao (dongzhuo) wrote : Re: [Bug 2047912] Re: There is a heap buffer overflow in texlive-bin

Hello!
This hasn't been assigned a CVE number. Could you please apply for a CVE number
for this?
Thank you!

Eduardo Barretto <email address hidden> wrote on Fri, 2 Feb 2024 at 16:26:

> Thanks for sharing the links!
> Was this issue assigned a CVE?
>
> https://bugs.launchpad.net/bugs/2047912
>
> Title:
> There is a heap buffer overflow in texlive-bin
>
> Status in texlive-bin package in Ubuntu:
> New
>
> Bug description:
> Hello,
> I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can be
> installed with apt-get (texlive-binaries). I compiled the latest texlive-source
> by cloning https://github.com/TeX-Live/texlive-source/ on Ubuntu for
> debugging.
> The overflow content and size are controlled by input. Exploiting
> this issue can achieve arbitrary code execution.
>
> The steps for reproducing the vulnerability on Ubuntu:
> (1) sudo apt-get install texlive-binaries
> (2) ttfdump -i poc.ttf
>
>
> The poc.ttf can be viewed in the attachment. ttfdump aborted and printed
> "malloc(): corrupted top size" due to memory corruption.
>
> The issue exists in function ttfLoadHDMX:
>
> /*** function ttfLoadHDMX begin ***/
>
> static void ttfLoadHDMX (FILE *fp, HDMXPtr hdmx, ULONG offset)
> {
>     int i;
>
>     xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");
>
>     hdmx->version = ttfGetUSHORT(fp);
>     hdmx->numDevices = ttfGetUSHORT(fp);
>     hdmx->size = ttfGetLONG(fp);
>
>     hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);
>
>     for (i = 0; i < hdmx->numDevices; i++)
>     {
>         hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
>         hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
>         hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);                 /* (1) */
>         fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1, fp); /* (2) */
>     }
> }
>
> /*** function ttfLoadHDMX end ***/
>
>
> At (1) in the code above, a heap buffer for Width is allocated according to the
> parsed hdmx width. At (2), the Width content is copied from the file, with the
> copy size decided by the controlled hdmx->numGlyphs. In the poc, hdmx->size
> equals 1216 and hdmx->numGlyphs+1 is 4155, which causes a heap buffer overflow.
>
> /*** debug info ***/
> (gdb) p hdmx->numGlyphs+1
> $23 = 4155
> (gdb) p hdmx->size
> $24 = 1216
> /*** debug info end ***/
>
>
> From :
>
> Dongzhuo zhao working with ADLab of Venustech
>
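As an added example (not ttfdump's code and not the upstream fix), here is a hardened re-implementation of the load logic from the quoted report, reading from an in-memory buffer so it runs offline: it follows the field order ttfLoadHDMX reads (version, numDevices, size, then per-record PixelSize, MaxWidth, Width bytes), takes numGlyphs as a parameter, and refuses any input where the numGlyphs+1 width bytes would not fit the size-byte allocation. The names hdmx_load, hdmx_free, hdmx_try and the sample bytes are assumptions constructed for this example; the record stride of size bytes follows the TrueType hdmx layout rather than the report's code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { uint8_t PixelSize, MaxWidth; uint8_t *Width; } DeviceRecord;
typedef struct {
    uint16_t version, numDevices;
    int32_t size;          /* bytes per device record, taken from the file */
    DeviceRecord *Records;
} HDMX;
/* Bounded big-endian read of n bytes; returns 0 if the buffer is too short. */
static int take(const uint8_t *b, size_t len, size_t *pos, size_t n, uint32_t *v) {
    if (len - *pos < n) return 0;
    for (*v = 0; n--; ) *v = (*v << 8) | b[(*pos)++];
    return 1;
}
void hdmx_free(HDMX *h) {
    for (uint16_t i = 0; h->Records && i < h->numDevices; i++) free(h->Records[i].Width);
    free(h->Records); h->Records = NULL;
}
/* 0 on success, -1 on truncated input, -2 when numGlyphs+1 width bytes plus the
 * two leading record bytes would not fit the size-byte allocation (the report's bug). */
int hdmx_load(const uint8_t *b, size_t len, uint16_t numGlyphs, HDMX *h) {
    size_t pos = 0, nwidth = (size_t)numGlyphs + 1;
    uint32_t v, nd, sz;
    memset(h, 0, sizeof *h);
    if (!take(b, len, &pos, 2, &v)) return -1;  h->version = (uint16_t)v;
    if (!take(b, len, &pos, 2, &nd)) return -1; h->numDevices = (uint16_t)nd;
    if (!take(b, len, &pos, 4, &sz)) return -1; h->size = (int32_t)sz;
    /* The check the reported code lacks: bound the copy by the allocation. */
    if (h->size <= 0 || nwidth + 2 > (size_t)h->size) return -2;
    /* Records are size bytes apart on disk; make sure all nd of them are present. */
    if ((len - pos) / (size_t)h->size < nd) return -1;
    if (nd == 0) return 0;
    if (!(h->Records = calloc(nd, sizeof(DeviceRecord)))) return -1;
    for (uint32_t i = 0; i < nd; i++) {
        const uint8_t *rec = b + pos + (size_t)i * (size_t)h->size;
        h->Records[i].PixelSize = rec[0];
        h->Records[i].MaxWidth = rec[1];
        if (!(h->Records[i].Width = calloc((size_t)h->size, 1))) { hdmx_free(h); return -1; }
        memcpy(h->Records[i].Width, rec + 2, nwidth);  /* nwidth + 2 <= size: in bounds */
    }
    return 0;
}
/* Constructed sample: version 0, one 4-byte record: PixelSize 10, MaxWidth 5, widths 3,4. */
static const uint8_t SAMPLE_HDMX[] = { 0,0, 0,1, 0,0,0,4, 10,5, 3,4 };
/* Load with a given numGlyphs, release, and report the result code. */
int hdmx_try(const uint8_t *b, size_t len, uint16_t numGlyphs) {
    HDMX h; int rc = hdmx_load(b, len, numGlyphs, &h);
    hdmx_free(&h);
    return rc;
}
```

With numGlyphs = 1 the sample loads; with numGlyphs = 10 (the report's shape, a read larger than the allocation) it is rejected before any copy happens, and a header-only buffer is rejected as truncated.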