Ubuntu
texlive-bin package

  1. Bug #2047912
  2. Comment #9

Comment 9 for bug 2047912

Revision history for this message
DongzhuoZhao (dongzhuo) wrote : Re: [Bug 2047912] Re: There is a heap buffer overflow in texlive-bin

Hello,I have reported this issue to TexLive and the maintenance team have
confirmed this issue and fixed it. they want me reuest CVE ID by myself.
And Iasrequest a CVE ID, but do not get answer for this moment. If you
could accelerate this requesting process, that would be great!

George-Andrei Iosif <email address hidden> 于2024年2月7日周三 16:29写道:

> I have marked this bug as public because the public domain already
> contains information about this TeX Live issue (as seen in the GitHub
> issue and upstream changelog).
>
> @dongzhuo, could you please contact the upstream (either in the existing
> PR or via their mailing list) to confirm that they (1) recognize this
> issue as a vulnerability impacting the security of their software (and
> not just a functional bug), and (2) do not have any other CVE ID
> assignment process already established? The latter is important because
> some projects prefer contacting MITRE for the assignment.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2047912
>
> Title:
> There is a heap buffer overflow in texlive-bin
>
> Status in texlive-bin package in Ubuntu:
> New
>
> Bug description:
> Hello,
> I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can
> install by apt-get texlive-binaries. I compile lastest texlive-source by
> clone https://github.com/TeX-Live/texlive-source/ on unbuntu for
> debugging.
> The overflow content and size are controlled by input. Exploiting
> this issue can achive any code excuted
>
> The steps for reproducing the vul on unbuntu:
> (1) sudo apt-get iunstall texlive-binaries
> (2) ttfdump -i poc.ttf
>
>
> The poc.ttf can view the attachment .ttfdump aborted and prompt
> "malloc(): corrupted top size" due memory corrupt.
>
> The issue exist in function ttfLoadHDMX :
>
> /*** function ttfLoadHDMX begin ***/
>
> static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset)
> {
> int i;
>
> xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");
>
> hdmx->version = ttfGetUSHORT(fp);
> hdmx->numDevices = ttfGetUSHORT(fp);
> hdmx->size = ttfGetLONG(fp);
>
> hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);
>
> for (i=0;i<hdmx->numDevices;i++)
> {
> hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
> hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
> hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE); (1)
> fread ((hdmx->Records+i)->Width, sizeof(BYTE),
> hdmx->numGlyphs+1,fp); (2)
> }
> }
>
>
> /*** function ttfLoadHDMX end ***/
>
>
> At above code (1) ,allocte heap buffer for Width according to the
> parsed hdmx width. And at above code (2) , copy Width content from file and
> copy size decided by controlled hdmx->numGlyphs. In the poc , hdmx->size
> eaqual to 1216 and hdmx->numGlyphs+1 is 4155,which get heap buffer overflow.
>
> /*** debug info ***/
> (gdb) p hdmx->numGlyphs+1
> $23 = 4155
> (gdb) p hdmx->size
> $24 = 1216
> /*** debug info end ***/
>
>
> From :
>
> Dongzhuo zhao working with ADLab of Venustech
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912/+subscriptions
>
>