[Desktop-packages] [Bug 2047912] Re: There is a heap buffer overflow in texlive-bin

Wed, 07 Feb 2024 00:17:03 -0800 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to texlive-bin in Ubuntu.
https://bugs.launchpad.net/bugs/2047912

Title:
  There is a heap buffer overflow in texlive-bin

Status in texlive-bin package in Ubuntu:
  New

Bug description:
  Hello,
    I found a heap-buffer overflow in function ttfLoadHDMX; ttfdump can install 
by apt-get texlive-binaries. I compile lastest texlive-source by clone 
https://github.com/TeX-Live/texlive-source/ on unbuntu for debugging.
    The overflow content and size are controlled by input. Exploiting  this 
issue can achive any code excuted

    The steps for reproducing the vul on unbuntu:
    (1) sudo apt-get iunstall texlive-binaries 
    (2) ttfdump -i poc.ttf 

  
  The poc.ttf can view the attachment .ttfdump aborted and prompt "malloc(): 
corrupted top size" due memory corrupt.

    The issue exist in function ttfLoadHDMX :

  /***    function ttfLoadHDMX begin   ***/

  static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset)
  {
      int i;

      xfseek(fp, offset, SEEK_SET, "ttfLoadHDMX");
      
      hdmx->version = ttfGetUSHORT(fp);
      hdmx->numDevices = ttfGetUSHORT(fp);
      hdmx->size = ttfGetLONG(fp);

      hdmx->Records = XCALLOC (hdmx->numDevices, DeviceRecord);
      
      for (i=0;i<hdmx->numDevices;i++)
        {
            hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
            hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
            hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);  (1)
            fread ((hdmx->Records+i)->Width, sizeof(BYTE), 
hdmx->numGlyphs+1,fp); (2)
        }
  }

  
  /***    function ttfLoadHDMX end   ***/

  
    At above code (1) ,allocte heap buffer for Width according to the parsed 
hdmx width. And at above code (2) , copy Width content from file and copy size 
decided by controlled hdmx->numGlyphs. In the poc , hdmx->size eaqual to 1216 
and hdmx->numGlyphs+1 is 4155,which get heap buffer overflow.

  /*** debug info ***/
  (gdb) p hdmx->numGlyphs+1
  $23 = 4155
  (gdb) p hdmx->size
  $24 = 1216
  /*** debug info end ***/

  
  From :

  Dongzhuo zhao working with ADLab of Venustech

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912/+subscriptions


-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to