Bug 1574844

Summary: Heap Buffer Overflow in ft_font_face_hash of gxps-fonts.c
Product: Red Hat Enterprise Linux 7 Reporter: chenyuan <bugzilla>
Component: libgxpsAssignee: Marek Kašík <mkasik>
Status: CLOSED ERRATA QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5CC: carnil, jkoten, tpelka
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libgxps-0.3.0-2.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:26:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
POC none

Description chenyuan 2018-05-04 07:14:07 UTC 
Created attachment 1431033 [details]
POC

Description of problem:

Heap Buffer Overflow in ft_font_face_hash of gxps-fonts.c

Version-Release number of selected component (if applicable):

<= 0.3.0

How reproducible:

$ ./xpstojpeg  POC.xps  /dev/null 

ASAN output information:
=================================================================
==27116==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff8d7f45fc4 at pc 0x5565d0bf1b6c bp 0x7fffc5647710 sp 0x7fffc5647700
READ of size 1 at 0x7ff8d7f45fc4 thread T0
    #0 0x5565d0bf1b6b in ft_font_face_hash /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:88
    #1 0x7ff8e2820883 in g_hash_table_lookup (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a883)
    #2 0x5565d0bf2994 in gxps_fonts_new_font_face /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:243
    #3 0x5565d0bf2d8c in gxps_fonts_get_font /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:298
    #4 0x5565d0bcfd89 in render_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:841
    #5 0x5565d0bcb001 in canvas_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:363
    #6 0x7ff8e28357d1  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #7 0x7ff8e2836721 in g_markup_parse_context_parse (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x50721)
    #8 0x5565d0bd7dcb in gxps_parse_stream /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-parse-utils.c:184
    #9 0x5565d0bd11a6 in gxps_page_parse_for_rendering /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:992
    #10 0x5565d0bd63f1 in gxps_page_render /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:1694
    #11 0x5565d0bbf225 in gxps_converter_run /home/v-fuzz/libgxps-0.2.5/tools/gxps-converter.c:322
    #12 0x5565d0bbb192 in main /home/v-fuzz/libgxps-0.2.5/tools/gxps-converter-main.c:42
    #13 0x7ff8e0f24b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x5565d0bbb029 in _start (/home/v-fuzz/libgxps-0.2.5/tools/xpstopng+0x14029)

0x7ff8d7f45fc4 is located 0 bytes to the right of 186308-byte region [0x7ff8d7f18800,0x7ff8d7f45fc4)
allocated by thread T0 here:
    #0 0x7ff8e3480b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7ff8e2837858 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51858)
    #2 0x5565d0bf288a in gxps_fonts_new_font_face /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:227
    #3 0x5565d0bf2d8c in gxps_fonts_get_font /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:298
    #4 0x5565d0bcfd89 in render_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:841
    #5 0x5565d0bcb001 in canvas_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:363
    #6 0x7ff8e28357d1  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #7 0x61d0000139bf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:88 in ft_font_face_hash
Shadow bytes around the buggy address:
  0x0fff9afe0ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff9afe0bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff9afe0bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff9afe0bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff9afe0be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff9afe0bf0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
  0x0fff9afe0c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff9afe0c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff9afe0c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff9afe0c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff9afe0c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27116==ABORTING

This vulnerability was triggered in ft_font_face_hash() at libgxps/gxps-fonts.c:88

79 static guint
80 ft_font_face_hash (gconstpointer v)
81 {
82 	FtFontFace *ft_face = (FtFontFace *)v;
83 	guchar     *bytes = ft_face->font_data;
84 	gssize      len = ft_face->font_data_len;
85 	guint       hash = 5381;
86 
87 	while (len--) {
88 		guchar c = *bytes++;
89 
90 		hash *= 33;
91 		hash ^= c;
92 	}
93 
94 	return hash;
95 }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by NESA Lab(nesa.zju.edu.cn), with our custom fuzzer v-fuzz. Please contact  liyuwei23  and chenyuan.cn if you need more info about the team, the tool or the vulnerability.
Comment 2 Salvatore Bonaccorso 2018-05-05 06:28:27 UTC 
Has this issue been reported upstream?
Comment 3 Salvatore Bonaccorso 2018-05-05 06:29:00 UTC 
FTR, this issue was assigned CVE-2018-10733.
Comment 4 chenyuan 2018-05-06 08:54:26 UTC 
I contacted Carlos Garcia Campos, and he replies:

I've just fixed it, see:
 
https://git.gnome.org/browse/libgxps/commit/?id=b458226e162fe1ffe7acb4230c114a52ada5131b

https://git.gnome.org/browse/libgxps/commit/?id=133fe2a96e020d4ca65c6f64fb28a404050ebbfd
 
Now it fails instead of crashing.
Comment 5 Marek Kašík 2018-05-07 16:01:14 UTC 
Thank you also for this report. The patches fixes the crash for me. I'm giving this devel_ack+.
Comment 9 errata-xmlrpc 2018-10-30 10:26:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3140