Bug 1574844
| Field | Value |
|---|---|
| Summary | Heap Buffer Overflow in ft_font_face_hash of gxps-fonts.c |
| Product | Red Hat Enterprise Linux 7 |
| Component | libgxps |
| Version | 7.5 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | rc |
| Reporter | chenyuan <bugzilla> |
| Assignee | Marek Kašík <mkasik> |
| CC | carnil, jkoten, tpelka |
| Fixed In Version | libgxps-0.3.0-2.el7 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2018-10-30 10:26:16 UTC |
Has this issue been reported upstream?

FTR, this issue was assigned CVE-2018-10733.

I contacted Carlos Garcia Campos, and he replies: I've just fixed it, see:
https://git.gnome.org/browse/libgxps/commit/?id=b458226e162fe1ffe7acb4230c114a52ada5131b
https://git.gnome.org/browse/libgxps/commit/?id=133fe2a96e020d4ca65c6f64fb28a404050ebbfd
Now it fails instead of crashing. Thank you also for this report.

The patches fix the crash for me. I'm giving this devel_ack+.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:3140
Created attachment 1431033: POC

Description of problem:
Heap Buffer Overflow in ft_font_face_hash of gxps-fonts.c

Version-Release number of selected component (if applicable):
<= 0.3.0

How reproducible:

```
$ ./xpstojpeg POC.xps /dev/null
```

ASAN output information:

```
=================================================================
==27116==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff8d7f45fc4 at pc 0x5565d0bf1b6c bp 0x7fffc5647710 sp 0x7fffc5647700
READ of size 1 at 0x7ff8d7f45fc4 thread T0
    #0 0x5565d0bf1b6b in ft_font_face_hash /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:88
    #1 0x7ff8e2820883 in g_hash_table_lookup (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a883)
    #2 0x5565d0bf2994 in gxps_fonts_new_font_face /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:243
    #3 0x5565d0bf2d8c in gxps_fonts_get_font /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:298
    #4 0x5565d0bcfd89 in render_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:841
    #5 0x5565d0bcb001 in canvas_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:363
    #6 0x7ff8e28357d1 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #7 0x7ff8e2836721 in g_markup_parse_context_parse (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x50721)
    #8 0x5565d0bd7dcb in gxps_parse_stream /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-parse-utils.c:184
    #9 0x5565d0bd11a6 in gxps_page_parse_for_rendering /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:992
    #10 0x5565d0bd63f1 in gxps_page_render /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:1694
    #11 0x5565d0bbf225 in gxps_converter_run /home/v-fuzz/libgxps-0.2.5/tools/gxps-converter.c:322
    #12 0x5565d0bbb192 in main /home/v-fuzz/libgxps-0.2.5/tools/gxps-converter-main.c:42
    #13 0x7ff8e0f24b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x5565d0bbb029 in _start (/home/v-fuzz/libgxps-0.2.5/tools/xpstopng+0x14029)

0x7ff8d7f45fc4 is located 0 bytes to the right of 186308-byte region [0x7ff8d7f18800,0x7ff8d7f45fc4)
allocated by thread T0 here:
    #0 0x7ff8e3480b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7ff8e2837858 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51858)
    #2 0x5565d0bf288a in gxps_fonts_new_font_face /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:227
    #3 0x5565d0bf2d8c in gxps_fonts_get_font /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:298
    #4 0x5565d0bcfd89 in render_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:841
    #5 0x5565d0bcb001 in canvas_end_element /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-page.c:363
    #6 0x7ff8e28357d1 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #7 0x61d0000139bf (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/v-fuzz/libgxps-0.2.5/libgxps/gxps-fonts.c:88 in ft_font_face_hash
Shadow bytes around the buggy address:
  0x0fff9afe0ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff9afe0bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff9afe0bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff9afe0bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff9afe0be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff9afe0bf0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
  0x0fff9afe0c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff9afe0c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff9afe0c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff9afe0c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff9afe0c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27116==ABORTING
```

This vulnerability was triggered in ft_font_face_hash() at libgxps/gxps-fonts.c:88:

```c
79 static guint
80 ft_font_face_hash (gconstpointer v)
81 {
82 	FtFontFace *ft_face = (FtFontFace *)v;
83 	guchar     *bytes = ft_face->font_data;
84 	gssize      len = ft_face->font_data_len;
85 	guint       hash = 5381;
86
87 	while (len--) {
88 		guchar c = *bytes++;
89
90 		hash *= 33;
91 		hash ^= c;
92 	}
93
94 	return hash;
95 }
```

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability is detected by NESA Lab (nesa.zju.edu.cn), with our custom fuzzer v-fuzz. Please contact liyuwei23 and chenyuan.cn if you need more info about the team, the tool or the vulnerability.
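The loop at lines 87-92 reads exactly font_data_len bytes and knows nothing about the size of the block behind font_data, so a caller that supplies a length larger than the allocation (or a negative one, which `while (len--)` never brings back to zero) turns the hash into an out-of-bounds read, which is what the ASan report above shows at line 88. As an added illustration, not libgxps code and not the upstream patches, here is that loop beside a length-checked wrapper that fails rather than reads past the buffer; the FtFontFace layout, the extra alloc_len field (the real struct on this page carries no allocation size), the helper names and the 4-byte sample buffer are all constructed for this example.

```c
/* Added example, not libgxps code: the page's hash loop beside a length-checked
 * wrapper. Struct layout, alloc_len, helper names and sample data are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>   /* ssize_t, standing in for gssize */

typedef struct {
    const unsigned char *font_data;
    ssize_t              font_data_len;  /* what the caller claims */
    size_t               alloc_len;      /* constructed: bytes really allocated */
} FtFontFace;

/* Same DJB-style loop as gxps-fonts.c:87-92. It reads exactly
 * font_data_len bytes: a count above alloc_len walks off the heap
 * block, and a negative count never reaches zero in "while (len--)". */
static unsigned int hash_unchecked(const FtFontFace *f)
{
    const unsigned char *bytes = f->font_data;
    ssize_t len = f->font_data_len;
    unsigned int hash = 5381;
    while (len--) {
        hash *= 33;
        hash ^= *bytes++;
    }
    return hash;
}

/* Hardened form: refuse any length the allocation cannot back, so a corrupt
 * font entry makes the lookup fail instead of reading out of bounds. */
static bool hash_checked(const FtFontFace *f, unsigned int *out)
{
    if (f->font_data == NULL || f->font_data_len < 0 ||
        (size_t)f->font_data_len > f->alloc_len)
        return false;
    *out = hash_unchecked(f);   /* safe: len is within alloc_len */
    return true;
}

/* Harness over a constructed 4-byte buffer ("abc" plus NUL) standing in for
 * font data; len is whatever a (possibly wrong) caller would pass.
 * Returns the hash, or -1 when the checked form rejects the length. */
static long long try_hash(ssize_t len)
{
    static const unsigned char sample[4] = "abc";
    FtFontFace f = { sample, len, sizeof sample };
    unsigned int h;
    return hash_checked(&f, &h) ? (long long)h : -1;
}
```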