Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3743 to the following vulnerability: Off-by-one error in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3743 [2] http://www.kb.cert.org/vuls/id/JALR-87YGN8 [3] http://www.kb.cert.org/vuls/id/644319 Upstream bug report: [4] http://bugs.ghostscript.com/show_bug.cgi?id=691044 Upstream changeset: [5] http://code.google.com/p/ghostscript/source/detail?r=10602
(In reply to comment #0) > Off-by-one error in the TrueType bytecode interpreter in Ghostscript While this may possibly allow off-by-one over-read, the more important issue is an integer underflow leading to memory corruption. Upstream patch fixes Ins_MINDEX() to skip standard processing when 0 is passed as an argument (L) to the function. Skipped code is: K = CUR.stack[CUR.args - L]; memmove( (&CUR.stack[CUR.args - L ]), (&CUR.stack[CUR.args - L + 1]), (L - 1) * sizeof ( Long ) ); CUR.stack[ CUR.args-1 ] = K; When L==0, memmove() is called with the third argument being (-1)*sizeof(long), which is close to SIZE_MAX or address space limit of the architecture. Hence program will try to move all its memory, which leads to crash before that memmove() call finishes. Memory corruption is under very limited control of an attacker, making it more difficult to reliably exploit for code execution.
Toucan System advisory: [1] http://www.toucan-system.com/advisories/tssa-2010-01.txt
Created ghostscript tracking bugs for this issue Affects: fedora-all [bug 755929]
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:0095 https://rhn.redhat.com/errata/RHSA-2012-0095.html