Hi,
I found a heap use-after-free (an invalid WRITE of size 8) in SFDGetBitmapChar() in fontforge/sfd.c (sfd.c:6107) that causes fontforge (the latest commit, 1604c74) to crash when a crafted SFD file is opened. In the ASAN report below, the 2880-byte region was allocated and then freed inside AssignPointsToStems() (stemdb.c:4851 / stemdb.c:4872), reached from SFDGetChar() via SCGuessHintInstancesList() and StemInfoToStemData(); the same memory is later written to again while SFDGetBitmapFont() parses the bitmap font, i.e. a pointer into the freed block is still held after the hinting code releases it. Since this is a write to freed heap memory (not merely a read) triggered by an untrusted input file, the impact should be treated as potential memory corruption rather than just a denial of service until the dangling pointer is fixed.
Command: ./fontforge -lang=ff -c 'Open($1)' PoC   (PoC is the crafted SFD file; it is passed to the script as $1 and opened with Open())
ASAN says:
==12232==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00000b500 at pc 0x7fb77c416600 bp 0x7fff10a3fd50 sp 0x7fff10a3fd40
WRITE of size 8 at 0x61e00000b500 thread T0
#0 0x7fb77c4165ff in SFDGetBitmapChar /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:6107
#1 0x7fb77c42d4c2 in SFDGetBitmapFont /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:6247
#2 0x7fb77c444357 in SFD_GetFont /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:9005
#3 0x7fb77c44986b in SFD_Read /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:9088
#4 0x7fb77c496135 in _ReadSplineFont /home/dungnguyen/fuzz/fontforge/fontforge/splinefont.c:1179
#5 0x7fb77c496e70 in LoadSplineFont /home/dungnguyen/fuzz/fontforge/fontforge/splinefont.c:1380
#6 0x7fb77c3b21ff in bOpen /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:1909
#7 0x7fb77c3b83d2 in docall /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:9751
#8 0x7fb77c3b9009 in handlename /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:9864
#9 0x7fb77c3bc547 in term /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10102
#10 0x7fb77c3bcdad in mul /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10247
#11 0x7fb77c3bd264 in add /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10293
#12 0x7fb77c3bdadf in comp /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10368
#13 0x7fb77c3be0fa in _and /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10412
#14 0x7fb77c3be57e in _or /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10444
#15 0x7fb77c3be57e in assign /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10477
#16 0x7fb77c3b63ac in expr /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10555
#17 0x7fb77c3b63ac in ff_statement /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10768
#18 0x7fb77c3bf8b6 in ProcessNativeScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10915
#19 0x7fb77c3c0a72 in _CheckIsScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:11009
#20 0x7fb77c3c0a72 in CheckIsScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:11046
#21 0x78d6d2 in fontforge_main /home/dungnguyen/fuzz/fontforge/fontforgeexe/startui.c:1098
#22 0x7fb779fba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#23 0x423168 in _start (/home/dungnguyen/PoCs/fontforge_1604c74/fontforge_asan+0x423168)
0x61e00000b500 is located 128 bytes inside of 2880-byte region [0x61e00000b480,0x61e00000bfc0)
freed by thread T0 here:
#0 0x7fb77cfec32a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
#1 0x7fb77c5a7f6d in AssignPointsToStems /home/dungnguyen/fuzz/fontforge/fontforge/stemdb.c:4872
#2 0x7fb77c5ab353 in StemInfoToStemData /home/dungnguyen/fuzz/fontforge/fontforge/stemdb.c:4943
#3 0x7fb77c052907 in SCGuessHintInstancesList /home/dungnguyen/fuzz/fontforge/fontforge/autohint.c:1617
#4 0x7fb77c434d19 in SFDGetChar /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:6008
#5 0x7fb77c444d78 in SFD_GetFont /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:8995
#6 0x7fb77c44986b in SFD_Read /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:9088
#7 0x7fb77c496135 in _ReadSplineFont /home/dungnguyen/fuzz/fontforge/fontforge/splinefont.c:1179
#8 0x7fb77c496e70 in LoadSplineFont /home/dungnguyen/fuzz/fontforge/fontforge/splinefont.c:1380
#9 0x7fb77c3b21ff in bOpen /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:1909
#10 0x7fb77c3b83d2 in docall /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:9751
#11 0x7fb77c3b9009 in handlename /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:9864
#12 0x7fb77c3bc547 in term /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10102
#13 0x7fb77c3bcdad in mul /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10247
#14 0x7fb77c3bd264 in add /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10293
#15 0x7fb77c3bdadf in comp /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10368
#16 0x7fb77c3be0fa in _and /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10412
#17 0x7fb77c3be57e in _or /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10444
#18 0x7fb77c3be57e in assign /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10477
#19 0x7fb77c3b63ac in expr /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10555
#20 0x7fb77c3b63ac in ff_statement /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10768
#21 0x7fb77c3bf8b6 in ProcessNativeScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10915
#22 0x7fb77c3c0a72 in _CheckIsScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:11009
#23 0x7fb77c3c0a72 in CheckIsScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:11046
#24 0x78d6d2 in fontforge_main /home/dungnguyen/fuzz/fontforge/fontforgeexe/startui.c:1098
#25 0x7fb779fba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7fb77cfec662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
#1 0x7fb77c5a7c9a in AssignPointsToStems /home/dungnguyen/fuzz/fontforge/fontforge/stemdb.c:4851
#2 0x7fb77c5ab353 in StemInfoToStemData /home/dungnguyen/fuzz/fontforge/fontforge/stemdb.c:4943
#3 0x7fb77c052907 in SCGuessHintInstancesList /home/dungnguyen/fuzz/fontforge/fontforge/autohint.c:1617
#4 0x7fb77c434d19 in SFDGetChar /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:6008
#5 0x7fb77c444d78 in SFD_GetFont /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:8995
#6 0x7fb77c44986b in SFD_Read /home/dungnguyen/fuzz/fontforge/fontforge/sfd.c:9088
#7 0x7fb77c496135 in _ReadSplineFont /home/dungnguyen/fuzz/fontforge/fontforge/splinefont.c:1179
#8 0x7fb77c496e70 in LoadSplineFont /home/dungnguyen/fuzz/fontforge/fontforge/splinefont.c:1380
#9 0x7fb77c3b21ff in bOpen /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:1909
#10 0x7fb77c3b83d2 in docall /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:9751
#11 0x7fb77c3b9009 in handlename /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:9864
#12 0x7fb77c3bc547 in term /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10102
#13 0x7fb77c3bcdad in mul /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10247
#14 0x7fb77c3bd264 in add /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10293
#15 0x7fb77c3bdadf in comp /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10368
#16 0x7fb77c3be0fa in _and /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10412
#17 0x7fb77c3be57e in _or /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10444
#18 0x7fb77c3be57e in assign /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10477
#19 0x7fb77c3b63ac in expr /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10555
#20 0x7fb77c3b63ac in ff_statement /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10768
#21 0x7fb77c3bf8b6 in ProcessNativeScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:10915
#22 0x7fb77c3c0a72 in _CheckIsScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:11009
#23 0x7fb77c3c0a72 in CheckIsScript /home/dungnguyen/fuzz/fontforge/fontforge/scripting.c:11046
#24 0x78d6d2 in fontforge_main /home/dungnguyen/fuzz/fontforge/fontforgeexe/startui.c:1098
#25 0x7fb779fba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Best,
MD
Hi,
I found a Use After Free vulnerability (invalid write of size 8) in SFDGetBitmapChar() in fontforge/sfd.c, that causes fontforge (the latest commit 1604c74) to crash.
Command: ./fontforge -lang=ff -c 'Open($1)' PoC
ASAN says:
Best,
MD