Menu

#40 ZDI-CAN-28564: New Vulnerability Report

Unstable (example)
open
nobody
None
5
2025-12-12
2025-12-12
Zero Day Initiative
No

ZDI-CAN-28564: FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability

-- CVSS -----------------------------------------

8.8: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
FontForge - FontForge

-- VULNERABILITY DETAILS ------------------------
* Version tested:aca4f524c6cb14cdc7bc4cd493492a33f5154797
* Platform tested:ubuntu 24.04

Analysis

use-after-free vulnerability exists within the FontForge's PSTFree() function.
It leads to memory corruption on PST object.
The use-after-free will be triggered when victim open the malicious sfd file with the fontforge application.

void PSTFree(PST *pst) {
    PST *pnext;
    for ( ; pst!=NULL; pst = pnext ) {
        pnext = pst->next;                      // UAF here
        if ( pst->type==pst_lcaret )
            free(pst->u.lcaret.carets);
        else if ( pst->type==pst_pair ) {
            free(pst->u.pair.paired);
            ValDevFree(pst->u.pair.vr[0].adjust);
            ValDevFree(pst->u.pair.vr[1].adjust);
            chunkfree(pst->u.pair.vr,sizeof(struct vr [2]));
        } else if ( pst->type!=pst_position ) {
            free(pst->u.subs.variant);
        } else if ( pst->type==pst_position ) {
            ValDevFree(pst->u.pos.adjust);
        }
        chunkfree(pst,sizeof(PST));             // PST object is freed here
    }
}

ASAN report

=================================================================
==13653==ERROR: AddressSanitizer: heap-use-after-free on address 0x5060001c7850 at pc 0x71cde8bee06e bp 0x7ffc069ea8d0 sp 0x7ffc069ea8c0
READ of size 8 at 0x5060001c7850 thread T0
    #0 0x71cde8bee06d in PSTFree /home/wmliang/fontforge/fontforge/splineutil.c:5535
    #1 0x71cde8bf5f13 in SplineCharFreeContents /home/wmliang/fontforge/fontforge/splineutil.c:5991
    #2 0x71cde8bf6171 in SplineCharFree /home/wmliang/fontforge/fontforge/splineutil.c:6008
    #3 0x71cde8bf6171 in SplineCharFree /home/wmliang/fontforge/fontforge/splineutil.c:6004
    #4 0x71cde8abf997 in SFDGetChar /home/wmliang/fontforge/fontforge/sfd.c:5269
    #5 0x71cde8ad5559 in SFD_GetFont /home/wmliang/fontforge/fontforge/sfd.c:8983
    #6 0x71cde8ada408 in SFD_Read /home/wmliang/fontforge/fontforge/sfd.c:9078
    #7 0x71cde8b2d525 in _ReadSplineFont /home/wmliang/fontforge/fontforge/splinefont.c:1226
    #8 0x71cde8b2ddf0 in LoadSplineFont /home/wmliang/fontforge/fontforge/splinefont.c:1420
    #9 0x71cde878756f in ViewPostScriptFont /home/wmliang/fontforge/fontforge/fontviewbase.c:1386
    #10 0x5faa110a9c9f in fontforge_main /home/wmliang/fontforge/fontforgeexe/startui.c:992
    #11 0x71cde5c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x71cde5c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x5faa10bfb054 in _start (/home/wmliang/fontforge/build/bin/fontforge+0x180054) (BuildId: 45c09de68bbe576c3dd1339975fca7d8df397ad1)

0x5060001c7850 is located 16 bytes inside of 56-byte region [0x5060001c7840,0x5060001c7878)
freed by thread T0 here:
    #0 0x71cde94fc4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x71cde8bedef8 in PSTFree /home/wmliang/fontforge/fontforge/splineutil.c:5548

previously allocated by thread T0 here:
    #0 0x71cde94fd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x71cde8a95d66 in LigaCreateFromOldStyleMultiple /home/wmliang/fontforge/fontforge/sfd.c:4714

SUMMARY: AddressSanitizer: heap-use-after-free /home/wmliang/fontforge/fontforge/splineutil.c:5535 in PSTFree
Shadow bytes around the buggy address:
  0x5060001c7580: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x5060001c7600: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x5060001c7680: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
  0x5060001c7700: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x5060001c7780: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
=>0x5060001c7800: fd fd fd fa fa fa fa fa fd fd[fd]fd fd fd fd fa
  0x5060001c7880: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x5060001c7900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001c7980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001c7a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001c7a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13653==ABORTING

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Anonymous working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

1 Attachments
ZDI-CAN-28564.zip

Discussion

Log in to post a comment.