Menu

#41 ZDI-CAN-28563: New Vulnerability Report

Unstable (example)
open
nobody
None
5
2025-12-12
2025-12-12
Zero Day Initiative
No

ZDI-CAN-28563: FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability

-- CVSS -----------------------------------------

8.8: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
FontForge - FontForge

-- VULNERABILITY DETAILS ------------------------
* Version tested:aca4f524c6cb14cdc7bc4cd493492a33f5154797
* Platform tested:ubuntu 24.04

Analysis

array index OOB access vulnerability exists within the FontForge's SFD_GetFontMetaData() function.
The corruption will be triggered when victim open the malicious sfd file with the fontforge application.

bool SFD_GetFontMetaData( FILE *sfd,
                          char *tok,
                          SplineFont *sf,
                          SFD_GetFontMetaDataData* d )
{
...
        kc->firsts = calloc(kc->first_cnt,sizeof(char *));                              // buffer
        kc->seconds = calloc(kc->second_cnt,sizeof(char *));
        kc->offsets = calloc(kc->first_cnt*kc->second_cnt,sizeof(int16_t));
        kc->adjusts = calloc(kc->first_cnt*kc->second_cnt,sizeof(DeviceTable));
        if (kernclassversion >= 3) {
          kc->firsts_flags = calloc(kc->first_cnt, sizeof(int));
          kc->seconds_flags = calloc(kc->second_cnt, sizeof(int));
          kc->offsets_flags = calloc(kc->first_cnt*kc->second_cnt, sizeof(int));
          kc->firsts_names = calloc(kc->first_cnt, sizeof(char*));
          kc->seconds_names = calloc(kc->second_cnt, sizeof(char*));
        }
        for ( i=classstart; i<kc->first_cnt; ++i ) {
          if (kernclassversion < 3) {
            getint(sfd,&temp);                                                          // input
            kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';                 // array index OOB write
            nlgetc(sfd);        /* skip space */
            fread(kc->firsts[i],1,temp,sfd);
          } else {
            getint(sfd,&kc->firsts_flags[i]);
            while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\n' || ch == EOF) continue;
            kc->firsts_names[i] = SFDReadUTF7Str(sfd);
            while ((ch=nlgetc(sfd)) == ' '); ungetc(ch, sfd); if (ch == '\n' || ch == EOF) continue;
            kc->firsts[i] = SFDReadUTF7Str(sfd);
            if (kc->firsts[i] == NULL) kc->firsts[i] = copy(""); // In certain places, this must be defined.
            while ((ch=nlgetc(sfd)) == ' ' || ch == '\n'); ungetc(ch, sfd);
          }
        }
...

ASAN report

=================================================================
==13734==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50200012a8cf at pc 0x725819ad049d bp 0x7ffe89c724b0 sp 0x7ffe89c724a0
WRITE of size 1 at 0x50200012a8cf thread T0
    #0 0x725819ad049c in SFD_GetFontMetaData /home/wmliang/fontforge/fontforge/sfd.c:8268
    #1 0x725819ad4234 in SFD_GetFont /home/wmliang/fontforge/fontforge/sfd.c:8497
    #2 0x725819ada408 in SFD_Read /home/wmliang/fontforge/fontforge/sfd.c:9078
    #3 0x725819b2d525 in _ReadSplineFont /home/wmliang/fontforge/fontforge/splinefont.c:1226
    #4 0x725819b2ddf0 in LoadSplineFont /home/wmliang/fontforge/fontforge/splinefont.c:1420
    #5 0x72581978756f in ViewPostScriptFont /home/wmliang/fontforge/fontforge/fontviewbase.c:1386
    #6 0x5daf4be81c9f in fontforge_main /home/wmliang/fontforge/fontforgeexe/startui.c:992
    #7 0x725816c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x725816c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x5daf4b9d3054 in _start (/home/wmliang/fontforge/build/bin/fontforge+0x180054) (BuildId: 45c09de68bbe576c3dd1339975fca7d8df397ad1)

0x50200012a8cf is located 1 bytes before 1-byte region [0x50200012a8d0,0x50200012a8d1)
allocated by thread T0 here:
    #0 0x72581a4fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x725819ad0259 in SFD_GetFontMetaData /home/wmliang/fontforge/fontforge/sfd.c:8268

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wmliang/fontforge/fontforge/sfd.c:8268 in SFD_GetFontMetaData
Shadow bytes around the buggy address:
  0x50200012a600: fa fa 05 fa fa fa 00 02 fa fa 00 02 fa fa 07 fa
  0x50200012a680: fa fa 02 fa fa fa 02 fa fa fa 01 fa fa fa 04 fa
  0x50200012a700: fa fa 02 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
  0x50200012a780: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
  0x50200012a800: fa fa 01 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
=>0x50200012a880: fa fa 02 fa fa fa 01 fa fa[fa]01 fa fa fa fa fa
  0x50200012a900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50200012a980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50200012aa00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50200012aa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50200012ab00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13734==ABORTING

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Anonymous working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

1 Attachments
ZDI-CAN-28563.zip

Discussion

Log in to post a comment.