Pango

Heap corruption in font parsing with FreeType2 backend

Bug #696616 reported by Dan Rosenberg on 2011-01-02

258

This bug affects 1 person

	Status	Importance	Assigned to
Pango	Fix Released	Medium	gnome-bugs #639882
pango1.0 (Debian)	Fix Released	Unknown	debbugs #610792
pango1.0 (Ubuntu)	Fix Released	Medium	Martin Pitt
Maverick	Fix Released	Undecided	Unassigned
Natty	Fix Released	Medium	Martin Pitt

Bug Description

When used with FreeType2 as a backend, Pango is vulnerable to heap corruption when rendering malformed fonts. The vulnerability occurs in pango_ft2_font_render_box_glyph() in pango/pangoft2-render.c. A buffer is malloc'd with size box->bitmap.rows * box->bitmap.pitch. Subsequently, 0xff is written at offsets into this buffer without checking that these offsets fall within the buffer's boundaries, leading to heap corruption.

I tested this against Lucid (Pango 1.28.0) and upstream (Pango 1.28.3).

I've attached a fuzzed version of the FreeSerif TrueType font ("crash.ttf") that can be used to reproduce this corruption as follows, using the test-mixed.txt file included in the pango-view directory of the source tree (also attached):

# cp /usr/share/fonts/truetype/freefont/FreeSerif.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf.bak
# cp crash.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf
# pango-view --backend=ft2 --font=FreeSerif test-mixed.txt
*** glibc detected *** pango-view: malloc(): memory corruption: 0x000000000116cfa0 ***
======= Backtrace: =========
...

See original description

Related branches

lp://staging/debian/pango1.0

lp://staging/ubuntu/karmic-security/pango1.0

lp://staging/ubuntu/hardy-security/pango1.0

lp://staging/ubuntu/maverick-security/pango1.0

lp://staging/ubuntu/lucid-security/pango1.0

lp://staging/ubuntu/natty/pango1.0

lp://staging/debian/squeeze/ia32-libs-gtk

CVE References

Revision history for this message

Dan Rosenberg (dan-j-rosenberg) wrote on 2011-01-02:

Malformed font file causes heap corruption Edit (1.2 MiB, application/octet-stream)

Revision history for this message

Dan Rosenberg (dan-j-rosenberg) wrote on 2011-01-02:

Sample text file to trigger crash Edit (249 bytes, text/plain)

Marc Deslauriers (mdeslaur) on 2011-01-12

Changed in pango1.0 (Ubuntu):
assignee:	nobody → Kees Cook (kees)

Dan Rosenberg (dan-j-rosenberg) on 2011-01-18

description:	updated
visibility:	private → public

Kees Cook (kees) on 2011-01-18

Changed in pango1.0 (Ubuntu):
assignee:	Kees Cook (kees) → nobody
status:	New → Confirmed
importance:	Undecided → Low

Sebastien Bacher (seb128) on 2011-01-18

Changed in pango1.0 (Ubuntu):
status:	Confirmed → Triaged

Bug Watch Updater (bug-watch-updater) on 2011-01-21

Changed in pango:
importance:	Unknown → Medium
status:	Unknown → New

Bug Watch Updater (bug-watch-updater) on 2011-01-22

Changed in pango1.0 (Debian):
status:	Unknown → New

Bug Watch Updater (bug-watch-updater) on 2011-01-25

Changed in pango1.0 (Debian):
status:	New → Fix Released

Sebastien Bacher (seb128) on 2011-02-08

Changed in pango1.0 (Ubuntu):
status:	Triaged → Fix Committed

Bug Watch Updater (bug-watch-updater) on 2011-02-18

Changed in pango:
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-03-02:

This bug was fixed in the package pango1.0 - 1.28.2-0ubuntu1.1

---------------
pango1.0 (1.28.2-0ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    crafted font file (LP: #696616)
    - debian/patches/20_CVE-2011-0020.patch: check for overflow in
      pango/pangoft2-render.c.
    - CVE-2011-0020
  * SECURITY UPDATE: denial of service and possible code execution via
    unchecked realloc failures
    - debian/patches/21_CVE-2011-0064.patch: check for realloc failures in
      pango/opentype/hb-buffer.*, pango/opentype/hb-buffer-private.h.
    - CVE-2011-0064
-- Marc Deslauriers <email address hidden> Tue, 01 Mar 2011 09:35:52 -0500

Changed in pango1.0 (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Martin Pitt (pitti) wrote on 2011-03-10:

This was fixed forMaverick, but natty is still vulnerable.

Changed in pango1.0 (Ubuntu Maverick):
status:	New → Fix Released
Changed in pango1.0 (Ubuntu Natty):
assignee:	nobody → Martin Pitt (pitti)
importance:	Low → Medium
status:	Fix Released → In Progress
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-03-10:

This bug was fixed in the package pango1.0 - 1.28.3-4ubuntu1

---------------
pango1.0 (1.28.3-4ubuntu1) natty; urgency=low

  * Merge changes from 1.28.3-1+squeeze1:
    - 01_CVE-2011-0020.patch: patch from Behdad Esfahbod to fix heap
      corruption. Closes: #610792, CVE-2011-0020. LP: #696616.
  * Merge changes from 1.28.3-2~sid1:
    - 02_CVE-2011-0064.patch: patch from Behdad Esfahbod and Karl Tomlinson to
      fix buffer overwrite on OOM realloc failure. CVE-2011-0064, Mozilla
      #606997.
  * Add 00git_gi_annotations.patch: Cherrypick GI annotation fixes from
    upstream trunk.
  * debian/rules: Remove upstream shipped pango/*.gir to force their
    regeneration during package build.
-- Martin Pitt <email address hidden> Thu, 10 Mar 2011 11:34:30 +0100

Changed in pango1.0 (Ubuntu Natty):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

debbugs #610792
[done grave security squeeze-ignore] Edit
gnome-bugs #639882
[RESOLVED FIXED] Edit

Bug watches keep track of this bug in other bug trackers.