Re: [ft-devel] details on iPhone exploit caused by FreeType?
From: Werner LEMBERG
Subject: Re: [ft-devel] details on iPhone exploit caused by FreeType?
Date: Fri, 08 Jul 2011 13:53:29 +0200 (CEST)
> has anyone more information on the recent exploit for the iPhone,
> reportedly caused by a problem within FreeType's
> `t1_decoder_parse_charstrings'? Extracting the buggy font from
>
> http://www.jailbreakme.com/saffron/_/iPod_4.3.3_8J2.pdf
>
> and testing the current ftview (from the git repository, but rather
> the same as with version 2.4.5) with valgrind on my GNU/Linux box, I
> get a bunch of
>
> Conditional jump or move depends on uninitialised value(s)
>
> but nothing else (and I'll fix these problems in due course).
I've applied the fix below, rejecting negative arguments to
`callothersubr'. This corrects the valgrind errors. If you think
that this is a critical issue (that is, if the exploit is repeatable
with FreeType 2.4.5 and my patch fixes this), I'll release 2.4.6 as
soon as possible.
Please test and comment.
Werner
======================================================================
diff --git a/ChangeLog b/ChangeLog
index 25fb10c..c58d6bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2011-07-08 Werner Lemberg <address@hidden>
+
+ [psaux] Add better argument check for `callothersubr'.
+
+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+ <op_callothersubr>: Reject negative arguments.
+
2011-07-07 Werner Lemberg <address@hidden>
[sfnt] Try harder to find non-zero values for ascender and descender.
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index ea31c51..a60ec38 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -4,8 +4,7 @@
/* */
/* PostScript Type 1 decoding routines (body). */
/* */
-/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 */
-/* 2010 by */
+/* Copyright 2000-2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -687,6 +686,9 @@
subr_no = (FT_Int)( top[1] >> 16 );
arg_cnt = (FT_Int)( top[0] >> 16 );
+ if ( arg_cnt < 0 || subr_no < 0 )
+ goto Unexpected_OtherSubr;
+
/***********************************************************/
/* */
/* remove all operands to callothersubr from the stack */
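Review bot: the new `if ( arg_cnt < 0 || subr_no < 0 )` check only bounds the two values from below; nothing in this hunk bounds `arg_cnt` from above against the number of operands actually on the stack before the "remove all operands" step that follows the comment. The sign check is the right fix for the valgrind reports, since a negative count moves `top` upward past the values that were pushed, but it is worth confirming that the removal code below still compares `arg_cnt` against the current stack depth (or hits an existing stack-underflow check) so that an oversized positive `arg_cnt` cannot move `top` below the stack base. A short comment on the new lines saying why negative values are rejected would also help the next reader, since the ChangeLog entry is the only place that currently explains it.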
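As an added example, not code from this list or from FreeType itself: a constructed, simplified model of the Type 1 charstring operand stack that shows why a negative `arg_cnt` is dangerous in the pre-patch logic and how the patch's sign check, extended here with an upper bound against the number of operands actually pushed (an addition beyond the patch), rejects it. The names `cs_stack`, `callothersubr_unchecked`, `callothersubr_checked` and `run_sequence` are hypothetical.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of a Type 1 charstring operand stack, not FreeType's
   own code. Operands are 16.16 fixed point, as in t1decode.c. */
#define STACK_CAPACITY 16
#define FIXED(n)    ((long)(n) * 65536L)
#define INT_PART(v) ((int)((v) / 65536L))   /* integer part of a 16.16 value */

typedef struct {
    long      stack[STACK_CAPACITY];
    ptrdiff_t depth;                 /* number of operands currently pushed */
} cs_stack;

static bool cs_push(cs_stack *cs, long v) {
    if (cs->depth >= STACK_CAPACITY) return false;
    cs->stack[cs->depth++] = v;
    return true;
}

/* Pre-patch logic: pop subr_no and arg_cnt, then drop arg_cnt operands.
   With a negative arg_cnt the stack pointer moves up instead of down, past
   the live operands (for a large value, past the buffer itself). Only the
   resulting depth is reported here; nothing is dereferenced. */
static ptrdiff_t callothersubr_unchecked(const cs_stack *cs) {
    ptrdiff_t top     = cs->depth - 2;          /* top[1] is subr_no, unused here */
    int       arg_cnt = INT_PART(cs->stack[top]);
    return top - arg_cnt;
}

/* Hardened: the patch's sign check, plus a bound of arg_cnt against the
   operands actually pushed. Returns the new depth, or -1 on rejection. */
static ptrdiff_t callothersubr_checked(cs_stack *cs) {
    if (cs->depth < 2) return -1;                    /* stack underflow */
    ptrdiff_t top     = cs->depth - 2;
    int       subr_no = INT_PART(cs->stack[top + 1]);
    int       arg_cnt = INT_PART(cs->stack[top]);
    if (arg_cnt < 0 || subr_no < 0) return -1;       /* Unexpected_OtherSubr */
    if (arg_cnt > top) return -1;                    /* more args than pushed */
    cs->depth = top - arg_cnt;
    return cs->depth;
}

/* Pushes "1 2 ... n_args arg_cnt subr_no" and runs one handler on it. */
static ptrdiff_t run_sequence(int n_args, int arg_cnt, int subr_no, bool checked) {
    cs_stack cs = { {0}, 0 };
    for (int i = 0; i < n_args; i++)
        if (!cs_push(&cs, FIXED(i + 1))) return -1;
    if (!cs_push(&cs, FIXED(arg_cnt)) || !cs_push(&cs, FIXED(subr_no))) return -1;
    return checked ? callothersubr_checked(&cs) : callothersubr_unchecked(&cs);
}
```

With `arg_cnt = -20` the unchecked handler reports a depth of 21 on a 16-entry stack, which is the class of out-of-range access the valgrind reports point at; the checked handler rejects that sequence outright.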