Talos Vulnerability Report

TALOS-2016-0058

Libgraphite directrun Opcode Handling Code Execution Vulnerability

February 5, 2016

Report ID

CVE-2016-1521

Description

An exploitable out-of-bounds read vulnerability exists in the opcode handling functionality of Libgraphite. A specially crafted font can cause an out-of-bounds read resulting in arbitrary code execution. An attacker can provide a malicious font to trigger this vulnerability.

Tested Versions

Libgraphite 2-1.2.4

Product URLs

http://sourceforge.net/projects/silgraphite/files/graphite2/

Details

If a malicious font is provided, an out-of-bounds read can occur while interpreting the opcodes in the font.

The problem occurs when executing the opcodes in the function directrun in the file directmachine.cpp. At line 85, the interpreter dispatches to the handler for each opcode by performing a goto instruction.

goto **ip;

If the opcode is a cntxt_item, the ip variable is advanced by iskip bytes to find the next opcode, and interpretation continues from there. This is done at line 369 of opcodes.h.

ip += iskip;

However, there are no checks to ensure that ip remains within the bounds of the memory allocated for the opcodes to be interpreted (the program variable). In the case of the malicious font provided here, the value of iskip will be 55, resulting in an out-of-bounds read when the program performs a jump to **ip. The memory that is read was previously allocated for data. This allows an attacker to potentially execute arbitrary code.
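The missing check can be made once, before any opcode runs. The following is an added example, not Libgraphite's code or its actual fix: a validation pass over a hypothetical toy bytecode (the opcode names, encoding and validate_program function are assumptions) that rejects any program whose skip operand would move ip outside the buffer or into the middle of another instruction.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy opcode set (hypothetical; not Graphite's real encoding). */
enum { OP_NOP, OP_PUSH, OP_SKIP, OP_RET, OP_COUNT };
static const uint8_t operand_len[OP_COUNT] = { 0, 1, 1, 0 };

/* Validate bytecode before it is interpreted. Returns true only if every
 * opcode is known, every operand lies inside the buffer, every OP_SKIP
 * lands on the start of an instruction inside the buffer, and the final
 * instruction is OP_RET, so ip can never leave [code, code + len). */
bool validate_program(const uint8_t *code, size_t len)
{
    if (code == NULL || len == 0)
        return false;
    uint8_t *starts = calloc(len, 1);   /* starts[i] = 1: instruction begins at i */
    if (starts == NULL)
        return false;

    bool ok = true;
    size_t pc = 0, last = 0;
    /* Pass 1: decode linearly, recording instruction boundaries. */
    while (ok && pc < len) {
        uint8_t op = code[pc];
        if (op >= OP_COUNT || operand_len[op] > len - pc - 1) {
            ok = false;
            break;
        }
        starts[pc] = 1;
        last = pc;
        pc += 1 + (size_t)operand_len[op];
    }
    ok = ok && code[last] == OP_RET;

    /* Pass 2: every skip target must be an in-bounds instruction start. */
    for (pc = 0; ok && pc < len; pc += 1 + (size_t)operand_len[code[pc]]) {
        if (code[pc] != OP_SKIP)
            continue;
        size_t target = pc + 2 + code[pc + 1];  /* ip after operand, plus iskip */
        ok = target < len && starts[target];
    }
    free(starts);
    return ok;
}
```

A program that fails this check is never handed to the interpreter, so the dispatch loop itself needs no per-instruction bounds test.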

The malicious font provided here can be used to reproduce the problem by running the ‘simple’ test program provided with libgraphite with the parameter ‘test’: ./simple maliciousfont test

Credit

Discovered by Yves Younan of Cisco Talos.