Talos Vulnerability Report
Libgraphite directrun Opcode Handling Code Execution Vulnerability
February 5, 2016
An exploitable out-of-bounds read vulnerability exists in the opcode handling functionality of Libgraphite. A specially crafted font can cause an out-of-bounds read resulting in arbitrary code execution. An attacker can provide a malicious font to trigger this vulnerability.
If a malicious font is provided, an out of bounds read can occur while interpreting the opcodes in a font.
The problem occurs when executing the various opcodes in the function directrun in the file directmachine.cpp. At line 85, the interpreter for the opcodes will be executed by performing a goto instruction.
If the opcode in particular is a cntxt_item, then ip variable will be advanced by iskip bytes to find the next opcode and continue interpreting the opcodes. This is done at line 369 of opcodes.h.
ip += iskip;
However there are no checks to ensure that ip remains within the bounds of the memory allocated for the memory to be interpreted (the program variable). In the case of the malicious font provided here, the value of iskip will be 55, resulting in an out-of-bound read when the program performs a jump to **ip. This memory is memory that was previously allocated for data. This allows an attacker to potentially execute arbitrary code.
The malicious font provided here can be used to generate the problem by using the ‘simple’ test program provided with libgraphite and the parameter ‘test’: ./simple maliciousfont test
Discovered by Yves Younan of Cisco Talos.