Talos Vulnerability Report

TALOS-2016-0060

Libgraphite Bidirectional Font mFeatureMap Denial of Service Vulnerability

February 5, 2016

Report ID

CVE-2016-1522

Description

An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash. An attacker can provide a malicious font to trigger this vulnerability.

Tested Versions

Libgraphite 2-1.2.4

Product URLs

http://sourceforge.net/projects/silgraphite/files/graphite2/

Details

The attached font will generate a NULL pointer dereference when used.

When the font is loaded via grmakefile_face, the function readFeats will be called at line 190 in the file FeatureMap.cpp in the function SillMap::readFace.

if (!m_FeatureMap.readFeats(face)) return false;

At line 110, in the function readFeats, mnumFeats will be assigned the value 0. This results in a return from the readFeats function at line 115. However the return will return the value true. This results in none of the variables in mFeatureMap being initialized even though the font will load without any errors being returned. If the function grmakeseg is later called on this font, the call to SillMap::cloneFeatures will fail at line 241 because it tries to dereference mFeatureMap.mdefaultFeatures, which is set to 0.

return new Features (*m_FeatureMap.m_defaultFeatures);

A similar error can occur at line 103 in the same function if the constructor for Table fails.

Credit

Discovered by Yves Younan of Cisco Talos.