Talos Vulnerability Report
Libgraphite Bidirectional Font mFeatureMap Denial of Service Vulnerability
February 5, 2016
An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash. An attacker can provide a malicious font to trigger this vulnerability.
The attached font will generate a NULL pointer dereference when used.
When the font is loaded via gr_make_file_face, the function readFeats is called at line 190 of the file FeatureMap.cpp, in the function SillMap::readFace.
if (!m_FeatureMap.readFeats(face)) return false;
At line 110, in the function readFeats, m_numFeats is assigned the value 0. This causes readFeats to return at line 115, but the value it returns is true. As a result, none of the variables in m_FeatureMap are initialized, even though the font loads without any errors being returned. If the function gr_make_seg is later called on this font, the call to SillMap::cloneFeatures fails at line 241 because it tries to dereference m_FeatureMap.m_defaultFeatures, which is set to 0.
return new Features (*m_FeatureMap.m_defaultFeatures);
A similar error can occur at line 103 in the same function if the constructor for Table fails.
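The pattern described above, and two ways to close it, as an added example that is not libgraphite source or the vendor's fix. FeatureMapModel, Features, readFeatsHardened and cloneFeaturesChecked are hypothetical names modelling the reported behaviour: a loader that reports success for a zero feature count while leaving m_defaultFeatures unset.

```cpp
// Added illustration: a simplified model of the reported pattern, not libgraphite source.
#include <cstdint>
#include <cstdio>
#include <memory>

struct Features { std::uint32_t bits = 0; };   // hypothetical stand-in type

class FeatureMapModel {                         // hypothetical class name
public:
    // As reported: a zero feature count returns success early and
    // leaves m_defaultFeatures unset.
    bool readFeats(std::uint16_t numFeats) {
        m_numFeats = numFeats;
        if (m_numFeats == 0) return true;
        m_defaultFeatures.reset(new Features());
        return true;
    }
    // Hardened loader: success always implies a valid default feature set.
    bool readFeatsHardened(std::uint16_t numFeats) {
        m_numFeats = numFeats;
        m_defaultFeatures.reset(new Features());
        return true;
    }
    const Features* defaults() const { return m_defaultFeatures.get(); }
private:
    std::uint16_t m_numFeats = 0;
    std::unique_ptr<Features> m_defaultFeatures;
};

// Hardened clone: report failure to the caller instead of dereferencing null.
std::unique_ptr<Features> cloneFeaturesChecked(const FeatureMapModel& map) {
    const Features* d = map.defaults();
    if (!d) return nullptr;
    return std::unique_ptr<Features>(new Features(*d));
}

int main() {
    FeatureMapModel asReported, hardened;
    asReported.readFeats(0);
    hardened.readFeatsHardened(0);
    std::printf("as reported: clone %s\n", cloneFeaturesChecked(asReported) ? "ok" : "refused");
    std::printf("hardened:    clone %s\n", cloneFeaturesChecked(hardened) ? "ok" : "refused");
    return 0;
}
```

Either change alone removes the crash in this model: the loader keeps the "success implies initialized" invariant, and the checked clone fails safely if that invariant is ever broken.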
Discovered by Yves Younan of Cisco Talos.