Talos Vulnerability Report
Libgraphite LocaLookup Denial of Service Vulnerability
February 5, 2016
An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service. An attacker can provide a malicious font to trigger this vulnerability.
When reading an invalid font where the loca table size is set to 0, an out-of-bounds read will occur.
At line 187 in GlyphCache.cpp, the function Loader is defined, which loads a number of tables from the font, including the loca table. At line 206 it then calls the function TtfUtil::LocaLookup with arguments that provide the number of glyphs, the loca table and its size:
    if (TtfUtil::LocaLookup(_num_glyphs_graphics-1, _loca, _loca.size(), _head) == size_t(-1))
At line 1164 in this function (in file TtfUtil.cpp), the loca table will be accessed using the number of glyphs:
    return be::peek<uint32>(pLongTable + nGlyphId);
A size check is performed at line 1161, but since the size is set to 0, the unsigned expression (lLocaSize >> 2) - 1 wraps around to the largest representable value, so this will always pass.
    if (nGlyphId < (lLocaSize >> 2) - 1)
This will read out of the bounds of the table by an arbitrary 16-byte number, which will cause a denial of service and could potentially lead to an information leak.
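The wrap-around in the size check can be seen in isolation with the following added example, which is not code from libgraphite or from the Talos report. The function names, the sample table and the hardened form of the check are assumptions made for illustration, and the block also covers table sizes of 1 to 3 bytes, which wrap in the same way as size 0.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed sample: a long-format loca table with 3 big-endian entries
// (offsets 0x00, 0x10, 0x30); the last entry is the sentinel.
static const uint8_t kSampleLoca[12] = {0,0,0,0x00, 0,0,0,0x10, 0,0,0,0x30};
static const size_t kLocaError = size_t(-1);   // error value the caller compares against

// The test quoted from line 1161, isolated so it can be evaluated without
// performing the read. lLocaSize is unsigned, so for any size below 4 bytes
// (lLocaSize >> 2) is 0 and the subtraction wraps to SIZE_MAX.
bool original_check_passes(uint16_t nGlyphId, size_t lLocaSize)
{
    return size_t(nGlyphId) < (lLocaSize >> 2) - 1;
}

// Hardened form (assumption, not the upstream patch): same accepted range for
// well-formed tables, but written as an addition so nothing can wrap.
bool hardened_check_passes(uint16_t nGlyphId, size_t lLocaSize)
{
    return size_t(nGlyphId) + 1 < (lLocaSize >> 2);
}

// Bounds-checked lookup of one 4-byte big-endian loca entry.
size_t loca_lookup_long(uint16_t nGlyphId, const uint8_t *pLoca, size_t lLocaSize)
{
    if (!hardened_check_passes(nGlyphId, lLocaSize))
        return kLocaError;
    const uint8_t *p = pLoca + size_t(nGlyphId) * 4;
    return (size_t(p[0]) << 24) | (size_t(p[1]) << 16) | (size_t(p[2]) << 8) | p[3];
}

int main()
{
    const size_t sizes[] = {0, 3, sizeof kSampleLoca};
    for (size_t size : sizes)
        std::printf("size=%2zu gid=65535 original=%d hardened=%d\n", size,
                    original_check_passes(0xFFFF, size), hardened_check_passes(0xFFFF, size));
    std::printf("entry 1 = 0x%zx, size-0 lookup rejected = %d\n",
                loca_lookup_long(1, kSampleLoca, sizeof kSampleLoca),
                loca_lookup_long(0, kSampleLoca, 0) == kLocaError);
    return 0;
}
```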
The malicious font provided here can be used to reproduce the problem with the ‘simple’ test program provided with libgraphite and the parameter ‘test’: ./simple maliciousfont test
Discovered by Yves Younan of Cisco Talos.