xorl %eax, %eax

CVE-2010-2641: Evince VF Parser Array Index Error


Following CVE-2010-2643 and CVE-2010-2642 we have this one. In this case the vulnerable function is located in backend/dvi/mdvi-lib/vf.c, where the VF (virtual font) file format parser lives.

static int vf_load_font(DviParams *params, DviFont *font)
{
        FILE    *p;
        Uchar   *macros;
        int     msize;
        int     mlen;
  ...
        /* now read the characters themselves */
        while(op <= 242) {
  ...
                if(op == 242) {
  ...
                } else {
                        pl = op;
                        cc = fuget1(p);
  ...
                if(loc < 0 || cc < loc)
                        loc = cc;
                if(hic < 0 || cc > hic)
                        hic = cc;
                if(cc >= nchars) {
                        font->chars = xresize(font->chars, 
                                DviFontChar, cc + 16);
                        for(i = nchars; i < cc + 16; i++)
                                font->chars[i].offset = 0;
                        nchars = cc + 16;
                }
                if(font->chars[cc].offset) {
                        mdvi_error(_("(vf) %s: character %d redefined\n"),
                                   font->fontname, cc);
                        goto error;
                }
  ...
                font->chars[cc].width = pl + 1;
                font->chars[cc].code = cc;
                font->chars[cc].tfmwidth = TFMSCALE(tfm, z, alpha, beta);
                font->chars[cc].offset = mlen;
                font->chars[cc].loaded = 1;
  ...
        if(macros)
                mdvi_free(macros);
        return -1;
}

In the ‘while’ loop shown above, which reads the characters, the character code ‘cc’ is read straight from the VF file (via the fuget1() routine in the branch shown) and is then used as an index into the ‘font->chars[]’ array. The code never checks that ‘cc’ lies in a valid range: a negative ‘cc’ fails the ‘cc >= nchars’ test, so the array is not grown and font->chars[cc] is accessed before the start of the buffer, while an oversized ‘cc’ drives the xresize() size computation and the subsequent accesses with an invalid index. Either way the result is arbitrary read/write operations controlled by the file.
To fix this the following patch was applied.

                        tfm = fuget3(p);
                }
+               if (cc < 0 || cc > 65536) {
+                       /* TeX engines do not support char codes bigger than 65535 */
+                       mdvi_error(_("(vf) %s: unexpected character %d\n"),
+                                  font->fontname, cc);
+                       goto error;
+               }
                if(loc < 0 || cc < loc)
                        loc = cc;
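Review bot: the new range check `if (cc < 0 || cc > 65536)` is off by one relative to its own comment: the comment says TeX engines do not support char codes bigger than 65535, but the condition only rejects codes bigger than 65536, so cc == 65536 still passes and ends up as an index. Suggest `if (cc < 0 || cc > 65535)` (or `cc >= 65536`) so the check and the comment agree; placing the check before the loc/hic updates and before the xresize() call, as the hunk does, is the right spot.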

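To make the index problem concrete, here is an added example that is not code from Evince or mdvi: a minimal parser for character records shaped like the VF short form (opcode 0..241 doubling as packet length, then a 1-byte char code) and long form (opcode 242, then a 4-byte char code; the long form is simplified to omit the packet length and TFM width fields). It keeps the ‘cc + 16’ growth strategy from vf.c but applies the patch's range check, with the bound matching the patch comment, before ‘cc’ is ever used as an index. All names (FontTable, vf_load_chars, run_sample, the SAMPLE_* inputs) are hypothetical and the inputs are constructed.

```c
/* Added example, not code from Evince/mdvi: VF-like character records with
 * the char code validated before it indexes a growable array. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VF_MAX_CHAR   65535   /* TeX char codes fit in 16 bits */
#define VF_LONG_CHAR  242     /* opcode introducing a long-form record */

typedef struct { int code; int width; int loaded; } CharEntry;
typedef struct { CharEntry *chars; int nchars; } FontTable;

/* Big-endian signed 32-bit read, like a 4-byte file field read into an int. */
static int32_t get4(const unsigned char *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* The check from the patch, with the bound matching its comment:
 * anything outside 0..65535 is rejected. */
int vf_char_code_ok(int cc)
{
    return cc >= 0 && cc <= VF_MAX_CHAR;
}

/* Grow the table so chars[cc] exists, using the same cc + 16 growth as vf.c.
 * Only reached after vf_char_code_ok(), so cc + 16 cannot overflow. */
static int ensure_capacity(FontTable *ft, int cc)
{
    if (cc < ft->nchars)
        return 0;
    int newn = cc + 16;
    CharEntry *grown = realloc(ft->chars, (size_t)newn * sizeof *grown);
    if (!grown)
        return -1;
    memset(grown + ft->nchars, 0, (size_t)(newn - ft->nchars) * sizeof *grown);
    ft->chars = grown;
    ft->nchars = newn;
    return 0;
}

/* Parse records until an opcode above 242. Returns the number of characters
 * loaded, or -1 on a truncated record, an out-of-range code, or a redefined
 * character. */
int vf_load_chars(const unsigned char *buf, size_t len, FontTable *ft)
{
    size_t pos = 0;
    int loaded = 0;

    while (pos < len && buf[pos] <= VF_LONG_CHAR) {
        int op = buf[pos++];
        int cc;
        if (op == VF_LONG_CHAR) {
            if (len - pos < 4)
                return -1;
            cc = get4(buf + pos);
            pos += 4;
        } else {
            if (len - pos < 1)
                return -1;
            cc = buf[pos++];
        }
        /* Without this check a negative cc skips the growth step and indexes
         * before the allocation; a huge cc corrupts the cc + 16 size math. */
        if (!vf_char_code_ok(cc)) {
            fprintf(stderr, "(vf) unexpected character %d\n", cc);
            return -1;
        }
        if (ensure_capacity(ft, cc) < 0)
            return -1;
        if (ft->chars[cc].loaded) {
            fprintf(stderr, "(vf) character %d redefined\n", cc);
            return -1;
        }
        ft->chars[cc].code = cc;
        ft->chars[cc].width = op + 1;
        ft->chars[cc].loaded = 1;
        loaded++;
    }
    return loaded;
}

/* Load a sample into a fresh table, free it, and return the parser's result. */
int run_sample(const unsigned char *buf, size_t len)
{
    FontTable ft = { NULL, 0 };
    int rc = vf_load_chars(buf, len, &ft);
    free(ft.chars);
    return rc;
}

/* Constructed inputs; 248 stands in for the opcode that ends the loop. */
const unsigned char SAMPLE_OK[]        = { 5, 65, 242, 0, 0, 1, 0, 248 }; /* 'A' and code 256 */
const unsigned char SAMPLE_NEGATIVE[]  = { 242, 0x80, 0, 0, 0, 248 };     /* code INT32_MIN */
const unsigned char SAMPLE_HUGE[]      = { 242, 0, 1, 0x11, 0x70, 248 };  /* code 70000 */
const unsigned char SAMPLE_TRUNCATED[] = { 242, 0, 1 };

int main(void)
{
    printf("ok=%d negative=%d huge=%d truncated=%d\n",
           run_sample(SAMPLE_OK, sizeof SAMPLE_OK),
           run_sample(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE),
           run_sample(SAMPLE_HUGE, sizeof SAMPLE_HUGE),
           run_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The valid sample loads two characters (the short-form 'A' and a long-form code 256, which triggers a table growth to 272 entries); the negative, oversized and truncated samples are all refused before any index is formed, which is exactly the ordering the patch establishes by checking ‘cc’ ahead of the loc/hic updates and the xresize() call.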
Written by xorl

January 14, 2011 at 14:37

Posted in bugs
