xorl %eax, %eax

CVE-2010-2643: Evince TFM Font Parser Integer Overflow


This is a vulnerability in the DVI (Device Independent File Format) rendering component of GNOME Evince 2.32.0 and earlier versions. It was reported to the Evince development team by Jon Larimer of IBM X-Force. The affected code is in backend/dvi/mdvi-lib/tfmfile.c, where the TFM (TeX Font Metric) font parser used for DVI files resides.

int     tfm_load_file(const char *filename, TFMInfo *info)
{
        int     lf, lh, bc, ec, nw, nh, nd, ne;
        int     i, n;
    ...
        /* We read the entire TFM file into core */
        if(fstat(fileno(in), &st) < 0)
                return -1;
        if(st.st_size == 0)
                goto bad_tfm;

        /* allocate a word-aligned buffer to hold the file */
        size = 4 * ROUND(st.st_size, 4);
        if(size != st.st_size)
                mdvi_warning(_("Warning: TFM file `%s' has suspicious size\n"), 
                             filename);
        tfm = (Uchar *)mdvi_malloc(size);
        if(fread(tfm, st.st_size, 1, in) != 1)
    ...
bad_tfm:
        mdvi_error(_("%s: File corrupted, or not a TFM file\n"), filename);
error:
        if(tfm) mdvi_free(tfm);
        if(in)  fclose(in);
        return -1;      
}

This routine loads a TFM font file while a DVI document is being processed. As we can see, it uses fstat(2) to obtain the TFM file's metadata. The only check performed on the result is whether the file is empty, in which case an error message is emitted through the internal mdvi_error() function. There is no upper bound on the file size, however, so the 4 * ROUND(st.st_size, 4) calculation that follows can overflow, and the mismatch between the computed size and st.st_size only produces a warning before mdvi_malloc() allocates the undersized buffer. Because of this, the subsequent fread() of st.st_size bytes, and the reads that follow it, access memory out of the bounds of the incorrectly allocated heap space.
To fix this, the following patch was committed.

        if(fstat(fileno(in), &st) < 0)
                return -1;
-       if(st.st_size == 0)
+       /* according to the spec, TFM files are smaller than 16K */
+       if(st.st_size == 0 || st.st_size >= 16384)
                goto bad_tfm;
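Review bot: with the new upper bound at this `if`, the later `size != st.st_size` mismatch can no longer occur for accepted input, but that comparison still only calls `mdvi_warning()` and then proceeds to `mdvi_malloc(size)`; since the comment asserts that the spec limits TFM files to under 16K, consider making the mismatch `goto bad_tfm` as well, so that a future change to the bound cannot silently reintroduce an undersized allocation. The `>= 16384` test is consistent with the "smaller than 16K" wording in the comment.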

Consequently, before this patch an attacker could trigger the vulnerability with a specially crafted TFM font file whose size exceeds the 16KB limit that the patch now enforces.
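To make the size calculation concrete, here is an added illustration that is not code from Evince or from this post: the original computation with its truncating assignment into an int, the number of bytes the following fread() would write past the allocation, and the bounded check the patch introduces. It assumes ROUND() is mdvi-lib's round-up macro, that `size` is declared as an int (not shown in the excerpt), and uses int64_t in place of the 64-bit off_t.

```c
#include <stdint.h>
#include <stdio.h>

/* Round-up-division macro, assumed to match mdvi-lib's ROUND(x, y). */
#define ROUND(x, y) (((x) + (y) - 1) / (y))

/* Mirror of the original computation: the 64-bit expression is stored in
 * an int, so the high bits are silently dropped. Returns the value that
 * mdvi_malloc() would receive; *mismatch (if non-NULL) is set when it no
 * longer equals the file size, which the original code only warned about. */
int tfm_alloc_size_unchecked(int64_t st_size, int *mismatch)
{
    int size = 4 * ROUND(st_size, 4);   /* truncating assignment */
    if (mismatch)
        *mismatch = (size != st_size);
    return size;
}

/* Bytes that fread(tfm, st_size, 1, in) would write past the end of a
 * buffer of `size` bytes (0 when the buffer is large enough). Assumes a
 * non-negative size, i.e. an allocation that actually succeeded. */
int64_t tfm_overrun_bytes(int64_t st_size, int size)
{
    return st_size > size ? st_size - size : 0;
}

/* Hardened variant mirroring the upstream fix: reject empty or oversized
 * files before any arithmetic, so the rounded size can never exceed 16384.
 * Returns -1 where the original would jump to bad_tfm. */
int tfm_alloc_size_checked(int64_t st_size)
{
    if (st_size == 0 || st_size >= 16384)
        return -1;
    return (int)(4 * ROUND(st_size, 4));
}

int main(void)
{
    /* Constructed sizes: a benign 1000-byte TFM and a file size whose
     * rounded value wraps to a tiny int when truncated. */
    int64_t sizes[] = { 1000, ((int64_t)1 << 32) + 4 };
    for (int i = 0; i < 2; i++) {
        int mismatch, size = tfm_alloc_size_unchecked(sizes[i], &mismatch);
        printf("st_size=%lld -> malloc(%d)%s, overrun=%lld bytes, checked=%d\n",
               (long long)sizes[i], size, mismatch ? " (size mismatch)" : "",
               (long long)tfm_overrun_bytes(sizes[i], size),
               tfm_alloc_size_checked(sizes[i]));
    }
    return 0;
}
```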

Written by xorl

January 14, 2011 at 14:00

Posted in bugs
