oss-sec mailing list archives

Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0


From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 13 Mar 2025 22:04:21 +0100

Hi Marc,

On Thu, Mar 13, 2025 at 10:50:38AM -0400, Marc Deslauriers wrote:
Hi,

On 2025-03-12 16:57, Michel Lind wrote:
Description:

An out of bounds write exists in FreeType versions 2.13.0 and below
when attempting to parse font subglyph structures related to TrueType
GX and variable font files. The vulnerable code assigns a signed short
value to an unsigned long and then adds a static value causing it to
wrap around and allocate too small of a heap buffer. The code then
writes up to 6 signed long integers out of bounds relative to this
buffer. This may result in arbitrary code execution. This vulnerability
may have been exploited in the wild.

https://www.facebook.com/security/advisories/cve-2025-27363

This commit fixes most of the issue - except `limit` is still signed
short - but needs to be redone if you're backporting to 2.10.4

https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d


Perhaps I need more coffee this morning, but I'm having trouble
consolidating that patch with the description. If "limit" is the signed
short, what is the unsigned long?

It is related to this:
https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
see
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322#note_2822105
. The commit itself is only in 2.13.3.

Also, if this is meant as the fix:

-        if ( FT_NEW_ARRAY( points, limit + 4 )    ||
-             FT_NEW_ARRAY( tags, limit + 4 )      ||
-             FT_NEW_ARRAY( contours, limit + 4 )  ||
-             FT_NEW_ARRAY( unrounded, limit + 4 ) )
+        if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) ||
+             FT_QNEW_ARRAY( outline.tags, limit )       ||
+             FT_QNEW_ARRAY( outline.contours, limit )   ||
+             FT_QNEW_ARRAY( unrounded, limit + 4 )      )
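Review bot: the `+ 4` on `outline.points` and `unrounded` survives this hunk while `outline.tags` and `outline.contours` drop to `limit`, so any loop that walks the four extra (phantom) points and indexes `tags` or `contours` with the same bound now runs past the two smaller arrays; the consumers are not in the hunk, so that needs to be confirmed before this is taken as a fix. Switching `FT_NEW_ARRAY` to `FT_QNEW_ARRAY` also drops the zero-fill, so every element of the four arrays must be written before it is read, including the `limit + 4` tail of `points` and `unrounded`. Neither change touches the `limit + 4` arithmetic itself, so if `limit` is the signed short the description refers to, the conversion this CVE is about is not addressed here and must live in a different commit.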

...not only would the remaining + 4 wrap around too, but FT_NEW_ARRAY
already checks for a value < 0, so I'm not sure that is it.

What am I not seeing?

Do you already have a working backport set for the 2.12.1-based version?

Regards,
Salvatore
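As an added illustration that is not part of this thread and not FreeType's code: the conversion the advisory text describes, a signed short widened to an unsigned long with a constant then added, placed beside a checked version of the same size computation. The function names, `EXTRA_POINTS`, and the choice of `long` as the element type are made up for the example; the constant 4 is assumed from the `+ 4` in the quoted hunk.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example. EXTRA_POINTS stands in for the "static value" the
 * advisory mentions; the 4 is assumed from the "+ 4" in the quoted hunk. */
#define EXTRA_POINTS 4

/* The pattern as described: a signed 16-bit count is converted to an
 * unsigned long (sign-extended, so -2 becomes ULONG_MAX - 1) and a constant
 * is added. For limit in [-4, -1] the sum wraps to a value in [0, 3], so the
 * caller would allocate a tiny buffer and still treat it as limit + 4 long. */
unsigned long unchecked_count(short limit)
{
    unsigned long n = (unsigned long)limit;
    return n + EXTRA_POINTS;
}

/* Hardened version: reject a negative count before widening it, then bound
 * the element count so that count * elem_size cannot overflow size_t.
 * Returns 0 on success and -1 when the input is rejected. */
int checked_count(short limit, size_t elem_size, size_t *out)
{
    if (limit < 0 || elem_size == 0)
        return -1;
    size_t n = (size_t)limit + EXTRA_POINTS;   /* at most SHRT_MAX + 4 */
    if (n > SIZE_MAX / elem_size)
        return -1;
    *out = n;
    return 0;
}

/* Convenience wrapper: the checked count, or 0 when the input is rejected
 * (0 is never a valid result, since the minimum accepted count is 4). */
size_t checked_or_zero(short limit)
{
    size_t n = 0;
    return checked_count(limit, sizeof(long), &n) == 0 ? n : 0;
}

/* Allocate through the checked path and write every element the caller is
 * entitled to, i.e. the full [0, limit + 4) range. Returns 1 when the
 * allocation and the writes succeed, 0 when the input was rejected. */
int alloc_points_ok(short limit)
{
    size_t n;
    if (checked_count(limit, sizeof(long), &n) != 0)
        return 0;
    long *points = calloc(n, sizeof(long));
    if (points == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        points[i] = (long)i;
    free(points);
    return 1;
}

int main(void)
{
    /* -2 widened and offset wraps to 2, not the -2 + 4 = 2 a reader might
     * expect from int arithmetic alone; -4 wraps all the way to 0. */
    unsigned long wrapped = unchecked_count(-2);
    size_t safe = checked_or_zero(-2);
    return (wrapped == 2UL && safe == 0) ? 0 : 1;
}
```

The checked path refuses negative counts before the widening conversion rather than relying on the wrapped result being caught later, which is the ordering a backport to an older branch with a signed `limit` would want.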

