Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you the principle analysis of Chrome FreeType font library heap overflow vulnerability CVE-2020-15999. The article is rich in content and analyzes and describes for you from a professional point of view. I hope you can get something after reading this article.

Brief introduction of vulnerabilities

Google announced that there was a heap overflow in the FreeType font library of older chrome browsers, which could lead to RCE (remote code execution).

Security experts recommend that users upgrade to a version later than 86.0.4240.111 as soon as possible to address the risk.

Loophole principle

1. TTF embedded picture

TTF fonts support embedding pictures in PNG format as glyph data. When embedding, the picture data will be saved in the SBIX table of the font file. During processing, the font will be rendered by extracting the information accessed in the PNG in the SBIX table. The format in the SBIX table is as follows:

StrikeOffset in SBIX stores the offset of Strikes data information, and glyphDataOffset in Strikes stores the offset of specific glyph information. The format of Strikes format and glyph information is as follows:

The data in the glyph information stores the embedded picture information. The following is the SBIX in the sample and the stored picture information.

The PNG picture information is saved at hex (0x1a30 + 0x5aaec + 0x8) = 0x5c524. You can see some basic information of the image through IHDR, as shown in the following figure:

2. Implementation of Load_SBit_Png function

The extraction of PNG picture information in FreeType library is realized by Load_SBit_Png function. The processing flow of the Load_SBit_Png function is as follows:

1. Parse the memory pointed to by data in the glyph information to PNG

two。 Extract the information stored in IHDR of the parsed image (image width and height, depth and color type, etc.)

3. Extract the parsed information into the glyph information

4. Open up memory to save picture information according to the previous parsed information

Third, loophole principle

The vulnerability occurs in the process of extracting parsed picture information to glyph information. The data type of width and height stored by IHDR in PNG image is uint32. When storing glyph information, it will be converted to unsigned short type. At this time, truncation will occur if the width and height information of the picture is greater than 0x7FFF.

After that, the corresponding data stored in the glyph information is transferred to the bitmap used to store the glyph information of the PNG image. The rows in the bitmap corresponds to the height of the picture, the width corresponds to the width of the picture, and the pitch corresponds to the number of bytes occupied by each line of bitmap, that is, the width * 4. The ft_glyphslot_alloc_bitmap function is then called to complete the allocation of memory used to store image information in bitmap. As shown in the figure below, the memory allocated is map- > rows * (FT_ULong) map- > pitch, that is, the height * the number of bytes occupied per line. Then call png_read_image to read the image information to bitmap- > buffer. If the height of the PNG picture is truncated, it will result in insufficient allocated memory and a heap overflow while reading the picture information.

The bitmap information after the overflow is shown in the figure below. The length of buffer is 0xa3 * 0xc. Viewing the data after buffer shows that it has been overwritten.

Vulnerability verification

First, verify in 87.0.4247.0 (developer build)

II. Analysis of 86.0.4240.111 version repair

Compare whether imgWidth and imgHeight are greater than 0x7FFF. If so, exit.

The above is the principle analysis of the Chrome FreeType font library heap overflow vulnerability CVE-2020-15999 shared by Xiaobian. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.