Malformed CFF Vulnerability

From The Apple Wiki

Vulnerability in FreeType

Software
Vulnerable versions:
  • iOS 3.1.2 - 4.0.1 (iPhone/iPod touch)
  • iOS 3.2 - 3.2.1 (iPad)
  • iPod nano (6th and 7th generation) Software
Fixed in version:
  • iOS 4.0.2 (iPhone/iPod touch)
  • iOS 3.2.2 (iPad)
Disclosed: 1 August 2010 (2010-08-01)
Discovered by: comex
CVE: CVE-2010-1797
Apple KB


The Malformed CFF Vulnerability, along with the IOSurface Kernel Exploit, was used in Star/JailbreakMe 2.0. It is a stack overflow in the handling of CFF opcodes. Contrary to popular belief, it is not a vulnerability in the PDF parser: the malformed font was merely embedded in a PDF to deliver it to the font engine.
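As an added illustration (not code from The Apple Wiki, FreeType or the JailbreakMe exploit), a toy Type 2 charstring interpreter that reproduces the operand-stack layout the fix below relies on: `stack[]` holds at most CFF_MAX_OPERANDS entries (48, the Type 2 limit), `args` points at the next free slot, and `dup` writes `args[1]`, so the bound to check before that write is `args + 1 - stack`. The function names, status codes and constructed charstrings are assumptions of this example.

```c
/* Added example, not FreeType's code: a toy Type 2 charstring operand-stack
 * interpreter for one-byte integers, dup (12 27), drop (12 18) and endchar (14).
 * Like cffgload.c, `args' is moved back to the operator's first operand first. */
#include <stddef.h>
#define CFF_MAX_OPERANDS 48  /* operand stack depth fixed by the Type 2 spec */

enum { T2_OK = 0, T2_STACK_OVERFLOW, T2_STACK_UNDERFLOW, T2_BAD_CHARSTRING };

/* Interprets cs[0..len); on endchar stores the operand count in *depth. */
int run_charstring(const unsigned char *cs, size_t len, size_t *depth)
{
    long   stack[CFF_MAX_OPERANDS];
    long  *args = stack;                       /* next free slot */
    size_t i = 0;

    while (i < len) {
        unsigned b0 = cs[i++];
        if (b0 >= 32 && b0 <= 246) {           /* one-byte integer operand */
            if (args - stack >= CFF_MAX_OPERANDS)
                return T2_STACK_OVERFLOW;
            *args++ = (long)b0 - 139;
        } else if (b0 == 14) {                 /* endchar */
            if (depth) *depth = (size_t)(args - stack);
            return T2_OK;
        } else if (b0 == 12 && i < len) {      /* escaped operator */
            unsigned b1 = cs[i++];
            if (b1 != 27 && b1 != 18) return T2_BAD_CHARSTRING;
            if (args - stack < 1) return T2_STACK_UNDERFLOW;
            args -= 1;                         /* both operators take one operand */
            if (b1 == 27) {                    /* dup: push a copy of args[0] */
                if (args + 1 - stack >= CFF_MAX_OPERANDS) /* bound from the fix */
                    return T2_STACK_OVERFLOW;
                args[1] = args[0];
                args += 2;
            }                                  /* drop: operand already popped */
        } else return T2_BAD_CHARSTRING;
    }
    return T2_BAD_CHARSTRING;                  /* ran off the end without endchar */
}

/* Constructed input: the integer 1, then `dups' dup operators, then endchar.
 * Returns the final operand count, or the negated status code on failure. */
long run_dup_chain(int dups)
{
    unsigned char cs[2 * 64 + 2]; size_t n = 0, depth = 0;
    cs[n++] = 140;                             /* b0 - 139 encodes the integer 1 */
    for (int k = 0; k < dups && k < 64; k++) { cs[n++] = 12; cs[n++] = 27; }
    cs[n++] = 14;
    int st = run_charstring(cs, n, &depth);
    return st == T2_OK ? (long)depth : -st;
}
```

With 47 dups the stack reaches exactly 48 operands and the charstring is accepted; the 48th dup is the first one whose `args[1]` would land outside `stack[]`, and the check rejects it.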

On 31 December 2023 (2023-12-31), the freemyipod project announced the successful use of this vulnerability to achieve unsigned code execution on the iPod nano (6th and 7th generation) for the first time. A proof-of-concept exploit was released on GitHub as ipod_sun.

The package PDF Patch was released on Telesphoreo to fix the vulnerability on devices jailbroken on a vulnerable version.

Fix

The following patch was used to fix the bug:

diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c
--- freetype-2.4.1/src/cff/cffgload.c	2010-07-15 09:26:45.000000000 -0700
@@ -204,7 +204,7 @@
    2, /* hsbw */
    0,
    0,
-    0,
+    1,
    5, /* seac */
    4, /* sbw */
    2  /* setcurrentpoint */
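Review bot: the changed entry (`-    0,` to `+    1,`) is the only one in this stretch of what appears to be the per-operator operand-count table without an operator annotation, so a reader cannot tell from the hunk which operator now requires one operand or why; add a `/* ... */` comment in the style of the neighbouring `hsbw`, `seac` and `sbw` entries and state the reason for the raised count in the commit message.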
@@ -2041,6 +2041,9 @@
            if ( Rand >= 0x8000L )
              Rand++;

+            if ( args - stack >= CFF_MAX_OPERANDS )
+                goto Stack_Overflow;
+			  
            args[0] = Rand;
            seed    = FT_MulFix( seed, 0x10000L - seed );
            if ( seed == 0 )
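Review bot: the added blank line after `goto Stack_Overflow;` carries trailing tabs and spaces and mixes tabs into space-indented code; strip it. The bound itself is right for this store: `args[0]` lands at index `args - stack`, so rejecting `args - stack >= CFF_MAX_OPERANDS` before `args[0] = Rand` keeps the write inside the operand array, and it matches the `args + 1 - stack` form used in the `dup` hunk where `args[1]` is written.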
@@ -2166,6 +2169,9 @@
        case cff_op_dup:
          FT_TRACE4(( " dup\n" ));

+          if ( args + 1 - stack >= CFF_MAX_OPERANDS )
+            goto Stack_Overflow;
+                
          args[1] = args[0];
          args += 2;
          break;
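Review bot: the added blank line after `goto Stack_Overflow;` carries trailing whitespace; remove it. The check is placed correctly, ahead of both `args[1] = args[0]` and `args += 2`, and `args + 1 - stack >= CFF_MAX_OPERANDS` is the right bound because `args[1]` is the highest slot this operator writes; the read of `args[0]` needs no extra check here provided the per-operator operand count (the table in the first hunk) has already guaranteed one operand for `dup` before this case is reached.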