Malformed CFF Vulnerability

The Malformed CFF Vulnerability, along with the IOSurface Kernel Exploit, was used in Star/JailbreakMe 2.0. It is a stack-based buffer overflow in FreeType's handling of CFF opcodes: the charstring interpreter wrote operands onto its fixed-size operand stack without checking the bound (see the patch below). Contrary to popular belief, it is not a vulnerability within the PDF parser, although the malformed font was placed in a PDF for exploitation.

Credit

 * comex

Exploit

diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c --- freetype-2.4.1/src/cff/cffgload.c	2010-07-15 09:26:45.000000000 -0700 @@ -204,7 +204,7 @@    2, /* hsbw */ 0,    0, -    0, +    1,     5, /* seac */ 4, /* sbw */ 2 /* setcurrentpoint */ @@ -2041,6 +2041,9 @@            if ( Rand >= 0x8000L ) Rand++; +           if ( args - stack >= CFF_MAX_OPERANDS ) +               goto Stack_Overflow; +			              args[0] = Rand; seed   = FT_MulFix( seed, 0x10000L - seed ); if ( seed == 0 ) @@ -2166,6 +2169,9 @@        case cff_op_dup: FT_TRACE4(( " dup\n" )); +         if ( args + 1 - stack >= CFF_MAX_OPERANDS ) +           goto Stack_Overflow; +                          args[1] = args[0]; args += 2; break;
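Review bot: in the first hunk (@@ -204,7 +204,7 @@) the table entry raised from 0 to 1 is the only changed line in the patch with no comment naming its operator, while its neighbours are labelled (`/* hsbw */`, `/* seac */`, `/* sbw */`). The table evidently holds per-operator argument counts that the interpreter consults before dispatching, so a reader cannot tell from the hunk which operator now requires one operand or what the old value of 0 allowed; add an operator comment on the `1,` line as its neighbours have, and state in the commit message how this count change relates to the two bounds checks added in the later hunks.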
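Review bot: in the second hunk (@@ -2041,6 +2041,9 @@) the third added line is whitespace only (a `+` followed by tabs), which introduces trailing whitespace into an otherwise space-indented file; make it an empty added line. The guard itself is placed correctly, before `args[0] = Rand;`, and `args - stack >= CFF_MAX_OPERANDS` rejects exactly the case where `args` already points one past the end of `stack`, so the single slot written by the random operator stays inside the operand array.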
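Review bot: in the third hunk (@@ -2166,6 +2169,9 @@) the test `args + 1 - stack >= CFF_MAX_OPERANDS` is right for dup, which writes `args[1]` and then advances `args += 2`, but it is the random-operator guard with a different offset written out by hand; consider one shared check that takes the number of slots about to be written, so that other operators which push results do not each need to repeat the arithmetic. As in the previous hunk, the blank `+` line carries trailing whitespace and should be an empty added line.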