Malformed CFF Vulnerability

From The Apple Wiki
Also known as: PDF CFF Font Stack Overflow

Vulnerability in FreeType

Software
Vulnerable versions:
  • iOS 3.1.2 - 4.0.1 (iPhone/iPod touch)
  • iOS 3.2 - 3.2.1 (iPad)
  • iPod nano (6th and 7th generation) Software
Fixed in version:
  • iOS 4.0.2 (iPhone/iPod touch)
  • iOS 3.2.2 (iPad)
Disclosed: 1 August 2010
Discovered by: comex
CVE: CVE-2010-1797
Apple KB:


The Malformed CFF Vulnerability, along with the IOSurface Kernel Exploit, was used in Star/JailbreakMe 2.0. It is a stack overflow in FreeType's CFF charstring interpreter (src/cff/cffgload.c): operators that push a result onto the charstring operand stack did so without checking the stack pointer against CFF_MAX_OPERANDS, so a crafted charstring can write past the end of the decoder's operand array. Contrary to popular belief, it is not a vulnerability in the PDF parser; the malformed font was simply embedded in a PDF as the delivery vehicle.
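The overflow just described, as an added example that is neither FreeType's code nor this page's own: a small C model of the charstring operand stack, run over a constructed charstring of one number followed by repeated dup or random operators, with a canary region standing in for whatever sits after the decoder's stack array in memory. The names decoder_t, push_result, run_charstring and exercise are the example's own, the operator encodings assume the Type 2 charstring format (12 27 = dup, 12 23 = random, 14 = endchar), and MAX_OPERANDS = 48 mirrors CFF_MAX_OPERANDS. With hardened = 0 the pushing operators are unchecked, as in FreeType 2.4.1; with hardened = 1 they apply the same `>= CFF_MAX_OPERANDS` bound that the patch in the Fix section adds in pointer form.

```c
/* Added example, not FreeType code: a model of the CFF charstring operand
 * stack in FreeType 2.4.1's cffgload.c and of the overflow closed by the
 * patch in the Fix section. Assumed: Type 2 charstring encoding (32..246
 * one-byte number, 14 endchar, 12 27 dup, 12 23 random) and MAX_OPERANDS
 * mirroring CFF_MAX_OPERANDS; the canary words are a constructed stand-in. */
#include <limits.h>
#include <stdint.h>
#include <string.h>

#define MAX_OPERANDS ((size_t)48)        /* CFF_MAX_OPERANDS */
#define STACK_SLOTS  (MAX_OPERANDS + 1)  /* FreeType's stack[CFF_MAX_OPERANDS + 1] */
#define CANARY_WORDS 16
#define CANARY_VALUE LONG_MIN            /* no operand or random result equals this */

enum { CS_OK = 0, CS_STACK_OVERFLOW, CS_STACK_UNDERFLOW, CS_BAD_OP, CS_SIM_ABORT };

/* One flat buffer: an unchecked write past the operand stack lands in the
 * canary words, still inside this object, so the simulation stays memory-safe.
 * sp plays the role of args - stack. */
typedef struct { long mem[STACK_SLOTS + CANARY_WORDS]; size_t sp; } decoder_t;

static void decoder_init(decoder_t *d)
{
    memset(d, 0, sizeof *d);
    for (size_t i = STACK_SLOTS; i < STACK_SLOTS + CANARY_WORDS; i++)
        d->mem[i] = CANARY_VALUE;
}

/* Number of canary words overwritten; 0 means every write stayed in bounds. */
static int canary_clobbered(const decoder_t *d)
{
    int n = 0;
    for (size_t i = STACK_SLOTS; i < STACK_SLOTS + CANARY_WORDS; i++)
        n += d->mem[i] != CANARY_VALUE;
    return n;
}

/* Push a result as dup and random do: unchecked when hardened == 0 (the 2.4.1
 * behaviour), with the patch's `>= CFF_MAX_OPERANDS` test when hardened == 1. */
static int push_result(decoder_t *d, long v, int hardened)
{
    if (hardened && d->sp >= MAX_OPERANDS) return CS_STACK_OVERFLOW;
    if (d->sp >= STACK_SLOTS + CANARY_WORDS) return CS_SIM_ABORT; /* simulation-only guard */
    d->mem[d->sp++] = v;
    return CS_OK;
}

/* Interpret a charstring. Plain numbers are bounds-checked in both modes; the
 * bug was in operators that push a computed result. */
static int run_charstring(decoder_t *d, const uint8_t *cs, size_t len, int hardened)
{
    uint32_t seed = 0x1234;              /* stand-in for the decoder's random seed */
    size_t   i = 0;
    int      rc = CS_OK;
    while (i < len) {
        uint8_t b = cs[i++];
        if (b >= 32 && b <= 246) {       /* one-byte number, value b - 139 */
            if (d->sp >= MAX_OPERANDS) return CS_STACK_OVERFLOW;
            d->mem[d->sp++] = (long)b - 139;
            continue;
        }
        if (b == 14) return CS_OK;       /* endchar */
        if (b != 12 || i >= len) return CS_BAD_OP;
        switch (cs[i++]) {               /* escaped operator */
        case 27:                         /* dup: copy the top operand */
            if (d->sp < 1) return CS_STACK_UNDERFLOW;
            rc = push_result(d, d->mem[d->sp - 1], hardened);
            break;
        case 23:                         /* random: push a pseudo-random value */
            rc = push_result(d, (long)(seed & 0x7fffffffu), hardened);
            seed = seed * 1103515245u + 12345u;   /* plain LCG, not FreeType's */
            break;
        default:
            return CS_BAD_OP;
        }
        if (rc != CS_OK) return rc;
    }
    return CS_OK;
}

typedef struct { int rc; int clobbered; size_t depth; } run_result_t;
/* Build a constructed attacker charstring (push 7, then n copies of escaped
 * operator op: 27 = dup or 23 = random, then endchar) and run it. */
static run_result_t exercise(int hardened, uint8_t op, int n)
{
    uint8_t cs[2 * 64 + 2];
    decoder_t d;
    run_result_t r = { CS_BAD_OP, 0, 0 };
    size_t k = 0;
    if (n < 0 || n > 64) return r;       /* keep the constructed string in cs[] */
    cs[k++] = 139 + 7;                   /* push 7 */
    for (int j = 0; j < n; j++) { cs[k++] = 12; cs[k++] = op; }
    cs[k++] = 14;                        /* endchar */
    decoder_init(&d);
    r.rc = run_charstring(&d, cs, k, hardened);
    r.clobbered = canary_clobbered(&d);
    r.depth = d.sp;
    return r;
}
```

With one number followed by 60 dup operators, the unchecked model returns success and reports 12 canary words overwritten; the checked model refuses the push that would create a 49th operand, returns CS_STACK_OVERFLOW and leaves the canary intact. The pointer arithmetic in the real patch (`args - stack` for random, `args + 1 - stack` for dup) is the same comparison against the index about to be written.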

On 31 December 2023, the freemyipod project announced the successful use of this vulnerability to achieve unsigned code execution on the iPod nano (6th and 7th generation) for the first time. A proof-of-concept exploit was released on GitHub as ipod_sun.

Fix

The following patch was used to fix the bug:

diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c
--- freetype-2.4.1/src/cff/cffgload.c	2010-07-15 09:26:45.000000000 -0700
@@ -204,7 +204,7 @@
    2, /* hsbw */
    0,
    0,
-    0,
+    1,
    5, /* seac */
    4, /* sbw */
    2  /* setcurrentpoint */
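Review bot: the `+    1,` entry in the operand-count table carries no operator comment, unlike its neighbours `2, /* hsbw */` and `5, /* seac */`, so nobody reading this hunk can tell which operator now requires one operand or how that relates to the overflow; name it on the `+` line and explain the change in the commit message. Separately, the file header above this hunk has only the `---` line for freetype-2.4.1/src/cff/cffgload.c and no `+++` line for the patched file, so the patch as quoted here will not apply with patch(1); the `+++` line needs restoring.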
@@ -2041,6 +2041,9 @@
            if ( Rand >= 0x8000L )
              Rand++;

+            if ( args - stack >= CFF_MAX_OPERANDS )
+                goto Stack_Overflow;
+			  
            args[0] = Rand;
            seed    = FT_MulFix( seed, 0x10000L - seed );
            if ( seed == 0 )
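Review bot: the third added line (a `+` followed only by tabs and spaces) is a whitespace-only line that should be dropped, and `goto Stack_Overflow;` is indented four spaces past its `if` where the dup hunk uses two; match the file's two-space continuation style. The placement of the check itself is right: it runs before `args[0] = Rand;`, so the write is refused once `args - stack` reaches CFF_MAX_OPERANDS.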
@@ -2166,6 +2169,9 @@
        case cff_op_dup:
          FT_TRACE4(( " dup\n" ));

+          if ( args + 1 - stack >= CFF_MAX_OPERANDS )
+            goto Stack_Overflow;
+                
          args[1] = args[0];
          args += 2;
          break;
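Review bot: the same whitespace-only `+` line appears after `goto Stack_Overflow;` here; remove it. The bound is `args + 1 - stack` rather than the `args - stack` used for random because this case writes `args[1]` and then does `args += 2`, so it is the index of `args[1]` that must stay below CFF_MAX_OPERANDS; a one-line comment saying so would stop a later reader from "correcting" the apparent off-by-one between the two hunks.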