Microsoft Windows - 'USP10!NextCharInLiga' Uniscribe Font Processing Out-of-Bounds Memory Read

EDB-ID: 42238
Author: Google Security Research
Published: 2017-06-23
CVE: CVE-2017-0286
Type: Dos
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

  
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!NextCharInLiga function, while trying to display text using a corrupted TTF font file:

---
(3d4.454): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000032c3 ebx=002cedbc ecx=00000002 edx=0372c060 esi=00000006 edi=00006586
eip=77505a5e esp=002ce974 ebp=002ce980 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
USP10!NextCharInLiga+0x1e:
77505a5e 0fb73c17 movzx edi,word ptr [edi+edx] ds:0023:037325e6=????
0:000> kb
# ChildEBP RetAddr Args to Child
00 002ce980 774ffbe3 002cedbc 000032c3 00000008 USP10!NextCharInLiga+0x1e
01 002ce99c 77506148 002cedbc 002cedb0 00000006 USP10!CharToComponent+0x43
02 002ce9c8 775062bb 002cedbc 002cedb0 00000009 USP10!findBaseLigature+0xa8
03 002cea0c 77501733 002cedbc 0374cd30 002cecbc USP10!otlMkLigaPosLookup::apply+0x9b
04 002cea78 775039f1 00000000 002cedbc 002cedb0 USP10!ApplyLookup+0x4b3
05 002cec7c 774ff1d1 534f5047 002cedf4 002cedbc USP10!ApplyFeatures+0x481
06 002cecc8 774fb28b 03758ffc 03758d68 002cedf4 USP10!RePositionOtlGlyphs+0x1c1
07 002cecfc 774f7df3 002ced94 002cede0 002cedf4 USP10!ShapingLibraryInternal::RePositionOtlGlyphsWithLanguageFallback+0x2b
08 002cef68 774e5bee 002cf0b8 002cf0c0 002cf0a4 USP10!GenericEngineGetGlyphPositions+0x8a3
09 002cf03c 774e2d8a 002cf0b8 002cf0c0 002cf0a4 USP10!ShapingGetGlyphPositions+0x40e
0a 002cf134 774b5e45 000105d3 03726124 0372c020 USP10!ShlPlace+0x20a
0b 002cf17c 774c193d 000105d3 03726124 037263dc USP10!ScriptPlace+0x165
0c 002cf1d8 774c2bd4 00000000 00000000 002cf258 USP10!RenderItemNoFallback+0x2ed
0d 002cf204 774c2e62 00000000 00000000 002cf258 USP10!RenderItemWithFallback+0x104
0e 002cf228 774c43f9 00000000 002cf258 03726124 USP10!RenderItem+0x22
0f 002cf26c 774b7a04 000004a0 00000400 000105d3 USP10!ScriptStringAnalyzeGlyphs+0x1e9
10 002cf284 760a1736 000105d3 03726040 0000000a USP10!ScriptStringAnalyse+0x284
11 002cf2d0 760a18c1 000105d3 002cf754 0000000a LPK!LpkStringAnalyse+0xe5
12 002cf3cc 760a17b4 000105d3 00000000 00000000 LPK!LpkCharsetDraw+0x332
13 002cf400 77df56a9 000105d3 00000000 00000000 LPK!LpkDrawTextEx+0x40
14 002cf440 77df5a64 000105d3 00000120 00000000 USER32!DT_DrawStr+0x13c
15 002cf48c 77df580f 000105d3 002cf754 002cf768 USER32!DT_GetLineBreak+0x78
16 002cf538 77df5882 000105d3 00000000 0000000a USER32!DrawTextExWorker+0x250
17 002cf55c 77df5b68 000105d3 002cf754 ffffffff USER32!DrawTextExW+0x1e
[...]
---

The issue reproduces on Windows 7, and could be potentially used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached are 3 proof of concept malformed font files which trigger the crash.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42238.zip

Related Posts