Microsoft Windows - 'USP10!otlSinglePosLookup::getCoverageTable' Uniscribe Font Processing Out-of-Bounds Memory Read

EDB-ID: 42239
Author: Google Security Research
Published: 2017-06-23
CVE: CVE-2017-0287
Type: DoS
Platform: Windows

  
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlSinglePosLookup::getCoverageTable function, while trying to display text using a corrupted TTF font file:

---
(7f0.488): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03670ffe ebx=0365c048 ecx=03671000 edx=03671000 esi=03671000 edi=0024e9d4
eip=77500808 esp=0024e918 ebp=0024e918 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
USP10!otlSinglePosLookup::getCoverageTable+0x48:
77500808 668b4802 mov cx,word ptr [eax+2] ds:0023:03671000=????
0:000> kb
# ChildEBP RetAddr Args to Child
00 0024e918 77502c4b 0024e9d4 03671000 03671000 USP10!otlSinglePosLookup::getCoverageTable+0x48
01 0024e964 77504860 03670ffe 534f5047 00000001 USP10!GetSubtableCoverage+0xab
02 0024ea10 77504c29 534f5047 0367f132 00003ece USP10!BuildTableCache+0x240
03 0024ea48 774fed73 0024ea6c 00004000 0367f000 USP10!BuildCache+0x79
04 0024ea74 774e4fec 0024eaa0 00004000 0024eb44 USP10!BuildOtlCache+0x53
05 0024ecc0 774bd37b 0024edb8 0024ed48 0024ecd8 USP10!ShapingCreateFontCacheData+0x4cc
06 0024edc0 774bd8ef 03663e20 0024f148 00000004 USP10!ShlLoadFont+0x6b
07 0024f02c 774b9317 3c0102ac 0024f0b8 00000000 USP10!LoadFont+0x54f
08 0024f048 774b9630 3c0102ac 0024f070 7750d468 USP10!FindOrCreateFaceCache+0xe7
09 0024f150 774b99bb 3c0102ac 03656124 3c0102ac USP10!FindOrCreateSizeCacheWithoutRealizationID+0xf0
0a 0024f178 774ba528 3c0102ac 03656124 03656124 USP10!FindOrCreateSizeCacheUsingRealizationID+0xbb
0b 0024f19c 774ba692 03656124 3c0102ac 03656000 USP10!UpdateCache+0x38
0c 0024f1b0 774b7918 3c0102ac 000004a0 00000400 USP10!ScriptCheckCache+0x62
0d 0024f1cc 760a1736 3c0102ac 03656040 00000001 USP10!ScriptStringAnalyse+0x198
0e 0024f218 760a18c1 3c0102ac 0024f69e 00000001 LPK!LpkStringAnalyse+0xe5
0f 0024f314 760a17b4 3c0102ac 00000000 00000000 LPK!LpkCharsetDraw+0x332
10 0024f348 77df56a9 3c0102ac 00000000 00000000 LPK!LpkDrawTextEx+0x40
11 0024f388 77df5a64 3c0102ac 00000048 00000000 USER32!DT_DrawStr+0x13c
12 0024f3d4 77df580f 3c0102ac 0024f69e 0024f6a0 USER32!DT_GetLineBreak+0x78
13 0024f480 77df5882 3c0102ac 00000000 00000009 USER32!DrawTextExWorker+0x250
14 0024f4a4 77df5b68 3c0102ac 0024f69c ffffffff USER32!DrawTextExW+0x1e
[...]

0:000> !heap -p -a eax
address 03670ffe found in
_DPH_HEAP_ROOT @ 3651000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
3651d98: 3670c40 3c0 - 3670000 2000
73388e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77d26206 ntdll!RtlDebugAllocateHeap+0x00000030
77cea127 ntdll!RtlpAllocateHeap+0x000000c4
77cb5950 ntdll!RtlAllocateHeap+0x0000023a
72e0ae6a vrfcore!VfCoreRtlAllocateHeap+0x0000002a
774c6724 USP10!UspAllocCache+0x00000054
774bad00 USP10!GetOtlTables+0x000000d0
774d777f USP10!CheckUpdateFontDescriptor+0x0000002f
774bd8e2 USP10!LoadFont+0x00000542
774b9317 USP10!FindOrCreateFaceCache+0x000000e7
774b9630 USP10!FindOrCreateSizeCacheWithoutRealizationID+0x000000f0
774b99bb USP10!FindOrCreateSizeCacheUsingRealizationID+0x000000bb
774ba528 USP10!UpdateCache+0x00000038
774ba692 USP10!ScriptCheckCache+0x00000062
774b7918 USP10!ScriptStringAnalyse+0x00000198
760a1736 LPK!LpkStringAnalyse+0x000000e5
760a18c1 LPK!LpkCharsetDraw+0x00000332
760a17b4 LPK!LpkDrawTextEx+0x00000040
77df56a9 USER32!DT_DrawStr+0x0000013c
77df5a64 USER32!DT_GetLineBreak+0x00000078
77df580f USER32!DrawTextExWorker+0x00000250
77df5882 USER32!DrawTextExW+0x0000001e
77df5b68 USER32!DrawTextW+0x0000004d
[...]
---

The issue reproduces on Windows 7, and could potentially be used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached are 3 proof of concept malformed font files which trigger the crash.
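In the log above, the faulting instruction is a 16-bit load from `eax+2` = `0x03671000`, which is the first byte past the `0x3c0`-byte allocation at `0x3670c40`. The following C is an added example, not part of the original advisory and not Uniscribe's code: it shows the bounds checks a parser needs before reading the `+2` fields of a GPOS SinglePos subtable and its Coverage table. The names `rd16` and `checked_coverage` and the sample bytes are constructed for illustration, and the field layout is assumed from the OpenType specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian uint16 at off; fail if either byte lies outside buf[0..len). */
static int rd16(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return 0;
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 1;
}

/*
 * Validate the Coverage table referenced by the SinglePos subtable at offset
 * `subtable` inside a GPOS table of `len` bytes (hypothetical helper).
 * Returns the Coverage table offset, or -1 if any field would be read out of bounds.
 */
long checked_coverage(const uint8_t *tbl, size_t len, size_t subtable)
{
    uint16_t cov_off, fmt, count;
    size_t cov, need;

    /* SinglePos: posFormat at +0, coverageOffset at +2. */
    if (subtable > len || !rd16(tbl, len, subtable + 2, &cov_off))
        return -1;
    cov = subtable + cov_off;
    /* Coverage: coverageFormat at +0, glyphCount or rangeCount at +2. */
    if (!rd16(tbl, len, cov, &fmt) || !rd16(tbl, len, cov + 2, &count))
        return -1;
    if (fmt == 1)
        need = 4 + (size_t)count * 2;   /* glyphArray[glyphCount] */
    else if (fmt == 2)
        need = 4 + (size_t)count * 6;   /* rangeRecords[rangeCount] */
    else
        return -1;
    return (len - cov >= need) ? (long)cov : -1;
}

int main(void)
{
    /* Constructed sample: SinglePos format 1, Coverage format 1 with one glyph. */
    static const uint8_t tbl[12] = {0,1, 0,6, 0,0,  0,1, 0,1, 0,5};
    printf("whole table: %ld\n", checked_coverage(tbl, sizeof tbl, 0));
    /* Subtable placed two bytes before the end: the +2 read is rejected. */
    printf("at len-2:    %ld\n", checked_coverage(tbl, sizeof tbl, 10));
    return 0;
}
```

The second call mirrors the geometry in the crash log: a structure pointer two bytes before the end of the buffer, where a read at `+2` would land exactly one byte past the allocation.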


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42239.zip
