oss-sec mailing list archives

CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0


From: Alex Murray <alex.murray () canonical com>
Date: Fri, 08 Nov 2019 23:23:35 +1030

CVE-2019-18397 - GNU FriBidi stack buffer overflow >= 1.0.0
-----------------------------------------------------------

Overview:
 A stack buffer overflow in the fribidi_get_par_embedding_levels_ex()
 function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7
 allows an attacker to cause a denial of service or possibly execute
 arbitrary code by delivering crafted text content to a user, when this
 content is then rendered by an application that uses FriBidi for text
 layout calculations. Examples include any GNOME or GTK+ based
 application that uses Pango for text rendering, as this internally uses
 FriBidi for bidirectional text layout. For example, the attacker can
 construct a crafted text file to be opened in GEdit, a crafted IRC
 message to be viewed in HexChat or a crafted email to be viewed in
 Evolution.

Detailed analysis:
 The function fribidi_get_par_embedding_levels_ex()
 in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 contains a
 fixed size buffer base_level_per_iso_level which is used to accumulate
 the current isolate level while calculating the bi-directional
 embedding levels of the requested text paragraph.

 ...
 FriBidiLevel base_level_per_iso_level[FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL];
 ...

 When accumulating into this buffer, the index is incremented without
 any check against the buffer length, resulting in a stack buffer
 overflow when processing more than FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL
 elements.

 ...
          RL_ISOLATE_LEVEL (pp) = isolate_level++;
          base_level_per_iso_level[isolate_level] = new_level;
 ...

 This is fixed by checking the current value of isolate_level against
 the size of base_level_per_iso_level
 (i.e. FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL) so that it is only incremented
 when the subsequent write will still fall within the bounds of the
 array.
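
 The following is an added example, not code from FriBidi or from this
 advisory: a reduced C model of the isolate-level bookkeeping described
 above, with the 1.0.0 to 1.0.7 behaviour (post-increment, then write at
 the incremented index) beside the bounded form the fix applies. Instead
 of corrupting its own stack, the unchecked path counts each write that
 would land past the array. Assumptions: the constant is 125 as in
 FriBidi 1.0.x, the level arithmetic is reduced to UAX #9's
 next-odd/next-even rule for RLI/LRI, the array's slot 0 holds the
 paragraph level, and the fix is modelled as "advance isolate_level only
 while the write after it stays in bounds". The sample input is
 constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: value of FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL in FriBidi 1.0.x
 * (UAX #9 max_depth). */
#define MAX_EXPLICIT_LEVEL 125

/* Unicode bidi isolate format characters. */
#define LRI 0x2066u
#define RLI 0x2067u
#define PDI 0x2069u

struct iso_state {
    int level;                                       /* current embedding level */
    int isolate_level;                               /* index into the array below */
    uint8_t base_level_per_iso_level[MAX_EXPLICIT_LEVEL];
    int oob_writes;                                  /* writes the unchecked code would make past the array */
};

/* Level an isolate initiator opens at: least greater odd (RLI) or even (LRI). */
static int next_level(int level, int rtl)
{
    return rtl ? ((level + 1) | 1) : ((level + 2) & ~1);
}

/* Push one isolate initiator.  hardened == 0 mirrors FriBidi 1.0.0-1.0.7:
 * isolate_level++ and then a write at the incremented index with no bound
 * check.  hardened != 0 mirrors the fix: advance isolate_level only while the
 * write that follows stays inside the array. */
static void push_isolate(struct iso_state *s, int rtl, int hardened)
{
    int new_level = next_level(s->level, rtl);
    int idx;

    if (new_level > MAX_EXPLICIT_LEVEL)
        return;                          /* overflow isolate: nothing is pushed */

    if (hardened) {
        if (s->isolate_level < MAX_EXPLICIT_LEVEL - 1)
            s->isolate_level++;
        idx = s->isolate_level;
    } else {
        idx = ++s->isolate_level;        /* index with the already incremented value */
    }

    if (idx < MAX_EXPLICIT_LEVEL)
        s->base_level_per_iso_level[idx] = (uint8_t)new_level;
    else
        s->oob_writes++;                 /* the original code performs this write: stack overflow */
    s->level = new_level;
}

/* Pop one isolate (PDI): fall back to the level recorded for the enclosing isolate. */
static void pop_isolate(struct iso_state *s)
{
    if (s->isolate_level > 0) {
        s->isolate_level--;
        s->level = s->base_level_per_iso_level[s->isolate_level];
    }
}

/* Run a code-point sequence through the model.  Returns how many writes would
 * have landed outside base_level_per_iso_level (0 means the input is safe). */
int count_oob_writes(const uint32_t *text, size_t n, int hardened)
{
    struct iso_state s;
    memset(&s, 0, sizeof s);             /* slot 0 = paragraph level 0 */
    for (size_t i = 0; i < n; i++) {
        switch (text[i]) {
        case RLI: push_isolate(&s, 1, hardened); break;
        case LRI: push_isolate(&s, 0, hardened); break;
        case PDI: pop_isolate(&s);               break;
        default:  break;                 /* ordinary text does not touch the isolate stack */
        }
    }
    return s.oob_writes;
}

/* Constructed sample input: `depth` alternating RLI/LRI initiators, each
 * raising the level by exactly one, followed by a letter.  buf needs depth+1 slots. */
size_t make_nested_isolates(uint32_t *buf, size_t depth)
{
    size_t i;
    for (i = 0; i < depth; i++)
        buf[i] = (i & 1) ? LRI : RLI;
    buf[i++] = 'A';
    return i;
}

int main(void)
{
    static uint32_t buf[256];
    size_t n = make_nested_isolates(buf, MAX_EXPLICIT_LEVEL + 10);
    printf("unchecked: %d out-of-bounds write(s)\n", count_oob_writes(buf, n, 0));
    printf("hardened:  %d out-of-bounds write(s)\n", count_oob_writes(buf, n, 1));
    return 0;
}
```

 With 124 nested isolates both variants stay in bounds; the 125th
 initiator is still accepted by the level check (125 <= max) but the
 post-increment makes the unchecked write land at index 125 of a
 125-element array. Any deeper nesting is rejected as an overflow
 isolate, so the unchecked model reports exactly one bad write however
 long the input is.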

Affected Versions:
 From 1.0.0 to 1.0.7 (no official upstream release containing the fix
 has been made yet)

References:
 https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568

CRD:
 2019-11-07 17:00 UTC

Credit:
 Alex Murray of the Ubuntu Security Team
