oss-sec mailing list archives
CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0
From: Alex Murray <alex.murray () canonical com>
Date: Fri, 08 Nov 2019 23:23:35 +1030
CVE-2019-18397 - GNU FriBidi stack buffer overflow >= 1.0.0
-----------------------------------------------------------

Overview:

A stack buffer overflow in the fribidi_get_par_embedding_levels_ex()
function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 allows
an attacker to cause a denial of service or possibly execute arbitrary code
by delivering crafted text content to a user, when this content is then
rendered by an application that uses FriBidi for text layout calculations.
Examples include any GNOME or GTK+ based application that uses Pango for
text rendering, as this internally uses FriBidi for bidirectional text
layout. For example, the attacker can construct a crafted text file to be
opened in GEdit, a crafted IRC message to be viewed in HexChat or a crafted
email to be viewed in Evolution.

Detailed analysis:

The function fribidi_get_par_embedding_levels_ex() in lib/fribidi-bidi.c of
GNU FriBidi 1.0.0 through 1.0.7 contains a fixed-size buffer
base_level_per_iso_level which is used to accumulate the current isolate
level while calculating the bi-directional embedding levels of the
requested text paragraph.

  ...
  FriBidiLevel base_level_per_iso_level[FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL];
  ...

When accumulating into this buffer, the index is incremented without any
check for overflow of the buffer length, resulting in a stack buffer
overflow when processing more than FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL
elements.

  ...
  RL_ISOLATE_LEVEL (pp) = isolate_level++;
  base_level_per_iso_level[isolate_level] = new_level;
  ...

This is fixed by checking the current value of isolate_level against the
size of base_level_per_iso_level (i.e. FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL) to
ensure this is only incremented when it will not subsequently overflow the
bounds of the array.

Affected Versions:

From 1.0.0 to 1.0.7 (no official upstream release has been made containing
the fix)

References:

https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568

CRD: 2019-11-07 17:00 UTC

Credit: Alex Murray of the Ubuntu Security Team
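The unchecked increment and the bounds check described above, as an added C example that is not FriBidi's source or the upstream patch: a constructed model of the isolate-level stack with the check applied before the store. The macro name is FriBidi's; its value (125) is assumed from upstream headers and is not stated in this post.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the isolate-level bookkeeping in
 * fribidi_get_par_embedding_levels_ex(). Example code for this post, not
 * FriBidi's own source. The macro value is assumed (125 upstream). */
#define FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL 125
typedef signed char FriBidiLevel;

typedef struct {
    FriBidiLevel base_level_per_iso_level[FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL];
    int isolate_level;   /* index of the innermost open isolate */
} IsolateState;

static void isolate_state_init(IsolateState *st, FriBidiLevel base_level)
{
    memset(st, 0, sizeof *st);
    /* Model convention: slot 0 holds the paragraph's own level. */
    st->base_level_per_iso_level[0] = base_level;
}

/* Hardened form of the two lines quoted in the advisory. The original did
 *     isolate_level++; base_level_per_iso_level[isolate_level] = new_level;
 * unconditionally, so deep enough isolate nesting wrote past the end of
 * the array. Here the store happens only when the post-increment index is
 * still inside the buffer; otherwise the initiator is refused and the
 * caller can treat it as ignored. */
static bool push_isolate_level(IsolateState *st, FriBidiLevel new_level)
{
    if (st->isolate_level + 1 >= FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL)
        return false;                       /* would index out of bounds */
    st->isolate_level++;
    st->base_level_per_iso_level[st->isolate_level] = new_level;
    return true;
}

/* Feed n consecutive isolate initiators (the nesting shape the advisory
 * describes) and return how many the checked version accepted. The count
 * saturates at FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL - 1, the last valid slot. */
static int count_accepted_isolates(int n)
{
    IsolateState st;
    int accepted = 0;
    isolate_state_init(&st, 0);
    for (int i = 0; i < n; i++)
        if (push_isolate_level(&st, (FriBidiLevel)(i % 2 + 1)))
            accepted++;
    return accepted;
}
```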