'[oss-security] CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0
From:       Alex Murray <alex.murray () canonical ! com>
Date:       2019-11-08 13:05:35
Message-ID: 87zhh6a5rk.fsf () canonical ! com
[Download RAW message or body]

CVE-2019-18397 - GNU FriBidi stack buffer overflow >= 1.0.0
-----------------------------------------------------------

Overview:
 A stack buffer overflow in the fribidi_get_par_embedding_levels_ex()
 function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7
 allows an attacker to cause a denial of service or possibly execute
 arbitrary code by delivering crafted text content to a user, when this
 content is then rendered by an application that uses FriBidi for text
 layout calculations. Examples include any GNOME or GTK+ based
 application that uses Pango for text rendering, as this internally uses
 FriBidi for bidirectional text layout. For example, the attacker can
 construct a crafted text file to be opened in GEdit, a crafted IRC
 message to be viewed in HexChat or a crafted email to be viewed in
 Evolution.

Detailed analysis:
 The function fribidi_get_par_embedding_levels_ex()
 in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 contains a
 fixed size buffer base_level_per_iso_level which is used to accumulate
 the current isolate level while calculating the bi-directional
 embedding levels of the requested text paragraph.

 ...
 FriBidiLevel base_level_per_iso_level[FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL];
 ...

 When accumulating into this buffer, the index is incremented without
 any check for overflow of the buffer length, resulting in a stack
 buffer overflow when processing more then
 FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL elements.

 ...
          RL_ISOLATE_LEVEL (pp) = isolate_level++;
          base_level_per_iso_level[isolate_level] = new_level;
 ...

 This is fixed by checking the current value of isolate_level against
 the size of base_level_per_iso_level
 (ie. FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL) to ensure this is only
 incremented when it will not subsequently overflow the bounds of the
 array.

Affected Versions:
 From 1.0.0 to 1.0.7 (no official upstream release has been made
 containing the fix)

References:
 https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568

CRD:
 2019-11-07 17:00 UTC

Credit:
 Alex Murray of the Ubuntu Security Team

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic