Difference between revisions of "T1 Font Integer Overflow"

From The iPhone Wiki
Older revision (minor edit; summary: Ndrv setspec() Integer Overflow moved to DejaVu: A misunderstanding occurred.):

The Ndrv setspec() Integer Overflow also known as DejaVu [http://twitter.com/#!/comex/status/88208990789578752] is a vulnerability used [[Saffron]].

Newer revision (minor edit):

DejaVu [http://twitter.com/#!/comex/status/88208990789578752] is a vulnerability used [[Saffron]].

Unchanged context in both revisions:

== Description ==

Revision as of 01:21, 7 July 2011

DejaVu [1] is a vulnerability used in Saffron.

Description

The PDF bug used in Saffron is an integer-checking problem. While handling op_callothersubr, arg_cnt is declared as a signed integer and is read from decoder->stack, where the charstring bytes "fb ef" set it to 0xfea50000. Interpreted as a signed value this is negative, so it passes the stack check, which only tests the upper bound. The subsequent "top -= arg_cnt" then moves top to memory outside decoder->stack; in fact it lands on decoder->parse_callback.
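To make the bypass and its fix concrete, the following is an added example in C; it is neither FreeType's code nor from this wiki page. It models the charstring operand stack as a fixed array of 16.16 fixed-point values (which is why "fb ef", the two-byte Type 1 encoding of -347, shows up as 0xfea50000), assumes a 256-slot stack with parse_callback placed directly after it as the description states, and puts the flawed one-sided comparison next to a hardened check that also rejects negative counts. STACK_SLOTS, toy_decoder, t1_decode_number and callothersubr_check are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeType's code: a toy model of the Type 1 charstring
 * operand stack and the callothersubr argument-count check discussed above.
 * Operands are 16.16 fixed-point values; STACK_SLOTS and the field layout
 * are assumptions made for this model. */
#define STACK_SLOTS 256

typedef struct {
    int32_t stack[STACK_SLOTS];
    void  (*parse_callback)(void);  /* placed right after the stack, as the page describes */
} toy_decoder;

/* Decode the two-byte Type 1 number form (first byte 251..254):
 * value = -(v - 251) * 256 - w - 108, returned in 16.16 fixed point.
 * Returns 0 if the first byte is not in that range (0 is not encodable here,
 * since the smallest magnitude this form can express is 108). */
static int32_t t1_decode_number(uint8_t v, uint8_t w) {
    if (v < 251 || v > 254) return 0;
    int32_t value = -(int32_t)(v - 251) * 256 - (int32_t)w - 108;
    return value * 65536;   /* multiply rather than shift: shifting a negative is UB in C */
}

/* Model of the callothersubr prologue. d->stack[0..top_index-1] are live
 * operands; the last one is arg_cnt. Returns 1 if the check passes and stores
 * the index 'top' would land on, 0 if the operation is rejected. */
static int callothersubr_check(const toy_decoder *d, int top_index, int hardened, int *new_top_index) {
    if (top_index < 1 || top_index > STACK_SLOTS) return 0;   /* need at least arg_cnt itself */
    int top = top_index - 1;                                  /* pop arg_cnt */
    int arg_cnt = (int)(d->stack[top] / 65536);               /* 16.16 -> integer, sign preserved */

    if (hardened) {
        /* Fix: a negative count is never valid, so reject it before any pointer arithmetic */
        if (arg_cnt < 0 || arg_cnt > top) return 0;
    } else {
        /* Flawed pattern: only the upper bound is compared, so a negative arg_cnt passes */
        if (arg_cnt > top) return 0;
    }
    *new_top_index = top - arg_cnt;   /* the "top -= arg_cnt" step, as an index */
    return 1;
}

/* Does an index still refer to a position within the operand stack? */
static int index_within_stack(int idx) {
    return idx >= 0 && idx <= STACK_SLOTS;
}

/* Scenario 1 (constructed input): the page's "fb ef" pushed as arg_cnt with
 * nothing else on the stack. Returns the index top lands on, or -1 if rejected. */
static int fb_ef_outcome(int hardened) {
    toy_decoder d = {0};
    int new_top;
    d.stack[0] = t1_decode_number(0xfb, 0xef);
    return callothersubr_check(&d, 1, hardened, &new_top) ? new_top : -1;
}

/* Scenario 2 (constructed input): a well-formed call, two operands then arg_cnt = 2. */
static int legit_outcome(int hardened) {
    toy_decoder d = {0};
    int new_top;
    d.stack[0] = 10 * 65536;
    d.stack[1] = 20 * 65536;
    d.stack[2] = 2 * 65536;
    return callothersubr_check(&d, 3, hardened, &new_top) ? new_top : -1;
}

int main(void) {
    int32_t v = t1_decode_number(0xfb, 0xef);
    printf("fb ef decodes to %d (0x%08x in 16.16 fixed point)\n", v / 65536, (uint32_t)v);

    int unpatched = fb_ef_outcome(0);
    printf("unpatched check: top lands at slot %d, inside the stack: %s\n",
           unpatched, index_within_stack(unpatched) ? "yes" : "no");
    printf("hardened check: %s\n", fb_ef_outcome(1) < 0 ? "rejected" : "accepted");
    printf("well-formed call: unpatched top=%d, hardened top=%d\n", legit_outcome(0), legit_outcome(1));
    return 0;
}
```

The unpatched path accepts the negative count and computes a top index of 347, well past the 256-slot stack and therefore into whatever field follows it; the hardened path rejects the same input while still accepting the well-formed call. The fix is the lower-bound check, not a change to the stack layout.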

Sources: 1 2 3

Credit

comex