The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Malformed CFF Vulnerability"
(Made it more like the other exploit pages.) |
m (Added CVE) |
||
(6 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
− | + | The '''Malformed CFF Vulnerability''', along with the [[IOSurface Kernel Exploit]], was used in [[Star]]/[[JailbreakMe]] 2.0. It is a stack overflow in the handling of [[wikipedia:PostScript fonts#Compact Font Format|CFF]] opcodes. Contrary to popular belief, it is '''not''' a vulnerability within the PDF parser, although the malformed font was placed in a PDF for exploitation. |
|
== Credit == |
== Credit == |
||
− | [[User:Comex|comex]] |
+ | * [[User:Comex|comex]] |
+ | == Exploit == |
||
+ | diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c |
||
+ | --- freetype-2.4.1/src/cff/cffgload.c 2010-07-15 09:26:45.000000000 -0700 |
||
+ | @@ -204,7 +204,7 @@ |
||
+ | 2, /* hsbw */ |
||
+ | 0, |
||
+ | 0, |
||
+ | - 0, |
||
+ | + 1, |
||
+ | 5, /* seac */ |
||
+ | 4, /* sbw */ |
||
+ | 2 /* setcurrentpoint */ |
||
+ | @@ -2041,6 +2041,9 @@ |
||
+ | if ( Rand >= 0x8000L ) |
||
+ | Rand++; |
||
+ | |||
+ | + if ( args - stack >= CFF_MAX_OPERANDS ) |
||
+ | + goto Stack_Overflow; |
||
+ | + |
||
+ | args[0] = Rand; |
||
+ | seed = FT_MulFix( seed, 0x10000L - seed ); |
||
+ | if ( seed == 0 ) |
||
+ | @@ -2166,6 +2169,9 @@ |
||
+ | case cff_op_dup: |
||
+ | FT_TRACE4(( " dup\n" )); |
||
+ | |||
+ | + if ( args + 1 - stack >= CFF_MAX_OPERANDS ) |
||
+ | + goto Stack_Overflow; |
||
+ | + |
||
+ | args[1] = args[0]; |
||
+ | args += 2; |
||
+ | break; |
||
+ | == Sources == |
||
+ | *http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 |
||
[[Category:Exploits]] |
[[Category:Exploits]] |
Latest revision as of 20:17, 9 July 2011
The Malformed CFF Vulnerability, along with the IOSurface Kernel Exploit, was used in Star/JailbreakMe 2.0. It is a stack overflow in the handling of CFF opcodes. Contrary to popular belief, it is not a vulnerability within the PDF parser, although the malformed font was placed in a PDF for exploitation.
Credit
Exploit
diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c --- freetype-2.4.1/src/cff/cffgload.c 2010-07-15 09:26:45.000000000 -0700 @@ -204,7 +204,7 @@ 2, /* hsbw */ 0, 0, - 0, + 1, 5, /* seac */ 4, /* sbw */ 2 /* setcurrentpoint */ @@ -2041,6 +2041,9 @@ if ( Rand >= 0x8000L ) Rand++; + if ( args - stack >= CFF_MAX_OPERANDS ) + goto Stack_Overflow; + args[0] = Rand; seed = FT_MulFix( seed, 0x10000L - seed ); if ( seed == 0 ) @@ -2166,6 +2169,9 @@ case cff_op_dup: FT_TRACE4(( " dup\n" )); + if ( args + 1 - stack >= CFF_MAX_OPERANDS ) + goto Stack_Overflow; + args[1] = args[0]; args += 2; break;