The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Malformed CFF Vulnerability
This vulnerability, along with the IOSurface Kernel Exploit, was used in Star/JailbreakMe 2.0. It is a stack overflow in the handling of CFF opcodes. Contrary to popular belief, it is not a problem with the PDF parser, although the malformed font was placed in a PDF for exploitation.
Credit
exploit
diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c --- freetype-2.4.1/src/cff/cffgload.c 2010-07-15 09:26:45.000000000 -0700 @@ -204,7 +204,7 @@ 2, /* hsbw */ 0, 0, - 0, + 1, 5, /* seac */ 4, /* sbw */ 2 /* setcurrentpoint */ @@ -2041,6 +2041,9 @@ if ( Rand >= 0x8000L ) Rand++; + if ( args - stack >= CFF_MAX_OPERANDS ) + goto Stack_Overflow; + args[0] = Rand; seed = FT_MulFix( seed, 0x10000L - seed ); if ( seed == 0 ) @@ -2166,6 +2169,9 @@ case cff_op_dup: FT_TRACE4(( " dup\n" )); + if ( args + 1 - stack >= CFF_MAX_OPERANDS ) + goto Stack_Overflow; + args[1] = args[0]; args += 2; break;