T1 Font Integer Overflow

From The iPhone Wiki
Revision as of 19:13, 7 July 2011 by Dialexio (talk | contribs) (DejaVu moved to T1 Font Integer Overflow: It's a more proper vulnerability name.)
Jump to: navigation, search

The T1 Font Integer Overflow (A.K.A DejaVu as it is very similar to the Malformed CFF Vulnerability[1]) is a vulnerability used in Saffron.

Credit for Exploitation

Description

When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top -= arg_cnt" will make top point to data outside of decoder->stack. Actually it points to decoder->parse_callback.

This vulnerability was actually addressed by Apple in Template:Wp/Security Update 2011-004, but a fix was never pushed to iOS. Its CVE identifier is CVE-2011-0202.

Sources