The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

T1 Font Integer Overflow

From The iPhone Wiki
Revision as of 20:00, 9 October 2012 by 5urd (talk | contribs)
Jump to: navigation, search

The T1 Font Integer Overflow (a.k.a DejaVu as it is very similar to the Malformed CFF Vulnerability[1]) is a vulnerability used in Saffron.

Credit

Description

When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.

This vulnerability was actually addressed by Apple in Mac OS X v10.6.8 (Security Update 2011-004), but a fix was never pushed to iOS. (CVE-2011-0202).

When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).

External Links

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=T1_Font_Integer_Overflow&oldid=27100"