oss-sec
mailing list archives
CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0
From: Alex Murray <alex.murray () canonical com>
Date: Fri, 08 Nov 2019 23:23:35 +1030
CVE-2019-18397 - GNU FriBidi stack buffer overflow >= 1.0.0
-----------------------------------------------------------
Overview:
A stack buffer overflow in the fribidi_get_par_embedding_levels_ex()
function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7
allows an attacker to cause a denial of service or possibly execute
arbitrary code by delivering crafted text content to a user, when this
content is then rendered by an application that uses FriBidi for text
layout calculations. Examples include any GNOME or GTK+ based
application that uses Pango for text rendering, as this internally uses
FriBidi for bidirectional text layout. For example, the attacker can
construct a crafted text file to be opened in GEdit, a crafted IRC
message to be viewed in HexChat or a crafted email to be viewed in
Evolution.
Detailed analysis:
The function fribidi_get_par_embedding_levels_ex()
in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 contains a
fixed size buffer base_level_per_iso_level which is used to accumulate
the current isolate level while calculating the bi-directional
embedding levels of the requested text paragraph.
...
FriBidiLevel base_level_per_iso_level[FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL];
...
When accumulating into this buffer, the index is incremented without
any check for overflow of the buffer length, resulting in a stack
buffer overflow when processing more than
FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL elements.
...
RL_ISOLATE_LEVEL (pp) = isolate_level++;
base_level_per_iso_level[isolate_level] = new_level;
...
This is fixed by checking the current value of isolate_level against
the size of base_level_per_iso_level
(i.e. FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL) to ensure this is only
incremented when it will not subsequently overflow the bounds of the
array.
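As an added illustration, not FriBidi's source or the upstream patch: a minimal C model of the accumulation just described, with the bounds check applied to isolate_level before the index is advanced and the array written. The type and function names and the cap of 125 levels are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL, the array size in the
 * advisory; 125 (the UAX #9 max_depth) is an assumption of this example. */
#define MAX_EXPLICIT_LEVEL 125
typedef signed char Level;

typedef struct {
    int   isolate_level;                      /* current isolate depth */
    int   refused;                            /* initiators past max depth */
    Level base_level_per_iso_level[MAX_EXPLICIT_LEVEL];
} IsoState;

/* The unchecked sequence quoted in the advisory was:
 *     RL_ISOLATE_LEVEL (pp) = isolate_level++;
 *     base_level_per_iso_level[isolate_level] = new_level;
 * so at isolate_level == MAX_EXPLICIT_LEVEL - 1 the post-increment indexes
 * one element past the end. Here the index only advances while in bounds. */
static int push_isolate_checked(IsoState *st, Level new_level)
{
    if (st->isolate_level + 1 >= MAX_EXPLICIT_LEVEL) {
        st->refused++;                        /* nesting too deep: no write */
        return 0;
    }
    st->isolate_level++;
    st->base_level_per_iso_level[st->isolate_level] = new_level;
    return 1;
}

/* Feed n consecutive isolate initiators (constructed input standing in for
 * a run of LRI/RLI characters in one paragraph) and return the end state. */
static IsoState simulate_isolates(int n)
{
    IsoState st;
    memset(&st, 0, sizeof st);
    for (int i = 0; i < n; i++)
        push_isolate_checked(&st, (Level)(i % 2 ? 1 : 2));
    return st;
}

static int final_isolate_level(int n) { return simulate_isolates(n).isolate_level; }
static int refused_initiators(int n)  { return simulate_isolates(n).refused; }

int main(void)
{   /* 200 initiators is well past the 125-entry array that overflowed */
    printf("depth after 200 initiators: %d (refused %d)\n",
           final_isolate_level(200), refused_initiators(200));
    return 0;
}
```

With the check in place the depth saturates at the last valid index (124 here) and every further initiator is counted but never written, which is the behaviour the fix description above calls for.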
Affected Versions:
From 1.0.0 to 1.0.7 (no official upstream release has been made
containing the fix)
References:
https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
CRD:
2019-11-07 17:00 UTC
Credit:
Alex Murray of the Ubuntu Security Team