The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "T1 Font Integer Overflow"
m (DejaVu moved to T1 Font Integer Overflow: It's a more proper vulnerability name.) |
m (→Description: avoid line breaks within code fragments) |
||
Line 5: | Line 5: | ||
== Description == |
== Description == |
||
− | When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder |
+ | When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. |
This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004], but a fix was never pushed to [[iOS]]. Its CVE identifier is ''CVE-2011-0202''. |
This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004], but a fix was never pushed to [[iOS]]. Its CVE identifier is ''CVE-2011-0202''. |
Revision as of 09:46, 9 July 2011
The T1 Font Integer Overflow (A.K.A DejaVu as it is very similar to the Malformed CFF Vulnerability[1]) is a vulnerability used in Saffron.
Credit for Exploitation
Description
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback.
This vulnerability was actually addressed by Apple in Template:Wp/Security Update 2011-004, but a fix was never pushed to iOS. Its CVE identifier is CVE-2011-0202.