|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "T1 Font Integer Overflow"
(→Description: Conjugate point correctly) |
m |
||
| Line 1: | Line 1: | ||
| − | The '''T1 Font Integer Overflow''' |
+ | The '''T1 Font Integer Overflow''' (A.K.A '''DejaVu''' as it is very similar to the [[Malformed CFF Vulnerability]][https://twitter.com/comex/status/88208990789578752]) is a vulnerability used in [[Saffron]]. |
== Credit for Exploitation == |
== Credit for Exploitation == |
||
| − | [[User:comex|comex]] |
+ | * [[User:comex|comex]] |
== Description == |
== Description == |
||
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top -= arg_cnt" will make top point to data outside of decoder->stack. Actually it points to decoder->parse_callback. |
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top -= arg_cnt" will make top point to data outside of decoder->stack. Actually it points to decoder->parse_callback. |
||
| − | This vulnerability was actually addressed by Apple in Mac OS X v10.6.8/Security Update 2011-004, but a fix was never pushed to iOS. Its CVE identifier is |
+ | This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004], but a fix was never pushed to [[iOS]]. Its CVE identifier is ''CVE-2011-0202''. |
==Sources== |
==Sources== |
||
* Tweets from [https://twitter.com/windknown @windknown]: [https://twitter.com/windknown/status/88170553948651520][https://twitter.com/windknown/status/88171950886760448][https://twitter.com/windknown/status/88172830029651968] |
* Tweets from [https://twitter.com/windknown @windknown]: [https://twitter.com/windknown/status/88170553948651520][https://twitter.com/windknown/status/88171950886760448][https://twitter.com/windknown/status/88172830029651968] |
||
| − | * http://support.apple.com/kb/HT4723 |
+ | * [http://support.apple.com/kb/HT4723 Apple KB] |
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202 |
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202 |
||
Revision as of 18:00, 7 July 2011
The T1 Font Integer Overflow (A.K.A DejaVu as it is very similar to the Malformed CFF Vulnerability[1]) is a vulnerability used in Saffron.
Credit for Exploitation
Description
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top -= arg_cnt" will make top point to data outside of decoder->stack. Actually it points to decoder->parse_callback.
This vulnerability was actually addressed by Apple in Template:Wp/Security Update 2011-004, but a fix was never pushed to iOS. Its CVE identifier is CVE-2011-0202.
