The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "T1 Font Integer Overflow"

Older revision summary: m (Just a start..)
Newer revision summary: m (Yes, I know it is sloppy :))
The Ndrv setspec() Integer Overflow, also known as DejaVu [http://twitter.com/#!/comex/status/88208990789578752], is a vulnerability used in [[Saffron]].

== Description ==

The PDF bug used in [[Saffron]] is essentially an integer-checking problem. When handling op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, where it can be set to 0xfea50000 by the charstring bytes "fb ef". That value bypasses the stack check, and "top -= arg_cnt" then makes top point to data outside decoder->stack; in fact it points to decoder->parse_callback.
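An added C model of the check described above (my example, not code from the wiki page or from FreeType): it decodes the charstring bytes "fb ef" to the operand -347 (0xfea50000 as 16.16 fixed), shows that this negative arg_cnt passes the vulnerable underflow test so that "top -= arg_cnt" moves top 347 slots forward, past the operand stack, and places a hardened check that rejects it beside the vulnerable one. T1_MAX_OPERANDS, the Decoder struct, FIX2INT and the function names are assumptions of the model, not FreeType's own definitions.

```c
#include <stdio.h>
#include <stdint.h>
#define T1_MAX_OPERANDS 256            /* operand stack size; assumed to match FreeType's T1 decoder */
typedef int32_t FT_Fixed;              /* 16.16 fixed-point charstring operand */
#define FIX2INT(x) ((int)((x) >> 16))  /* 16.16 -> int; assumed equivalent to FreeType's Fix2Int here */

/* Minimal decoder model: just the operand stack (the page says the real struct has
   parse_callback after it, which is where the misplaced top ends up). */
typedef struct { FT_Fixed stack[T1_MAX_OPERANDS]; } Decoder;

/* Two-byte Type 1 charstring number (lead byte 251..254):
   v = -((b0 - 251) * 256) - b1 - 108, so "fb ef" decodes to -347. */
int t1_decode_neg2(unsigned char b0, unsigned char b1) {
    return -((b0 - 251) * 256) - b1 - 108;
}

/* Vulnerable op_callothersubr check: arg_cnt is a signed int read from the stack, so a
   negative value passes the underflow test and "top -= arg_cnt" moves top forward, past
   the end of decoder->stack. Returns the index top lands on, or -1 if rejected. */
long callothersubr_vulnerable(const Decoder *d, const FT_Fixed *top) {
    int  arg_cnt = FIX2INT(top[0]);
    long depth   = top - d->stack;     /* operands currently below top */
    if (arg_cnt > depth)               /* only catches too-large positive counts */
        return -1;
    return depth - arg_cnt;            /* top -= arg_cnt, done on indices to stay well-defined */
}

/* Hardened check: the count must be non-negative and no larger than the stack depth. */
long callothersubr_fixed(const Decoder *d, const FT_Fixed *top) {
    int  arg_cnt = FIX2INT(top[0]);
    long depth   = top - d->stack;
    if (arg_cnt < 0 || arg_cnt > depth)
        return -1;
    return depth - arg_cnt;
}

/* Constructed input: push the operand encoded by "fb ef" and run one of the checks. */
long run_trigger(long (*check)(const Decoder *, const FT_Fixed *)) {
    Decoder   d   = {{0}};
    FT_Fixed *top = d.stack;
    top[0] = (FT_Fixed)t1_decode_neg2(0xfb, 0xef) * 65536;  /* -347 * 2^16 == 0xfea50000 */
    top[1] = 0;                                               /* othersubr number, unused here */
    return check(&d, top);
}

int main(void) {
    printf("vulnerable: top index %ld of %d\n", run_trigger(callothersubr_vulnerable), T1_MAX_OPERANDS);
    printf("fixed: %ld (-1 = rejected)\n", run_trigger(callothersubr_fixed));
    return 0;
}
```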

Sources:

[http://twitter.com/#!/windknown/status/88170553948651520 1]
[http://twitter.com/#!/windknown/status/88171950886760448 2]
[http://twitter.com/#!/windknown/status/88172830029651968 3]

== Credit ==

Revision as of 23:49, 6 July 2011