T1 Font Integer Overflow

From The iPhone Wiki
Revision as of 23:49, 6 July 2011 by Jacob (talk | contribs) (Yes, I know it is sloppy :))
Jump to: navigation, search

The Ndrv setspec() Integer Overflow also known as DejaVu [1] is a vulnerability used Saffron.

Description

The pdf bug used in Saffron is like an integer checking problem. When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top -= arg_cnt" will make top points to data outside of decoder->stack. Actually it points to decoder->parse_callback.

Sources: 1 2 3

Credit

comex