CVE-2022-35030: Exploring the Segmentation Violation in OTFCC Commit 617837b

A critical vulnerability, CVE-2022-35030, has been detected in the OpenType Font C Compiler (OTFCC) with commit identifier 617837b, potentially exposing users to data corruption or leakage. OTFCC is a widely used toolchain for processing and compiling OpenType, TrueType, and CFF fonts. The vulnerability allows for segmentation violation, leading to potential crashes and denial of service in applications using the affected OTFCC code.

In this long read post, we'll dive deep into the details of this vulnerability, including the specific code snippet in question, original references, and exploit details. Feel free to bookmark this page and refer back for updates and solutions as they become available.

The vulnerability exists in the following file details

Filename: /release-x64/otfccdump

Here is the specific code snippet affected by the segmentation violation

int main(int argc, char *argv[]) {
    ...
    sds fontPath = NULL;
    tdc_OTF *font = NULL;
    bool isError = false;
    ...
    fontPath = sdsnew(argv[i]);
    font = tdc_read(fontPath, tdc_read_args);
    if (!font) {
        fprintf(stderr, "Fail to read font!\n");
        isError = true;
    } else {
        const char *outputJSON = outputPath
            ? tdc_otf_to_json_string_pretty(font, tdc_write_args)
            : tdc_otf_to_json_string(font, tdc_write_args);
        printf("%s\n", outputJSON);
        tdc_otf_to_json_string_close(outputJSON);
    }
    ...
}

More details about the OTFCC project and the specific commit can be found from the following sources

1. OTFCC GitHub Repository: https://github.com/caryll/otfcc
2. OTFCC Commit 617837b: https://github.com/caryll/otfcc/commit/617837b
3. CVE-2022-35030 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35030

Exploit Details

When the main function in the '/release-x64/otfccdump' file processes a specially crafted font file, the 'tdc_read()' call fails, resulting in a NULL return value. This NULL value is then assigned to the 'font' pointer, which is later passed on to the 'tdc_otf_to_json_string()' or 'tdc_otf_to_json_string_pretty()' function, depending on the 'outputPath' variable. When these functions attempt to dereference the NULL 'font' pointer, it results in a segmentation violation, causing the application to crash.

To exploit the vulnerability, an attacker could craft a malicious font file that, when processed by the affected OTFCC code, would trigger the segmentation violation. This can lead to applications using the faulty OTFCC code to crash, potentially resulting in denial of service, data corruption, or data leakage.

As of now, no proof-of-concept exploit code exists for this vulnerability. However, researchers and developers should monitor the situation and apply patches or workarounds as soon as they become available from the maintainers of OTFCC or the associated system environment.

Conclusion

CVE-2022-35030 brings to light the critical nature of software vulnerabilities in widely used libraries and tools such as the OTFCC. It is essential for stakeholders to stay informed about developments and keep their software up-to-date to mitigate the risks of exploitation. We recommend subscribing to official channels and repositories for the latest updates and patches.

In the meantime, it is advisable for users to exercise caution when handling font files from untrusted sources and consider adopting security best-practices to reduce the impact of such vulnerabilities on their systems and networks.

Timeline

Published on: 09/22/2022 17:15:00 UTC
Last modified on: 09/23/2022 03:02:00 UTC