If you’re working with font tools or processing OpenType font files, you might have come across OTFCC—a popular open-source font converter and dumper. In 2022, a significant vulnerability was uncovered in OTFCC that could open the door for attackers to corrupt memory through a heap buffer overflow. That bug is known as CVE-2022-35047.
In this post, we’ll break down what CVE-2022-35047 is all about, how it happens, and how an attacker could exploit it in practice. We’ll also look at the specific commit that introduced the bug—617837b—and give you pointers for securing your environment if you use OTFCC.
What is CVE-2022-35047?
CVE-2022-35047 is a heap buffer overflow vulnerability found in OTFCC, particularly in the otfccdump utility. If the user processes a specially crafted OpenType font file, the tool can write outside the bounds of heap-allocated memory. This can lead to crashes, data corruption, or even remote code execution in certain circumstances.
The vulnerability was found using security fuzzing tools and affects OTFCC as of commit 617837b. The overflow happens during the parsing of font data, which can be manipulated by an attacker with a malicious font file.
Technical Details
In commit 617837b, a parsing function in OTFCC does not properly check the boundaries of a buffer before writing to it. This mistake allows data to be written beyond the buffer’s allocated space.
The crash was first observed at /release-x64/otfccdump+x6b05aa—that is, an offset into the compiled otfccdump tool, corresponding to the vulnerable function.
Here’s a simplified code snippet illustrating what might happen (not the real code, but representative):
// Pseudo-code similar to the vulnerable function
void read_font_data(char *input, size_t input_length) {
char buffer[1024];
// Vulnerable: does not check input_length against buffer size
memcpy(buffer, input, input_length);
// ...process buffer...
}
If the input_length is greater than 1024, the memcpy call will write past the end of buffer, corrupting adjacent heap memory.
How Can This Be Exploited?
An attacker can craft a malicious OpenType font file whose internal structure tricks OTFCC’s parsing logic into writing more bytes than a buffer can hold. By controlling what is written where, attackers may:
Potentially execute arbitrary code, depending on OS, application, and heap layout
For example, using a fuzzing tool like AFL, a researcher could generate thousands of random font files targeting OTFCC until one causes the heap buffer overflow.
A sample PoC would look like this (conceptually)
# Generate a malicious font file (e.g., exploit.otf)
python create_bad_font.py > exploit.otf
# Run the vulnerable command
otfccdump exploit.otf
Here’s a minimal PoC in Python that creates an oversized, malformed font file
# create_bad_font.py
with open("exploit.otf", "wb") as f:
# Write fake OTF header
f.write(b"\x00" * 100)
# Append garbage to overflow the buffer
f.write(b"A" * 200)
Running otfccdump exploit.otf would crash the tool at the vulnerable location if built from commit 617837b.
References and Further Reading
- CVE-2022-35047 at CVE Details
- OTFCC commit 617837b
- Original issue and fuzzing report
- AFL (American Fuzzy Lop) Fuzzer
Patch and Mitigation
If you process untrusted font files or use OTFCC in production, upgrade to a version after commit 617837b. Always validate and sandbox font processing if possible.
The vulnerability is triggered by malformed font files, enabling out-of-bounds heap writes.
- It’s essential to upgrade to a patched release if you use OTFCC, especially in automated or exposed environments.
- For more technical details, see the official CVE entry and OTFCC's repository.
*Stay safe, and always keep your tooling up to date!*
Timeline
Published on: 10/14/2022 12:15:00 UTC
Last modified on: 10/15/2022 02:14:00 UTC