https://sourceforge.net/p/fontforge/patches/41/Recent changes to 41: ZDI-CAN-28563: New Vulnerability ReportenFri, 12 Dec 2025 15:55:21 -0000https://sourceforge.net/p/fontforge/patches/41/<div class="markdown_content"><p>ZDI-CAN-28563: FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability</p> <p>-- CVSS -----------------------------------------</p> <p>8.8: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</p> <p>-- ABSTRACT -------------------------------------</p> <p>Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:<br/> FontForge - FontForge</p> <p>-- VULNERABILITY DETAILS ------------------------<br/> * Version tested:aca4f524c6cb14cdc7bc4cd493492a33f5154797<br/> * Platform tested:ubuntu 24.04</p> <hr/> <h3 id="h-analysis">Analysis</h3> <div class="codehilite"><pre><span></span><code>array index OOB access vulnerability exists within the FontForge's SFD_GetFontMetaData() function. The corruption will be triggered when victim open the malicious sfd file with the fontforge application. </code></pre></div> <div class="codehilite"><pre><span></span><code><span class="kt">bool</span><span class="w"> </span><span class="nf">SFD_GetFontMetaData</span><span class="p">(</span><span class="w"> </span><span class="kt">FILE</span><span class="w"> </span><span class="o">*</span><span class="n">sfd</span><span class="p">,</span> <span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">tok</span><span class="p">,</span> <span class="w"> </span><span class="n">SplineFont</span><span class="w"> </span><span class="o">*</span><span class="n">sf</span><span class="p">,</span> <span class="w"> </span><span class="n">SFD_GetFontMetaDataData</span><span class="o">*</span><span class="w"> </span><span class="n">d</span><span class="w"> </span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">first_cnt</span><span class="p">,</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="p">));</span><span class="w"> </span><span class="c1">// buffer</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">seconds</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">second_cnt</span><span class="p">,</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="p">));</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">offsets</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">first_cnt</span><span class="o">*</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">second_cnt</span><span class="p">,</span><span class="k">sizeof</span><span class="p">(</span><span class="kt">int16_t</span><span class="p">));</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">adjusts</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">first_cnt</span><span class="o">*</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">second_cnt</span><span class="p">,</span><span class="k">sizeof</span><span class="p">(</span><span class="n">DeviceTable</span><span class="p">));</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">kernclassversion</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="mi">3</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts_flags</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">first_cnt</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="kt">int</span><span class="p">));</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">seconds_flags</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">second_cnt</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="kt">int</span><span class="p">));</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">offsets_flags</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">first_cnt</span><span class="o">*</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">second_cnt</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="kt">int</span><span class="p">));</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts_names</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">first_cnt</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">));</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">seconds_names</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">calloc</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">second_cnt</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">));</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="n">i</span><span class="o">=</span><span class="n">classstart</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="o">&lt;</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">first_cnt</span><span class="p">;</span><span class="w"> </span><span class="o">++</span><span class="n">i</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">kernclassversion</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">3</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">getint</span><span class="p">(</span><span class="n">sfd</span><span class="p">,</span><span class="o">&amp;</span><span class="n">temp</span><span class="p">);</span><span class="w"> </span><span class="c1">// input</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">malloc</span><span class="p">(</span><span class="n">temp</span><span class="o">+</span><span class="mi">1</span><span class="p">);</span><span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts</span><span class="p">[</span><span class="n">i</span><span class="p">][</span><span class="n">temp</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sc">'\0'</span><span class="p">;</span><span class="w"> </span><span class="c1">// array index OOB write</span> <span class="w"> </span><span class="n">nlgetc</span><span class="p">(</span><span class="n">sfd</span><span class="p">);</span><span class="w"> </span><span class="cm">/* skip space */</span> <span class="w"> </span><span class="n">fread</span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts</span><span class="p">[</span><span class="n">i</span><span class="p">],</span><span class="mi">1</span><span class="p">,</span><span class="n">temp</span><span class="p">,</span><span class="n">sfd</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">getint</span><span class="p">(</span><span class="n">sfd</span><span class="p">,</span><span class="o">&amp;</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts_flags</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">((</span><span class="n">ch</span><span class="o">=</span><span class="n">nlgetc</span><span class="p">(</span><span class="n">sfd</span><span class="p">))</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">' '</span><span class="p">);</span><span class="w"> </span><span class="n">ungetc</span><span class="p">(</span><span class="n">ch</span><span class="p">,</span><span class="w"> </span><span class="n">sfd</span><span class="p">);</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">ch</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'\n'</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">ch</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">EOF</span><span class="p">)</span><span class="w"> </span><span class="k">continue</span><span class="p">;</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts_names</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SFDReadUTF7Str</span><span class="p">(</span><span class="n">sfd</span><span class="p">);</span> <span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">((</span><span class="n">ch</span><span class="o">=</span><span class="n">nlgetc</span><span class="p">(</span><span class="n">sfd</span><span class="p">))</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">' '</span><span class="p">);</span><span class="w"> </span><span class="n">ungetc</span><span class="p">(</span><span class="n">ch</span><span class="p">,</span><span class="w"> </span><span class="n">sfd</span><span class="p">);</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">ch</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'\n'</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">ch</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">EOF</span><span class="p">)</span><span class="w"> </span><span class="k">continue</span><span class="p">;</span> <span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SFDReadUTF7Str</span><span class="p">(</span><span class="n">sfd</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span><span class="w"> </span><span class="n">kc</span><span class="o">-&gt;</span><span class="n">firsts</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">copy</span><span class="p">(</span><span class="s">""</span><span class="p">);</span><span class="w"> </span><span class="c1">// In certain places, this must be defined.</span> <span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">((</span><span class="n">ch</span><span class="o">=</span><span class="n">nlgetc</span><span class="p">(</span><span class="n">sfd</span><span class="p">))</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">' '</span><span class="w"> </span><span class="o">||</span><span class="w"> </span><span class="n">ch</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="sc">'\n'</span><span class="p">);</span><span class="w"> </span><span class="n">ungetc</span><span class="p">(</span><span class="n">ch</span><span class="p">,</span><span class="w"> </span><span class="n">sfd</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="p">...</span> </code></pre></div> <p>ASAN report</p> <div class="codehilite"><pre><span></span><code><span class="o">=================================================================</span> <span class="o">==</span><span class="mi">13734</span><span class="o">==</span><span class="nl">ERROR</span><span class="p">:</span><span class="w"> </span><span class="nl">AddressSanitizer</span><span class="p">:</span><span class="w"> </span><span class="n">heap</span><span class="o">-</span><span class="n">buffer</span><span class="o">-</span><span class="n">overflow</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">address</span><span class="w"> </span><span class="mh">0x50200012a8cf</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="n">pc</span><span class="w"> </span><span class="mh">0x725819ad049d</span><span class="w"> </span><span class="n">bp</span><span class="w"> </span><span class="mh">0x7ffe89c724b0</span><span class="w"> </span><span class="n">sp</span><span class="w"> </span><span class="mh">0x7ffe89c724a0</span> <span class="k">WRITE</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="k">size</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">at</span><span class="w"> </span><span class="mh">0x50200012a8cf</span><span class="w"> </span><span class="n">thread</span><span class="w"> </span><span class="n">T0</span> <span class="w"> </span><span class="n">#0</span><span class="w"> </span><span class="mh">0x725819ad049c</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">SFD_GetFontMetaData</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">wmliang</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">sfd</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">8268</span> <span class="w"> </span><span class="n">#1</span><span class="w"> </span><span class="mh">0x725819ad4234</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">SFD_GetFont</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">wmliang</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">sfd</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">8497</span> <span class="w"> </span><span class="n">#2</span><span class="w"> </span><span class="mh">0x725819ada408</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">SFD_Read</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">wmliang</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">sfd</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">9078</span> <span class="w"> </span><span class="n">#3</span><span class="w"> </span><span class="mh">0x725819b2d525</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">_ReadSplineFont</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">wmliang</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">splinefont</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">1226</span> <span class="w"> </span><span class="n">#4</span><span class="w"> </span><span class="mh">0x725819b2ddf0</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">LoadSplineFont</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">wmliang</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">splinefont</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">1420</span> <span class="w"> </span><span class="n">#5</span><span class="w"> </span><span class="mh">0x72581978756f</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">ViewPostScriptFont</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">wmliang</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">fontviewbase</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">1386</span> <span class="w"> </span><span class="n">#6</span><span class="w"> </span><span class="mh">0x5daf4be81c9f</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">fontforge_main</span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">wmliang</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">fontforgeexe</span><span class="o">/</span><span class="n">startui</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">992</span> <span class="w"> </span><span class="n">#7</span><span class="w"> </span><span class="mh">0x725816c2a1c9</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">__libc_start_call_main</span><span class="w"> </span><span class="p">..</span><span class="o">/</span><span class="n">sysdeps</span><span class="o">/</span><span class="n">nptl</span><span class="o">/</span><span class="n">libc_start_call_main</span><span class="p">.</span><span class="nl">h</span><span class="p">:</span><span class="mi">58</span> <span class="w"> </span><span class="n">#8</span><span class="w"> </span><span class="mh">0x725816c2a28a</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">__libc_start_main_impl</span><span class="w"> </span><span class="p">..</span><span class="o">/</span><span class="n">csu</span><span class="o">/</span><span class="n">libc</span><span class="o">-</span><span class="k">start</span><span class="p">.</span><span class="nl">c</span><span class="p">:</span><span class="mi">360</span> <span class="w"> </span><span class="n">#9</span><span class="w"> </span><span class="mh">0x5daf4b9d3054</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">_start</span><span class="w"> </span><span class="p">(</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">wmliang</span><span class="o">/</span><span class="n">fontforge</span><span class="o">/</span><span class="n">build</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">fontforge</span><span class="o">+</span><span class="mh">0x180054</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="nl">BuildId</span><span class="p">:</span><span class="w"> </span><span class="mi">45</span><span class="n">c09de68bbe576c3dd1339975fca7d8df397ad1</span><span class="p">)</span> <span class="mh">0x50200012a8cf</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">located</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">bytes</span><span class="w"> </span><span class="k">before</span><span class="w"> </span><span class="mi">1</span><span class="o">-</span><span class="n">byte</span><span class="w"> </span><span class="n">region</span><span class="w"> </span><span class="o">[</span><span class="n">0x50200012a8d0,0x50200012a8d1)</span> <span class="n">allocated by thread T0 here:</span> <span class="n"> #0 0x72581a4fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69</span> <span class="n"> #1 0x725819ad0259 in SFD_GetFontMetaData /home/wmliang/fontforge/fontforge/sfd.c:8268</span> <span class="n">SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wmliang/fontforge/fontforge/sfd.c:8268 in SFD_GetFontMetaData</span> <span class="n">Shadow bytes around the buggy address:</span> <span class="n"> 0x50200012a600: fa fa 05 fa fa fa 00 02 fa fa 00 02 fa fa 07 fa</span> <span class="n"> 0x50200012a680: fa fa 02 fa fa fa 02 fa fa fa 01 fa fa fa 04 fa</span> <span class="n"> 0x50200012a700: fa fa 02 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa</span> <span class="n"> 0x50200012a780: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa</span> <span class="n"> 0x50200012a800: fa fa 01 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa</span> <span class="n">=&gt;0x50200012a880: fa fa 02 fa fa fa 01 fa fa[fa</span><span class="o">]</span><span class="mi">01</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span> <span class="w"> </span><span class="mh">0x50200012a900</span><span class="err">:</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span> <span class="w"> </span><span class="mh">0x50200012a980</span><span class="err">:</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span> <span class="w"> </span><span class="mh">0x50200012aa00</span><span class="err">:</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span> <span class="w"> </span><span class="mh">0x50200012aa80</span><span class="err">:</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span> <span class="w"> </span><span class="mh">0x50200012ab00</span><span class="err">:</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span><span class="w"> </span><span class="n">fa</span> <span class="n">Shadow</span><span class="w"> </span><span class="n">byte</span><span class="w"> </span><span class="n">legend</span><span class="w"> </span><span class="p">(</span><span class="n">one</span><span class="w"> </span><span class="n">shadow</span><span class="w"> </span><span class="n">byte</span><span class="w"> </span><span class="n">represents</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="n">application</span><span class="w"> </span><span class="n">bytes</span><span class="p">)</span><span class="err">:</span> <span class="w"> </span><span class="nl">Addressable</span><span class="p">:</span><span class="w"> </span><span class="mi">00</span> <span class="w"> </span><span class="n">Partially</span><span class="w"> </span><span class="nl">addressable</span><span class="p">:</span><span class="w"> </span><span class="mi">01</span><span class="w"> </span><span class="mi">02</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="mi">04</span><span class="w"> </span><span class="mi">05</span><span class="w"> </span><span class="mi">06</span><span class="w"> </span><span class="mi">07</span> <span class="w"> </span><span class="n">Heap</span><span class="w"> </span><span class="nf">left</span><span class="w"> </span><span class="nl">redzone</span><span class="p">:</span><span class="w"> </span><span class="n">fa</span> <span class="w"> </span><span class="n">Freed</span><span class="w"> </span><span class="n">heap</span><span class="w"> </span><span class="nl">region</span><span class="p">:</span><span class="w"> </span><span class="n">fd</span> <span class="w"> </span><span class="n">Stack</span><span class="w"> </span><span class="nf">left</span><span class="w"> </span><span class="nl">redzone</span><span class="p">:</span><span class="w"> </span><span class="n">f1</span> <span class="w"> </span><span class="n">Stack</span><span class="w"> </span><span class="n">mid</span><span class="w"> </span><span class="nl">redzone</span><span class="p">:</span><span class="w"> </span><span class="n">f2</span> <span class="w"> </span><span class="n">Stack</span><span class="w"> </span><span class="nf">right</span><span class="w"> </span><span class="nl">redzone</span><span class="p">:</span><span class="w"> </span><span class="n">f3</span> <span class="w"> </span><span class="n">Stack</span><span class="w"> </span><span class="k">after</span><span class="w"> </span><span class="k">return</span><span class="err">:</span><span class="w"> </span><span class="n">f5</span> <span class="w"> </span><span class="n">Stack</span><span class="w"> </span><span class="k">use</span><span class="w"> </span><span class="k">after</span><span class="w"> </span><span class="k">scope</span><span class="err">:</span><span class="w"> </span><span class="n">f8</span> <span class="w"> </span><span class="k">Global</span><span class="w"> </span><span class="nl">redzone</span><span class="p">:</span><span class="w"> </span><span class="n">f9</span> <span class="w"> </span><span class="k">Global</span><span class="w"> </span><span class="n">init</span><span class="w"> </span><span class="k">order</span><span class="err">:</span><span class="w"> </span><span class="n">f6</span> <span class="w"> </span><span class="n">Poisoned</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="k">user</span><span class="err">:</span><span class="w"> </span><span class="n">f7</span> <span class="w"> </span><span class="n">Container</span><span class="w"> </span><span class="nl">overflow</span><span class="p">:</span><span class="w"> </span><span class="n">fc</span> <span class="w"> </span><span class="k">Array</span><span class="w"> </span><span class="nl">cookie</span><span class="p">:</span><span class="w"> </span><span class="n">ac</span> <span class="w"> </span><span class="n">Intra</span><span class="w"> </span><span class="k">object</span><span class="w"> </span><span class="nl">redzone</span><span class="p">:</span><span class="w"> </span><span class="n">bb</span> <span class="w"> </span><span class="n">ASan</span><span class="w"> </span><span class="nl">internal</span><span class="p">:</span><span class="w"> </span><span class="n">fe</span> <span class="w"> </span><span class="nf">Left</span><span class="w"> </span><span class="n">alloca</span><span class="w"> </span><span class="nl">redzone</span><span class="p">:</span><span class="w"> </span><span class="n">ca</span> <span class="w"> </span><span class="nf">Right</span><span class="w"> </span><span class="n">alloca</span><span class="w"> </span><span class="nl">redzone</span><span class="p">:</span><span class="w"> </span><span class="n">cb</span> <span class="o">==</span><span class="mi">13734</span><span class="o">==</span><span class="n">ABORTING</span> </code></pre></div> <p>-- CREDIT ---------------------------------------<br/> This vulnerability was discovered by:<br/> Anonymous working with Trend Micro Zero Day Initiative</p> <p>-- FURTHER DETAILS ------------------------------</p> <p>Supporting files:</p> <p>If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.</p> <p>Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:</p> <p>Zero Day Initiative<br/> zdi-disclosures@trendmicro.com</p> <p>The PGP key used for all ZDI vendor communications is available from:</p> <p><a href="http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc" rel="nofollow">http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc</a></p> <p>-- INFORMATION ABOUT THE ZDI --------------------<br/> Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.</p> <p>Please contact us for further details or refer to:</p> <p><a href="http://www.zerodayinitiative.com" rel="nofollow">http://www.zerodayinitiative.com</a></p> <p>-- DISCLOSURE POLICY ----------------------------</p> <p>Our vulnerability disclosure policy is available online at:</p> <p><a href="http://www.zerodayinitiative.com/advisories/disclosure_policy/" rel="nofollow">http://www.zerodayinitiative.com/advisories/disclosure_policy/</a></p></div>Zero Day InitiativeFri, 12 Dec 2025 15:55:21 -0000https://sourceforge.net41f93098cb5bae6a508482a0e3a8950d2ab13c68