Skip to content
GitLab
Projects Groups Topics Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Register
  • Sign in
  • P pango
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
  • Issues 166
    • Issues 166
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 22
    • Merge requests 22
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Container Registry
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • GNOMEGNOME
  • pango
  • Issues
  • #342
Closed
Open
Issue created Dec 16, 2018 by Ghost User@ghost

pango_log2vis_get_embedding_levels with incomplete unicode sequences may write out of bounds

Not sure if this has been reported already, but it came up in a recent CTF:

The following crashes with a segfault on latest pango:

#include <pango/pango.h>
#include <pango/pango-bidi-type.h>

int main() {
  PangoDirection dir = PANGO_DIRECTION_LTR;
  char* inp = "\xf8";
  printf("utf8 len %lu\n", g_utf8_strlen(inp, strlen(inp)));
  pango_log2vis_get_embedding_levels(inp, strlen(inp), &dir);
  return 0;
}

This happens because g_utf8_strlen("\xf8") is zero, so n_chars will be zero at this point: https://gitlab.gnome.org/GNOME/pango/blob/eb2c647ff693bf3218fd1772f11a008bfbc975e7/pango/pango-bidi-type.c#L173

But because length = 1, the loop at https://gitlab.gnome.org/GNOME/pango/blob/eb2c647ff693bf3218fd1772f11a008bfbc975e7/pango/pango-bidi-type.c#L181 still executes at least one time, leading to a NULL pointer dereference (g_new(.., 0) = NULL)).

In general, this issue leads to an out-of-bounds heap write and can be triggered via pango_itemize if the bytes passed to pango_itemize are user-controlled.

Assignee
Assign to
Time tracking