-----=====[ Background ]=====-----

The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.

The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.

-----=====[ Description ]=====-----

We have encountered the following crash in fontsub!ComputeFormat4CmapData:

--- cut ---
(284c.42b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!ComputeFormat4CmapData+0x1e5:
00007fff`aa44d295 41897cc304      mov     dword ptr [r11+rax*8+4],edi ds:0000013d`775e8003=????????

0:000> ? r11
Evaluate expression: 1363507314687 = 0000013d`775e7fff

0:000> ? rax
Evaluate expression: 0 = 00000000`00000000

0:000> ? edi
Evaluate expression: 1 = 00000000`00000001

0:000> !heap -p -a r11
    address 0000013d775e7fff found in
    _DPH_HEAP_ROOT @ 13d77571000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             13d77572e38:      13d775e7fff                1 -      13d775e7000             2000
    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
    00007fffaa44fd1e FONTSUB!Mem_Alloc+0x0000000000000012
    00007fffaa448d1d FONTSUB!MergeFormat4Cmap+0x0000000000000261
    00007fffaa449788 FONTSUB!MergeCmapTables+0x00000000000004d4
    00007fffaa44b046 FONTSUB!MergeFonts+0x00000000000005a6
    00007fffaa44baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
    00007fffaa4414b2 FONTSUB!MergeFontPackage+0x0000000000000132
[...]

0:000> k
 # Child-SP          RetAddr           Call Site
00 0000000c`654fd180 00007fff`aa448e11 FONTSUB!ComputeFormat4CmapData+0x1e5
01 0000000c`654fd1e0 00007fff`aa449788 FONTSUB!MergeFormat4Cmap+0x355
02 0000000c`654fd2e0 00007fff`aa44b046 FONTSUB!MergeCmapTables+0x4d4
03 0000000c`654fd3c0 00007fff`aa44baac FONTSUB!MergeFonts+0x5a6
04 0000000c`654fd570 00007fff`aa4414b2 FONTSUB!MergeDeltaTTF+0x3ec
05 0000000c`654fd6b0 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
[...]
--- cut ---

The root cause of the crash seems to be the fact that the MergeFormat4Cmap() function may allocate a 0-sized buffer and pass it to ComputeFormat4CmapData() in the second argument, but the ComputeFormat4CmapData() function assumes that the buffer is at least 8 bytes long, and unconditionally writes two 32-bit values of -1 and 1 into it.

The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. In order to observe the crash, the PageHeap feature must be enabled in Application Verifier for the FontSub client process, preferably with the "/unaligned" and "/size 0 1" options. Attached are 3 proof of concept malformed font files which trigger the crash.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47113.zip