VYPR
Unrated severity · NVD Advisory · Published Sep 20, 2022 · Updated May 28, 2025

CVE-2022-40008

Description

SWFTools commit 772e55a was discovered to contain a heap-buffer overflow via the function readU8 at /lib/ttf.c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-buffer-overflow in SWFTools ttftool's readU8 function allows out-of-bounds read via crafted font file.

Vulnerability

A heap-buffer-overflow vulnerability exists in SWFTools commit 772e55a in the readU8 function at lib/ttf.c:83. The flaw is triggered during the parsing of the OS/2 table within os2_parse when processing a crafted TrueType font file. The readU8 function reads a single byte from a heap-allocated buffer that is smaller than expected, leading to an out-of-bounds read. [1]

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted TrueType font file to the ttftool utility. No authentication or special privileges are required; the attacker only needs to convince a user to process the malicious file. When ttftool parses the font, the readU8 function reads beyond the allocated heap region, as demonstrated by the AddressSanitizer output. [1]

Impact

Successful exploitation results in a heap-buffer-overflow read of one byte. This can cause a denial of service (crash) or potentially leak sensitive heap memory. The impact is limited to the ttftool process and does not provide code execution based on the available information. [1]

Mitigation

As of the publication date, no fix has been released for this vulnerability. The issue remains open in the SWFTools repository. Users should avoid processing untrusted TrueType font files with ttftool until a patch is available. [1]
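The class of check whose absence produces this kind of one-byte over-read, shown as an added example (not SWFTools code and not a patch for it): a byte reader that tracks the buffer size and latches an error, used to parse the start of an OS/2 table. The names `reader_t`, `read_u8`, `read_u16`, `os2_prefix_t` and `parse_os2_prefix` are hypothetical, the sample table is constructed, and the field layout is the OpenType OS/2 layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cursor over an untrusted table; `failed` latches once a read would pass `size`. */
typedef struct { const uint8_t *mem; size_t pos, size; int failed; } reader_t;

/* Checked byte read: returns 0 and sets `failed` instead of reading past the end. */
static uint8_t read_u8(reader_t *r)
{
    if (r->failed || r->pos >= r->size) { r->failed = 1; return 0; }
    return r->mem[r->pos++];
}

static uint16_t read_u16(reader_t *r)          /* big-endian, as TrueType stores it */
{
    uint16_t hi = read_u8(r);
    return (uint16_t)((hi << 8) | read_u8(r));
}

typedef struct { uint16_t version; uint8_t panose[10]; } os2_prefix_t;

/* Parse the first 42 bytes of an OS/2 table: version, 15 more 16-bit fields
   (xAvgCharWidth .. sFamilyClass), then 10 PANOSE bytes.
   Returns 0 on success, -1 if the table is shorter than the fields require. */
int parse_os2_prefix(const uint8_t *buf, size_t len, os2_prefix_t *out)
{
    reader_t r = { buf, 0, len, 0 };
    memset(out, 0, sizeof *out);
    out->version = read_u16(&r);
    for (int i = 0; i < 15; i++) (void)read_u16(&r);
    for (int i = 0; i < 10; i++) out->panose[i] = read_u8(&r);
    return r.failed ? -1 : 0;
}

int main(void)
{
    uint8_t table[42] = {0};                   /* constructed sample, not a real font */
    os2_prefix_t o;
    table[1] = 3;                              /* version = 3 */
    printf("full table:      %d\n", parse_os2_prefix(table, sizeof table, &o));
    printf("truncated by 1:  %d\n", parse_os2_prefix(table, sizeof table - 1, &o));
    return 0;
}
```

Because the error flag is sticky, the caller checks once after the whole table is read rather than after every field, and a truncated table is rejected without any access past the buffer.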

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1