CVE-2022-40009
Description
SWFTools commit 772e55a was discovered to contain a heap-use-after-free via the function grow_unicode at /lib/ttf.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-use-after-free vulnerability in SWFTools commit 772e55a allows denial of service via a crafted TrueType font file.
Vulnerability
A heap-use-after-free vulnerability exists in SWFTools commit 772e55a in the grow_unicode function located in /lib/ttf.c. The bug occurs during the parsing of TrueType font tables via cmap_parse. When realloc is called to resize a memory region, the old pointer is freed, but a subsequent memset operation writes to the freed memory, causing a use-after-free. The affected version is the latest master commit 772e55a as reported in [1].
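A defensive form of a grow-and-zero helper for the realloc pattern described above, as an added example that is not SWFTools code. The names `unicode_map_t`, `map_grow` and `map_set` are hypothetical, and the sample mappings in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical code point -> glyph table (not the SWFTools structure). */
typedef struct {
    int   *glyphs;  /* glyph index per code point, 0 = unmapped */
    size_t size;    /* entries currently allocated */
} unicode_map_t;

/* Anti-pattern: calling realloc() and then memset() through a pointer or size
 * saved before the call. If the block moved, the write lands in freed memory. */

/* Make index `want` valid. Returns 0 on success, -1 on failure (map unchanged). */
int map_grow(unicode_map_t *m, size_t want)
{
    if (want < m->size)
        return 0;                       /* never shrink the recorded size */
    if (want >= SIZE_MAX / sizeof(int))
        return -1;                      /* (want + 1) * sizeof(int) would overflow */
    size_t new_size = want + 1;
    int *p = realloc(m->glyphs, new_size * sizeof(int));
    if (p == NULL)
        return -1;                      /* old block is still valid and owned by m */
    /* The old m->glyphs may now be freed: use only p from here on. */
    memset(p + m->size, 0, (new_size - m->size) * sizeof(int));
    m->glyphs = p;
    m->size = new_size;
    return 0;
}

/* Bounds-safe store: grows first, then writes through the current pointer. */
int map_set(unicode_map_t *m, size_t cp, int glyph)
{
    if (map_grow(m, cp) != 0)
        return -1;
    m->glyphs[cp] = glyph;
    return 0;
}

int main(void)
{
    unicode_map_t m = {0};
    /* Constructed sample mappings: a small index, then one forcing a large grow. */
    int rc = map_set(&m, 0x41, 36) | map_set(&m, 0x4E2D, 1200);
    printf("rc=%d size=%zu glyph[0x41]=%d\n", rc, m.size, m.glyphs ? m.glyphs[0x41] : -1);
    free(m.glyphs);
    return rc ? 1 : 0;
}
```

Building a parser with `-fsanitize=address` and running it over a font corpus surfaces this class of write in the same way as the trace cited in [1].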
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted TrueType font file to the ttftool utility. No authentication or special privileges are required; the attacker only needs to supply the malicious file as an argument. The tool processes the font, leading to the heap-use-after-free as shown in the AddressSanitizer trace in [1].
Impact
Successful exploitation results in a heap-use-after-free write, which typically causes a program crash (denial of service). Depending on memory layout, this vulnerability could potentially be leveraged for arbitrary code execution, though the reference only confirms a crash. The impact is limited to the ttftool process.
Mitigation
As of the publication date, no patch has been released for this vulnerability. The issue remains open in the SWFTools repository [1]. Users are advised to avoid processing untrusted TrueType font files with the affected version until a fix is available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = commit 772e55a
Patches
No patches discovered yet.
References
[1] github.com/matthiaskramm/swftools/issues/190 (mitre, x_refsource_MISC)