-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered crashes in fontsub!ReadTableIntoStructure similar to the following:
--- cut ---
(7ac.378c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!ReadTableIntoStructure+0x378:
00007fff`c0874150 6689540110 mov word ptr [rcx+rax+10h],dx ds:000001f7`a7429010=????
0:000> ? rcx
Evaluate expression: 32 = 00000000`00000020
0:000> ? rax
Evaluate expression: 2163174707168 = 000001f7`a7428fe0
0:000> ? dx
Evaluate expression: 3 = 00000000`00000003
0:000> !heap -p -a rax
address 000001f7a7428fe0 found in
_DPH_HEAP_ROOT @ 1f7a7271000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1f7a7276c98: 1f7a7428fe0 20 - 1f7a7428000 2000
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fffc0875562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02
00007fffc086b0a3 FONTSUB!MergeFonts+0x0000000000000603
00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132
[...]
0:000> k
# Child-SP RetAddr Call Site
00 000000d8`664fd3d0 00007fff`c0875599 FONTSUB!ReadTableIntoStructure+0x378
01 000000d8`664fd480 00007fff`c086b0a3 FONTSUB!MergeEblcEbdtTables+0xb39
02 000000d8`664fd690 00007fff`c086baac FONTSUB!MergeFonts+0x603
03 000000d8`664fd840 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec
04 000000d8`664fd980 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
[...]
--- cut ---
In total, we have discovered crashes in four different locations inside the ReadTableIntoStructure() function.
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47265.zip