Comment by triclops200
1 year ago
Obviously the thought comes up of the fact that this feels unsafe to have WASM in font files, but, I'm also aware that font layout engines are already turing complete, which leads me to wonder: have there been any high profile malware font examples? That entire stack feels a lot like an attack surface to me, especially given stuff like the fact that windows used to render fonts in the kernel layer.
Multiple iOS jailbreaks--both by comex--were buffer overflows of the virtual machine stack due to bugs in how a few instructions were handled in freetype's implementation of true type font hinting. The resulting exploit was embedded in a PDF file (which was itself deployed by a website), but that was just a convenient way to embed the font and trigger very deterministic hinting: the bug wasn't in the PDF renderer, per se (though I imagine a lot of people were confused on that front in the popular press about the issue).
He open sourced the exploit concurrent to the website going up, and it was immediately adjusted for use against different targets (including FoxIt reader or something like that on Windows), and as freetype was used by a lot of Linux distributions in addition to iOS I imagine it was used in a ton of malware (which might or might not have been "high profile"). I actually use those vulnerabilities as a case study in the ethical trade offs of open source weaponization in my talks.
(There were two such jailbreaks, as there were/are separate implementations of two similar yet slightly different virtual machine versions, each of which had bugs that I remember to be related to the same fundamental mistake; and--as you can read about in another big thread on this website today, most developers think coming up with difficult abstractions isn't worth their effort and would rather fix things by playing whack-a-mole.)
Wasn't there also a Telugu glyph that could in some weird corner cases brick an iPhone?
Font layout engines are only Turing-complete if the stack is unbounded (to be fair: that's true actual computers too: they're not Turing-complete because they don't have infinite RAM), and AFAIK the major font engines all impose a quite strict limit on the stack size.
I suppose with WASM you can just write an infinite loop?
Font files already have embedded code for hinting. So while this might increase the attack surface somewhat, it was already there and I honestly trust wasm execution more than the severely underdocumented and poorly understood hinting VM.
https://www.truetype-typography.com/tthints.htm
Wasm is sandboxed, so it's not really any different than rendering a web view inside an app.
Note the author had to modify Gimp to get it to run the wasm. It's not something most apps would allow just for font rendering.
I only had to enable it in hafbuzz as gimp uses dynamic linking. So I luckily did not have to build it as well
> That entire stack feels a lot like an attack surface to me, especially given stuff like the fact that windows used to render fonts in the kernel layer.
Indeed. https://googleprojectzero.github.io/0days-in-the-wild/0day-R...
Something like that is the reason that most OSs have dropped support for Postscript Type 1 fonts.