The flaw, which is officially designated as CVE-2020-15999, occurs in the way FreeType handles PNG images embedded in fonts using the Load_SBit_Png function. FreeType is a popular text rendering library that Chrome uses. According to the bug report filed by Sergei Glazunov, a security researcher from Google’s very own Project Zero team, the function has the following tasks:
1) Obtains the image width and height from the header as 32-bit integers.
2) Truncates the obtained values to 16 bit and stores them in a ‘TT_SBit_Metrics’ structure.
3) Uses the truncated values to calculate the bitmap size.
4) Allocates the backing store of that size. 5) Passes ‘png_struct’ and the backing store to a libpng function.
Glazunov further explains that since the libpng function uses 32-bit values instead of the truncated 16-bit values, a heap buffer overflow in FreeType could occur if the PNG’s width and/or height exceeds 65535, the highest possible allocated buffer or memory for this type of data. This would result in certain pieces of data being overwritten or corrupted and, overall, the program behaving differently. So, anyone who successfully exploits this bug could either allow remote execution of malicious code in the context of the browser or a complete compromise of the affected system.
Google didn’t further elaborate on how CVE-2020-15999 is being exploited to target its users, or who is possibly behind the exploitation.
Update your Chrome now
Chrome users are advised to update to the current browser version, 86.0.4240.111, to protect themselves from getting exploited. Development teams who use the same FreeType libraries should update to FreeType 2.10.4.