Apache NuttX
cpe:2.3:a:apache:nuttx:*:*:*:*:*:*:*
- >= 6.9, < 12.9.0
A heap-based buffer overflow vulnerability has been identified in the BDF converter font conversion utility of Apache NuttX RTOS. This out-of-bounds write arises from a loop termination condition that improperly relies on data from input files, allowing for user-controlled chunk allocation. The vulnerability affects versions from 6.9 up to, but not including, 12.9.0. The BDF converter is an optional tool that is not included in the standard NuttX RTOS or Applications runtime, but users who actively run this converter may be exposed when it handles external user data, for example through publicly available automation.
Exploitation of this vulnerability can lead to a heap-based buffer overflow, a common vulnerability type that can be exploited to execute arbitrary code or cause a program to crash.
The vulnerability can be reproduced by compiling the BDF converter tool from the NuttX repository and running it with a crafted input file that triggers the faulty loop termination condition. The loop can be corrected by initializing the 'readingbitmap' variable to the number of bitmaps allocated, decrementing it as each bitmap is processed, and using it to control loop termination, so that the loop does not depend on potentially malicious data from the input file.
Users are advised to upgrade to Apache NuttX version 12.9.0 or later, which addresses this vulnerability.
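The bounded loop described above, as an added example that is not the NuttX converter's own code: a counter named 'readingbitmap' starts at the number of rows allocated and alone decides when writing stops. The helper names, the ENDCHAR-terminated row layout, the sample inputs and the choice to reject mismatched input are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed inputs: BITMAP rows of one glyph, ending with ENDCHAR. */
static const char *const wellformed[] = { "FF", "81", "ENDCHAR" };
static const char *const crafted[] = { "FF", "81", "81", "FF", "ENDCHAR" };

/* Hypothetical helper. 'readingbitmap' starts at the number of rows
 * allocated and drops by one per stored row, so writing stops after
 * 'allocated' rows wherever the input places ENDCHAR.
 * Returns rows stored, or -1 if the input disagrees with the allocation. */
static int read_bitmap(const char *const *lines, size_t nlines,
                       uint64_t *bitmap, size_t allocated)
{
  size_t readingbitmap = allocated;
  size_t i = 0;
  while (readingbitmap > 0)
    {
      char *end;
      if (i >= nlines || strcmp(lines[i], "ENDCHAR") == 0)
        return -1;                      /* fewer rows than allocated */
      bitmap[allocated - readingbitmap] = strtoull(lines[i], &end, 16);
      if (end == lines[i] || *end != '\0')
        return -1;                      /* row is not pure hex */
      readingbitmap--;
      i++;
    }
  /* Buffer is full: the only acceptable next line closes the glyph. */
  if (i >= nlines || strcmp(lines[i], "ENDCHAR") != 0)
    return -1;                          /* more rows than allocated */
  return (int)allocated;
}

/* Allocate from the declared glyph height (assumed to come from the header). */
static int parse_glyph(const char *const *lines, size_t nlines, size_t height)
{
  uint64_t *bitmap = height ? calloc(height, sizeof(*bitmap)) : NULL;
  int rows = bitmap ? read_bitmap(lines, nlines, bitmap, height) : -1;
  free(bitmap);
  return rows;
}

int main(void)
{
  printf("well-formed: %d\n", parse_glyph(wellformed, 3, 2));
  printf("crafted:     %d\n", parse_glyph(crafted, 5, 2));
  return 0;
}
```

Building the block with AddressSanitizer (`-fsanitize=address`) confirms that the crafted input is rejected without any write past the two allocated rows.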