Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Microsoft Font Subsetting DLL Stack Exhaustion at fontsub!GetComponentGlyphList #46

Open
xinali opened this issue Aug 22, 2019 · 0 comments
Open

Microsoft Font Subsetting DLL Stack Exhaustion at fontsub!GetComponentGlyphList #46

xinali opened this issue Aug 22, 2019 · 0 comments
Labels
FoundBugs

Comments

@xinali
Copy link
Owner

xinali commented Aug 22, 2019

Microsoft Font Subsetting DLL Stack Exhaustion at fontsub!GetComponentGlyphList

DDoS 微软说目前不打算修,没准将来会修,那就贴出来吧

Please excuse my poor English. I'm not a native speaker. I will do my best to describe this bug.

I test this on sytem

windows 10 professional
v1903 x64 bit

fontsub background

The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.

The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. I have tested CreateFontPackage with a fuzzer.

crash

when I use a specific ttf file with CreateFontPackage , it crashed

0:000> g
ModLoad: 00007ffb`a5190000 00007ffb`a51b2000   C:\WINDOWS\system32\fontsub.dll
ModLoad: 00007ffb`b44d0000 00007ffb`b456e000   C:\WINDOWS\System32\msvcrt.dll
(4dec.5240): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
fontsub!ReadWord+0x1c:
00007ffb`a51a953c e8cbfeffff      call    fontsub!CheckInOffset (00007ffb`a51a940c)

check stack call

0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffb`a51a98fe : 00000000`00000358 00000000`00000000 00000000`00000000 00007ffb`a51a9541 : fontsub!ReadWord+0x1c
01 00007ffb`a519cf56 : 00000097`c7eff318 00000097`c7e04141 00000000`00000000 00000000`00000000 : fontsub!ReadGeneric+0x116
02 00007ffb`a519cfe3 : 00000000`00000000 00000097`c7e041e8 00000000`00000000 00000000`00000000 : fontsub!GetGlyphHeader+0x102
03 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04211 000001bb`fd5b2718 00000000`00000000 : fontsub!GetComponentGlyphList+0x77
04 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e042e1 000001bb`fd5b2716 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
05 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e043b1 000001bb`fd5b2714 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
06 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04481 000001bb`fd5b2712 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
07 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04551 000001bb`fd5b2710 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
08 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04621 000001bb`fd5b270e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
09 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e046f1 000001bb`fd5b270c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
0a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e047c1 000001bb`fd5b270a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
0b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04891 000001bb`fd5b2708 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
0c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04961 000001bb`fd5b2706 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
0d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04a31 000001bb`fd5b2704 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
0e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04b01 000001bb`fd5b2702 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
0f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04bd1 000001bb`fd5b2700 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
10 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04ca1 000001bb`fd5b26fe 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
11 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04d71 000001bb`fd5b26fc 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
12 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04e41 000001bb`fd5b26fa 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
13 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04f11 000001bb`fd5b26f8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
14 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e04fe1 000001bb`fd5b26f6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
15 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e050b1 000001bb`fd5b26f4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
16 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05181 000001bb`fd5b26f2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
17 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05251 000001bb`fd5b26f0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
18 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05321 000001bb`fd5b26ee 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
19 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e053f1 000001bb`fd5b26ec 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
1a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e054c1 000001bb`fd5b26ea 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
1b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05591 000001bb`fd5b26e8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
1c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05661 000001bb`fd5b26e6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
1d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05731 000001bb`fd5b26e4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
1e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05801 000001bb`fd5b26e2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
1f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e058d1 000001bb`fd5b26e0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
20 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e059a1 000001bb`fd5b26de 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
21 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05a71 000001bb`fd5b26dc 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
22 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05b41 000001bb`fd5b26da 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
23 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05c11 000001bb`fd5b26d8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
24 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05ce1 000001bb`fd5b26d6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
25 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05db1 000001bb`fd5b26d4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
26 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05e81 000001bb`fd5b26d2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
27 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e05f51 000001bb`fd5b26d0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
28 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06021 000001bb`fd5b26ce 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
29 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e060f1 000001bb`fd5b26cc 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
2a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e061c1 000001bb`fd5b26ca 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
2b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06291 000001bb`fd5b26c8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
2c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06361 000001bb`fd5b26c6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
2d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06431 000001bb`fd5b26c4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
2e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06501 000001bb`fd5b26c2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
2f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e065d1 000001bb`fd5b26c0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
30 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e066a1 000001bb`fd5b26be 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
31 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06771 000001bb`fd5b26bc 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
32 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06841 000001bb`fd5b26ba 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
33 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06911 000001bb`fd5b26b8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
34 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e069e1 000001bb`fd5b26b6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
35 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06ab1 000001bb`fd5b26b4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
36 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06b81 000001bb`fd5b26b2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
37 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06c51 000001bb`fd5b26b0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
38 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06d21 000001bb`fd5b26ae 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
39 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06df1 000001bb`fd5b26ac 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
3a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06ec1 000001bb`fd5b26aa 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
3b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e06f91 000001bb`fd5b26a8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
3c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07061 000001bb`fd5b26a6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
3d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07131 000001bb`fd5b26a4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
3e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07201 000001bb`fd5b26a2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
3f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e072d1 000001bb`fd5b26a0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
40 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e073a1 000001bb`fd5b269e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
41 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07471 000001bb`fd5b269c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
42 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07541 000001bb`fd5b269a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
43 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07611 000001bb`fd5b2698 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
44 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e076e1 000001bb`fd5b2696 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
45 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e077b1 000001bb`fd5b2694 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
46 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07881 000001bb`fd5b2692 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
47 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07951 000001bb`fd5b2690 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
48 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07a21 000001bb`fd5b268e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
49 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07af1 000001bb`fd5b268c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
4a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07bc1 000001bb`fd5b268a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
4b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07c91 000001bb`fd5b2688 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
4c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07d61 000001bb`fd5b2686 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
4d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07e31 000001bb`fd5b2684 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
4e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07f01 000001bb`fd5b2682 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
4f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e07fd1 000001bb`fd5b2680 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
50 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e080a1 000001bb`fd5b267e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
51 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08171 000001bb`fd5b267c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
52 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08241 000001bb`fd5b267a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
53 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08311 000001bb`fd5b2678 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
54 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e083e1 000001bb`fd5b2676 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
55 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e084b1 000001bb`fd5b2674 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
56 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08581 000001bb`fd5b2672 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
57 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08651 000001bb`fd5b2670 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
58 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08721 000001bb`fd5b266e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
59 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e087f1 000001bb`fd5b266c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
5a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e088c1 000001bb`fd5b266a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
5b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08991 000001bb`fd5b2668 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
5c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08a61 000001bb`fd5b2666 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
5d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08b31 000001bb`fd5b2664 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
5e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08c01 000001bb`fd5b2662 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
5f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08cd1 000001bb`fd5b2660 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
60 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08da1 000001bb`fd5b265e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
61 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08e71 000001bb`fd5b265c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
62 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e08f41 000001bb`fd5b265a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
63 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09011 000001bb`fd5b2658 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
64 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e090e1 000001bb`fd5b2656 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
65 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e091b1 000001bb`fd5b2654 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
66 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09281 000001bb`fd5b2652 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
67 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09351 000001bb`fd5b2650 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
68 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09421 000001bb`fd5b264e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
69 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e094f1 000001bb`fd5b264c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
6a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e095c1 000001bb`fd5b264a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
6b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09691 000001bb`fd5b2648 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
6c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09761 000001bb`fd5b2646 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
6d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09831 000001bb`fd5b2644 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
6e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09901 000001bb`fd5b2642 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
6f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e099d1 000001bb`fd5b2640 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
70 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09aa1 000001bb`fd5b263e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
71 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09b71 000001bb`fd5b263c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
72 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09c41 000001bb`fd5b263a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
73 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09d11 000001bb`fd5b2638 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
74 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09de1 000001bb`fd5b2636 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
75 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09eb1 000001bb`fd5b2634 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
76 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e09f81 000001bb`fd5b2632 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
77 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a051 000001bb`fd5b2630 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
78 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a121 000001bb`fd5b262e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
79 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a1f1 000001bb`fd5b262c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
7a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a2c1 000001bb`fd5b262a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
7b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a391 000001bb`fd5b2628 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
7c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a461 000001bb`fd5b2626 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
7d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a531 000001bb`fd5b2624 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
7e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a601 000001bb`fd5b2622 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
7f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a6d1 000001bb`fd5b2620 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
80 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a7a1 000001bb`fd5b261e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
81 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a871 000001bb`fd5b261c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
82 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0a941 000001bb`fd5b261a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
83 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0aa11 000001bb`fd5b2618 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
84 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0aae1 000001bb`fd5b2616 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
85 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0abb1 000001bb`fd5b2614 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
86 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ac81 000001bb`fd5b2612 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
87 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ad51 000001bb`fd5b2610 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
88 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ae21 000001bb`fd5b260e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
89 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0aef1 000001bb`fd5b260c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
8a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0afc1 000001bb`fd5b260a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
8b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b091 000001bb`fd5b2608 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
8c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b161 000001bb`fd5b2606 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
8d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b231 000001bb`fd5b2604 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
8e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b301 000001bb`fd5b2602 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
8f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b3d1 000001bb`fd5b2600 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
90 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b4a1 000001bb`fd5b25fe 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
91 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b571 000001bb`fd5b25fc 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
92 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b641 000001bb`fd5b25fa 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
93 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b711 000001bb`fd5b25f8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
94 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b7e1 000001bb`fd5b25f6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
95 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b8b1 000001bb`fd5b25f4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
96 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0b981 000001bb`fd5b25f2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
97 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ba51 000001bb`fd5b25f0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
98 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0bb21 000001bb`fd5b25ee 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
99 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0bbf1 000001bb`fd5b25ec 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
9a 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0bcc1 000001bb`fd5b25ea 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
9b 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0bd91 000001bb`fd5b25e8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
9c 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0be61 000001bb`fd5b25e6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
9d 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0bf31 000001bb`fd5b25e4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
9e 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c001 000001bb`fd5b25e2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
9f 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c0d1 000001bb`fd5b25e0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a0 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c1a1 000001bb`fd5b25de 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a1 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c271 000001bb`fd5b25dc 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a2 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c341 000001bb`fd5b25da 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a3 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c411 000001bb`fd5b25d8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a4 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c4e1 000001bb`fd5b25d6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a5 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c5b1 000001bb`fd5b25d4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a6 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c681 000001bb`fd5b25d2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a7 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c751 000001bb`fd5b25d0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a8 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c821 000001bb`fd5b25ce 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
a9 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c8f1 000001bb`fd5b25cc 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
aa 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0c9c1 000001bb`fd5b25ca 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ab 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ca91 000001bb`fd5b25c8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ac 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0cb61 000001bb`fd5b25c6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ad 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0cc31 000001bb`fd5b25c4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ae 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0cd01 000001bb`fd5b25c2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
af 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0cdd1 000001bb`fd5b25c0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b0 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0cea1 000001bb`fd5b25be 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b1 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0cf71 000001bb`fd5b25bc 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b2 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d041 000001bb`fd5b25ba 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b3 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d111 000001bb`fd5b25b8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b4 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d1e1 000001bb`fd5b25b6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b5 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d2b1 000001bb`fd5b25b4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b6 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d381 000001bb`fd5b25b2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b7 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d451 000001bb`fd5b25b0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b8 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d521 000001bb`fd5b25ae 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
b9 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d5f1 000001bb`fd5b25ac 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ba 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d6c1 000001bb`fd5b25aa 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
bb 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d791 000001bb`fd5b25a8 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
bc 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d861 000001bb`fd5b25a6 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
bd 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0d931 000001bb`fd5b25a4 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
be 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0da01 000001bb`fd5b25a2 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
bf 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0dad1 000001bb`fd5b25a0 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c0 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0dba1 000001bb`fd5b259e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c1 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0dc71 000001bb`fd5b259c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c2 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0dd41 000001bb`fd5b259a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c3 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0de11 000001bb`fd5b2598 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c4 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0dee1 000001bb`fd5b2596 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c5 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0dfb1 000001bb`fd5b2594 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c6 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e081 000001bb`fd5b2592 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c7 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e151 000001bb`fd5b2590 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c8 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e221 000001bb`fd5b258e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
c9 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e2f1 000001bb`fd5b258c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ca 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e3c1 000001bb`fd5b258a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
cb 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e491 000001bb`fd5b2588 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
cc 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e561 000001bb`fd5b2586 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
cd 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e631 000001bb`fd5b2584 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ce 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e701 000001bb`fd5b2582 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
cf 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e7d1 000001bb`fd5b2580 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d0 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e8a1 000001bb`fd5b257e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d1 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0e971 000001bb`fd5b257c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d2 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ea41 000001bb`fd5b257a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d3 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0eb11 000001bb`fd5b2578 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d4 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ebe1 000001bb`fd5b2576 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d5 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ecb1 000001bb`fd5b2574 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d6 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ed81 000001bb`fd5b2572 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d7 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ee51 000001bb`fd5b2570 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d8 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ef21 000001bb`fd5b256e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
d9 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0eff1 000001bb`fd5b256c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
da 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f0c1 000001bb`fd5b256a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
db 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f191 000001bb`fd5b2568 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
dc 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f261 000001bb`fd5b2566 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
dd 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f331 000001bb`fd5b2564 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
de 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f401 000001bb`fd5b2562 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
df 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f4d1 000001bb`fd5b2560 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e0 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f5a1 000001bb`fd5b255e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e1 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f671 000001bb`fd5b255c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e2 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f741 000001bb`fd5b255a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e3 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f811 000001bb`fd5b2558 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e4 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f8e1 000001bb`fd5b2556 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e5 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0f9b1 000001bb`fd5b2554 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e6 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0fa81 000001bb`fd5b2552 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e7 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0fb51 000001bb`fd5b2550 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e8 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0fc21 000001bb`fd5b254e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
e9 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0fcf1 000001bb`fd5b254c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ea 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0fdc1 000001bb`fd5b254a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
eb 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0fe91 000001bb`fd5b2548 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ec 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e0ff61 000001bb`fd5b2546 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ed 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10031 000001bb`fd5b2544 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ee 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10101 000001bb`fd5b2542 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ef 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e101d1 000001bb`fd5b2540 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f0 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e102a1 000001bb`fd5b253e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f1 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10371 000001bb`fd5b253c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f2 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10441 000001bb`fd5b253a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f3 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10511 000001bb`fd5b2538 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f4 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e105e1 000001bb`fd5b2536 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f5 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e106b1 000001bb`fd5b2534 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f6 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10781 000001bb`fd5b2532 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f7 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10851 000001bb`fd5b2530 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f8 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10921 000001bb`fd5b252e 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
f9 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e109f1 000001bb`fd5b252c 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
fa 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10ac1 000001bb`fd5b252a 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
fb 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10b91 000001bb`fd5b2528 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
fc 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10c61 000001bb`fd5b2526 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
fd 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10d31 000001bb`fd5b2524 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
fe 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10e01 000001bb`fd5b2522 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e
ff 00007ffb`a519d0fa : 00000000`00000364 00000097`c7e10ed1 000001bb`fd5b2520 00000000`00000000 : fontsub!GetComponentGlyphList+0x18e

It's too long...it may exhausted all stack memory

crash analysis

fontsub!GetComponentGlyphList has been called too many times.

Let's see it in ida

__int64 __fastcall GetComponentGlyphList(__int64 a1, int a2, unsigned __int16 *a3, __int64 a4, unsigned __int16 a5, unsigned __int16 *a6, unsigned __int16 a7, unsigned __int16 a8, unsigned int a9, int a10)
{
  __int64 v10; // rdi
  unsigned __int16 *v11; // rsi
  _QWORD *v12; // r13
  __int64 result; // rax
  unsigned __int16 v14; // ax
  unsigned int v15; // ebx
  unsigned int v16; // ebx
  unsigned __int16 v17; // r10
  char v18; // di
  int v19; // eax
  unsigned __int16 v20; // dx
  __int64 v21; // [rsp+20h] [rbp-61h]
  __int16 v22; // [rsp+50h] [rbp-31h]
  int v23; // [rsp+54h] [rbp-2Dh]
  __int16 v24; // [rsp+58h] [rbp-29h]
  __int64 v25; // [rsp+60h] [rbp-21h]
  __int16 v26; // [rsp+68h] [rbp-19h]

  v10 = a4;
  v25 = a4;
  v11 = a3;
  *a3 = 0;
  v12 = (_QWORD *)a1
  LODWORD(v21) = a10;
  result = GetGlyphHeader(a1, a2, a8, a9, v21, &v26, &v23, &v22);
  if ( !(_WORD)result )
  {
    if ( *a6 < a7 )
      *a6 = a7;
    if ( v26 >= 0 )
    {
LABEL_21:
      result = 0i64;
    }
    else
    {
      v14 = GetGenericSize(&GLYF_HEADER_CONTROL);
      v15 = v23 + v14;
      while ( *v11 < a5 )   // recursive condition, set breakpotin
      {
        result = ReadWord(v12, &v22, v15);
        if ( (_WORD)result )
          return result;
        v16 = v15 + 2;
        result = ReadWord(v12, &v23, v16);
        if ( (_WORD)result )
          return result;
        v17 = v23;
        *(_WORD *)(v10 + 2i64 * *v11) = v23;
        v18 = v22;
        v19 = v22 & 1;
        v20 = *v11 + 1;
        *v11 = v20;
        v15 = v16 + 2 * v19 + 4;
        if ( v18 & 8 )
        {
          v15 += 2;
        }
        else if ( v18 & 0x40 )
        {
          v15 += 4;
        }
        else if ( v18 < 0 )
        {
          v15 += 8;
        }
        result = GetComponentGlyphList(  //recursive call
                   (__int64)v12,
                   v17,
                   (unsigned __int16 *)&v24,
                   v25 + 2i64 * v20,
                   a5 - v20,
                   a6,
                   a7 + 1,
                   a8,
                   a9,
                   a10);
        if ( (_WORD)result )
          return result;
        if ( v24 )
          *v11 += v24;
        if ( !(v18 & 0x20) )
          goto LABEL_21;
        v10 = v25;
      }
      result = 1066i64;
    }
  }
  return result;
}

recursive condition

cmp     [rsi], r12w

watch [rsi] data

mov     rsi, r8
mov     [rsp+0C0h+var_90], rax
xor     ebx, ebx
lea     rax, [rbp+3Fh+var_58]
mov     [r8], bx // [rsi] always 0

you can see, [rsi] always is 0, if r12w is large, recursive call GetComponentGlyphList will cause stack exhaustion.

Conconlusion

If use a specific ttf file, it may cause some security issues.

The issue reproduces on a fully updated Windows 10 1903,I haven't tested on earlier versions of the system.

attachment is a poc ttf file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FoundBugs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@xinali