[Bug 800595] CVE-2012-1137 freetype: heap buffer off-by-one in BDF parsing _bdf_list_ensure() (#35643)

bugzilla at redhat.com bugzilla at redhat.com
Thu Mar 15 14:24:12 UTC 2012


Tomas Hoger <thoger at redhat.com> changed:

Summary
  Removed: CVE-2012-1137 freetype: Out-of heap-based buffer read by parsing BDF font header (FU#35643)
  Added:   CVE-2012-1137 freetype: heap buffer off-by-one in BDF parsing _bdf_list_ensure() (#35643)

Status Whiteboard
  Removed: impact=low,public=20120227,reported=20120302,source=google,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-5/freetype=new,rhel-6/freetype=new,fedora-all/freetype=new
  Added:   impact=low,public=20120227,reported=20120302,source=secalert,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-4/freetype=notaffected,rhel-5/freetype=affected,rhel-6/freetype=affected,fedora-all/freetype=affected,fedora-all/mingw32-freetype=affected

--- Comment #2 from Tomas Hoger <thoger at redhat.com> 2012-03-15 10:24:11 EDT ---
This is an issue in _bdf_list_ensure() in bdflib.c.  When allocating the field[]
array, a space for at least 4 items is allocated.  However, the rest of the
code assumes that field[] always has at least 5 items.  This leads to an
off-by-one buffer over-read.  field[] items are char*, so this may cause the
program to use an uninitialized pointer for reading and possibly crash.
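
The mismatch described in comment #2, as an added example that is not part of the original bug mail and is not FreeType's code: a simplified token list (all names hypothetical) whose allocator guarantees 4 slots while consumers read index 4. It is shown next to two defensive forms, a minimum that covers the highest index read with zero-filled new slots, and a bounds-checked accessor.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model of a token list; all names are hypothetical, not FreeType's. */
enum { OLD_MIN_SLOTS = 4,     /* minimum the allocator guaranteed    */
       MAX_INDEX_READ = 4 };  /* consumers read field[0]..field[4]   */

typedef struct {
    char  **field;  /* token pointers  */
    size_t  size;   /* allocated slots */
} token_list;

/* Grow to hold `want` slots, never fewer than `min_slots`. New slots are
   zeroed so an unfilled slot reads as NULL rather than heap garbage. */
int list_ensure(token_list *l, size_t want, size_t min_slots)
{
    size_t n = want < min_slots ? min_slots : want;
    char **p;

    if (n <= l->size) return 0;
    if (n > (size_t)-1 / sizeof *p) return -1;   /* size overflow */
    p = realloc(l->field, n * sizeof *p);
    if (p == NULL) return -1;
    memset(p + l->size, 0, (n - l->size) * sizeof *p);
    l->field = p;
    l->size = n;
    return 0;
}

/* 1 if the highest index a consumer reads lies inside the allocation. */
int list_covers(const token_list *l, size_t max_index)
{
    return l->field != NULL && max_index < l->size;
}

/* Checked accessor: NULL instead of a read past the allocation. */
const char *list_get(const token_list *l, size_t i)
{
    return list_covers(l, i) ? l->field[i] : NULL;
}

int main(void)
{
    token_list l = { NULL, 0 };
    int ok = list_ensure(&l, 1, OLD_MIN_SLOTS) == 0 &&
             list_get(&l, MAX_INDEX_READ) == NULL &&       /* 4 slots: refused  */
             list_ensure(&l, 1, MAX_INDEX_READ + 1) == 0 &&
             list_covers(&l, MAX_INDEX_READ);              /* 5 slots: in range */
    free(l.field);
    return ok ? 0 : 1;
}
```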
