[Bug 800591] CVE-2012-1133 freetype: heap buffer underflow in BDF parser _bdf_parse_glyphs() (#35607)

bugzilla at redhat.com bugzilla at redhat.com
Fri Mar 16 12:41:03 UTC 2012

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


--- Comment #9 from Tomas Hoger <thoger at redhat.com> 2012-03-16 08:41:00 EDT ---
(In reply to comment #8)
> It seems this issue existed in old freetype versions.  It was later resolved
> via the following commit:
> http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=481838e2

Note there is additional follow up patch:


That patch add explicit conversion of p->glyph_enc to size_t for comparison
(which causes negative values to be converted to large positive unsigned
value).  However, as glyph_enc is (signed) long and the right side of the
comparison is of the size_t type, gcc does implicit conversion of the
p->glyph_enc to unsigned long and hence error is reported.

> The freetype packages in Red Hat Enterprise Linux 5 and 6 are based on
> upstream versions that include the fix.

freetype packages in Red Hat Enterprise Linux 5 and 6 include explicit
conversion to size_t, patch that was added to earlier Red Hat Enterprise Linux
versions does not include explicit type conversion.

Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the fonts-bugs mailing list