[Bug 800604] CVE-2012-1142 freetype: incorrect computation of number of glyphs in FNT_Face_Init() for FNT/FON files (#35659)
bugzilla at redhat.com
Fri Mar 16 14:45:56 UTC 2012
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=800604
Tomas Hoger <thoger at redhat.com> changed:
What: Summary
Removed: CVE-2012-1142 freetype: Out-of heap-based buffer write by retrieval of advance values for glyph outlines (FU#35659)
Added: CVE-2012-1142 freetype: incorrect computation of number of glyphs in FNT_Face_Init() for FNT/FON files (#35659)

What: Status Whiteboard
Removed: impact=important,public=20120301,reported=20120302,source=google,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected,rhel-6/freetype=affected,fedora-all/freetype=affected
Added: impact=important,public=20120301,reported=20120302,source=google,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected,rhel-6/freetype=affected,fedora-all/freetype=affected,fedora-all/mingw32-freetype=affected

--- Comment #7 from Tomas Hoger <thoger at redhat.com> 2012-03-16 10:45:54 EDT ---
This flaw is in the driver for reading Windows FNT/FON files (i.e. not TTF files
as mentioned in comment #0). FreeType did not check that last_char >=
first_char, which resulted in incorrect computation of the number of glyphs in
the file. The number of glyphs was set to a negative value.

When using ftbench, this resulted in NULL pointer dereference, as ftbench's
test_load_advances uses num_glyphs as argument to calloc, but does not check
its return value. The impact on different applications using freetype may be
different.
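
The missing range check and the unchecked calloc result described in comment #7, shown as an added C example that is not FreeType or ftbench code. The struct, the function names and the `last_char - first_char + 1` formula are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified header: only the two fields named in the comment. */
struct fnt_header {
    uint8_t first_char;
    uint8_t last_char;
};

/* Unchecked count. The "last - first + 1" formula is an assumption made for
   this example; it goes negative when last_char < first_char. */
long glyph_count_unchecked(const struct fnt_header *h)
{
    return (long)h->last_char - (long)h->first_char + 1;
}

/* What a negative count becomes once it is passed as calloc's size_t argument. */
size_t as_alloc_count(long num_glyphs)
{
    return (size_t)num_glyphs;
}

/* Hardened path: validate the range first, then check the allocation.
   Returns 0 on success, -1 for an inverted range, -2 if calloc fails. */
int load_advances(const struct fnt_header *h, long **advances, long *num_glyphs)
{
    *advances = NULL;
    *num_glyphs = 0;
    if (h->last_char < h->first_char)
        return -1;
    long n = glyph_count_unchecked(h);   /* now known to be >= 1 */
    long *table = calloc((size_t)n, sizeof *table);
    if (table == NULL)
        return -2;
    *advances = table;
    *num_glyphs = n;
    return 0;
}
```

A caller that skips both checks passes the wrapped-around count to calloc and then writes through whatever pointer comes back, which is the NULL dereference the comment reports for ftbench.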