[Bug 800604] CVE-2012-1142 freetype: incorrect computation of number of glyphs in FNT_Face_Init() for FNT/FON files (#35659)

bugzilla at redhat.com bugzilla at redhat.com
Fri Mar 16 14:45:56 UTC 2012

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed                     |Added
            Summary|CVE-2012-1142 freetype:     |CVE-2012-1142 freetype:
                   |Out-of heap-based buffer    |incorrect computation of
                   |write by retrieval of       |number of glyphs in
                   |advance values for glyph    |FNT_Face_Init() for FNT/FON
                   |outlines (FU#35659)         |files (#35659)
  Status Whiteboard|impact=important,public=201 |impact=important,public=201
                   |20301,reported=20120302,sou |20301,reported=20120302,sou
                   |rce=google,cvss2=6.8/AV:N/A |rce=google,cvss2=6.8/AV:N/A
                   |C:M/Au:N/C:P/I:P/A:P,rhel-5 |C:M/Au:N/C:P/I:P/A:P,rhel-5
                   |/freetype=affected,rhel-6/f |/freetype=affected,rhel-6/f
                   |reetype=affected,fedora-all |reetype=affected,fedora-all
                   |/freetype=affected          |/freetype=affected,fedora-a
                   |                            |ll/mingw32-freetype=affecte
                   |                            |d

--- Comment #7 from Tomas Hoger <thoger at redhat.com> 2012-03-16 10:45:54 EDT ---
This flaw is in the driver for reading Windows FNT/FON file (i.e. not TTF files
as mentioned in comment #0).  FreeType did not check that last_char >=
first_char, which resulted in incorrect computation of the number of glyphs in
the file.  The number of glyphs was set to a negative value.

When using ftbench, this resulted in NULL pointer dereference, as ftbench's
test_load_advances uses num_glyphs as argument to calloc, but does not check
its return value.  The impact on different applications using freetype may be

Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the fonts-bugs mailing list