[Bug 800592] CVE-2012-1134 freetype: limited heap buffer overflow in Type1 parser T1_Get_Private_Dict() (#35608)

bugzilla at redhat.com bugzilla at redhat.com
Fri Mar 16 16:43:13 UTC 2012


Tomas Hoger <thoger at redhat.com> changed:

  Summary:
    Removed: CVE-2012-1134 freetype: Out-of heap-based buffer write in Type1 font parser by retrieving font's private dictionary (FU#35608)
    Added:   CVE-2012-1134 freetype: limited heap buffer overflow in Type1 parser T1_Get_Private_Dict() (#35608)

  Status Whiteboard:
    Removed: impact=important,public=20120223,reported=20120302,source=google,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected,rhel-6/freetype=affected,fedora-all/freetype=affected
    Added:   impact=important,public=20120223,reported=20120302,source=google,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/freetype=affected,rhel-6/freetype=affected,fedora-all/freetype=affected,fedora-all/mingw32-freetype=affected

--- Comment #7 from Tomas Hoger <thoger at redhat.com> 2012-03-16 12:43:11 EDT ---
The flaw here is in the T1_Get_Private_Dict() function.  It does not check that
private_dict[] (an array of FT_Byte / unsigned char) has a size of at least 4 before
overwriting the first 4 characters with ' ' (space).

There are two possible cases in the function.  One is that private_dict[] is
allocated in the function using a size of less than 4.  That case is not an
issue, as the minimum chunk glibc malloc can allocate has 12 (on 32-bit) or 24
(on 64-bit) usable bytes.  Hence the overflow would only overwrite memory that
can be used by the application and does not lead to a crash.  This overflow can be
detected by memory allocation checking tools such as valgrind or AddressSanitizer,
as was demonstrated in the upstream bug report.

There is another possible case - private_dict[] may use part of the existing
base_dict[].  In that case, it may be possible for the overflow to write out of the
usable memory, but the overflow is limited to 3 space characters.

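The missing length check, modelled in C as an added example (this is not FreeType's code): an eexec-decrypted Type 1 private dictionary starts with 4 random padding bytes that the parser blanks out, so the unchecked form stores 4 spaces regardless of the dictionary length while the checked form refuses anything shorter than 4 bytes. The function names and the encrypt helper (used only to build test input) are assumptions for the demo; the eexec constants are from the Type 1 font format specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* eexec constants from the Adobe Type 1 font format specification. */
#define EEXEC_R  55665U
#define EEXEC_C1 52845U
#define EEXEC_C2 22719U

/* In-place eexec decryption. The first 4 plaintext bytes are random
 * padding prepended by the font producer; a parser discards them. */
static void t1_decrypt(uint8_t *buf, size_t len)
{
    uint16_t r = EEXEC_R;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];
        buf[i] = (uint8_t)(c ^ (r >> 8));
        r = (uint16_t)(((unsigned)c + r) * EEXEC_C1 + EEXEC_C2);
    }
}

/* In-place eexec encryption (hypothetical helper, only to construct input). */
static void t1_encrypt(uint8_t *buf, size_t len)
{
    uint16_t r = EEXEC_R;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = (uint8_t)(buf[i] ^ (r >> 8));
        buf[i] = c;
        r = (uint16_t)(((unsigned)c + r) * EEXEC_C1 + EEXEC_C2);
    }
}

/* Shape of the bug: blanks the 4 padding bytes unconditionally, so with
 * len < 4 the stores run past the end of dict (the reported overflow). */
int get_private_dict_unchecked(uint8_t *dict, size_t len)
{
    t1_decrypt(dict, len);
    dict[0] = dict[1] = dict[2] = dict[3] = ' ';
    return 0;
}

/* Hardened form: reject a private dictionary too short to hold the
 * padding, so the four stores always stay inside the buffer. */
int get_private_dict_checked(uint8_t *dict, size_t len)
{
    if (len < 4)
        return -1;  /* malformed font: refuse instead of overflowing */
    t1_decrypt(dict, len);
    memset(dict, ' ', 4);
    return 0;
}
```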

More information about the fonts-bugs mailing list