[Bug 1191085] CVE-2014-9663 freetype: out-of-bounds read in tt_cmap4_validate()
bugzilla at redhat.com
bugzilla at redhat.com
Fri Feb 20 21:57:41 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1191085
Tomas Hoger <thoger at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|medium |low
Fixed In Version| |freetype 2.5.4
Summary|CVE-2014-9663 freetype: |CVE-2014-9663 freetype:
|out-of-bounds read in the |out-of-bounds read in
|tt_cmap4_validate function |tt_cmap4_validate()
|in sfnt/ttcmap.c |
Whiteboard|impact=moderate,public=2014 |impact=low,public=20141124,
|1124,reported=20150210,sour |reported=20150210,source=cv
|ce=cve,cvss2=3.7/AV:L/AC:H/ |e,cvss2=2.6/AV:N/AC:H/Au:N/
|Au:N/C:P/I:P/A:P,fedora-all |C:N/I:N/A:P,cwe=CWE-125,rhe
|/freetype=affected,rhel-5/f |l-4/freetype=wontfix,rhel-5
|reetype=new,rhel-6/freetype |/freetype=wontfix,rhel-6/fr
|=new,rhel-7/freetype=new |eetype=affected,rhel-7/free
| |type=affected,rhev-m-3/ming
| |w-virt-viewer=affected,fedo
| |ra-all/freetype=affected,fe
| |dora-all/mingw-freetype=aff
| |ected,epel-7/mingw-freetype
| |=affected
Severity|medium |low
--- Comment #4 from Tomas Hoger <thoger at redhat.com> ---
Upstream bug is:
https://savannah.nongnu.org/bugs/?43656
Issue was fixed upstream in 2.5.4.
This is a very limited buffer over-read. Two bytes are read from at max 7th
and 8th byte after the end of the buffer. After that, another check is reached
that detects the problem. This is rather unlikely to cause crash.
Issue is caused by a misplaced check to ensure enough input it still available
for further parsing. After the check, length variable indicating remaining
input size is decremented to the size of the actually available data.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=WUnMucqzZC&a=cc_unsubscribe
More information about the fonts-bugs
mailing list