[Bug 1191085] CVE-2014-9663 freetype: out-of-bounds read in tt_cmap4_validate()

bugzilla at redhat.com
Fri Feb 20 21:57:41 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1191085

Tomas Hoger <thoger at redhat.com> changed:

Priority: medium -> low

Fixed In Version: (empty) -> freetype 2.5.4

Summary:
  Removed: CVE-2014-9663 freetype: out-of-bounds read in the tt_cmap4_validate function in sfnt/ttcmap.c
  Added:   CVE-2014-9663 freetype: out-of-bounds read in tt_cmap4_validate()

Whiteboard:
  Removed: impact=moderate,public=20141124,reported=20150210,source=cve,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected,rhel-5/freetype=new,rhel-6/freetype=new,rhel-7/freetype=new
  Added:   impact=low,public=20141124,reported=20150210,source=cve,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P,cwe=CWE-125,rhel-4/freetype=wontfix,rhel-5/freetype=wontfix,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected

Severity: medium -> low


--- Comment #4 from Tomas Hoger <thoger at redhat.com> ---
Upstream bug is:
https://savannah.nongnu.org/bugs/?43656

Issue was fixed upstream in 2.5.4.

This is a very limited buffer over-read.  Two bytes are read from at max the 7th
and 8th byte after the end of the buffer.  After that, another check is reached
that detects the problem.  This is rather unlikely to cause a crash.

The issue is caused by a misplaced check to ensure enough input is still available
for further parsing.  After the check, the length variable indicating the remaining
input size is decremented to the size of the actually available data.
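The check-ordering bug class that comment #4 describes, as an added, constructed model: a minimum-length test is applied to the declared cmap format 4 subtable length before that length is clamped to the bytes actually present, so a truncated subtable passes the test and the next field read lands past the buffer. This is not FreeType's code; only the format 4 header offsets (format, length, language, segCountX2, then the segment arrays after byte 14) follow the TrueType specification, the rest is a simplified illustration. The buggy variant reports how far past the end the read would have gone instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the bug class from comment #4 (not FreeType's code):
 * a minimum-length test is applied to the declared subtable length before
 * that length is clamped to the bytes actually present.  Field offsets
 * follow the TrueType cmap format 4 header: format(0), length(2),
 * language(4), segCountX2(6), then the four segment arrays after byte 14. */

enum { CMAP_OK = 0, CMAP_TOO_SHORT = 1, CMAP_BAD_FORMAT = 2 };

static unsigned rd16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Buggy ordering.  Instead of dereferencing past 'avail', it returns how
 * many bytes beyond the buffer the segCountX2 read at +6..+7 would touch
 * (0 means the read stays in bounds). */
size_t cmap4_overread_before_fix(const uint8_t *table, size_t avail)
{
    if (avail < 4) return 0;                  /* rejected before any read */
    if (rd16(table + 2) < 16) return 0;       /* test on the declared length */
    /* clamping to 'avail' would only happen after the reads that follow */
    return avail < 8 ? 8 - avail : 0;
}

/* Fixed ordering: clamp first, then test and read using the clamped value. */
int cmap4_validate_fixed(const uint8_t *table, size_t avail)
{
    size_t length, seg_count;
    if (avail < 4) return CMAP_TOO_SHORT;
    if (rd16(table) != 4) return CMAP_BAD_FORMAT;
    length = rd16(table + 2);
    if (length > avail) length = avail;       /* ignore data past the end */
    if (length < 16) return CMAP_TOO_SHORT;   /* 14-byte header + reservedPad */
    seg_count = rd16(table + 6) / 2;          /* safe: offset 7 < 16 <= avail */
    /* endCode, startCode, idDelta, idRangeOffset: 2 bytes each per segment */
    if (16 + 8 * seg_count > length) return CMAP_TOO_SHORT;
    return CMAP_OK;
}

/* Constructed inputs: declared length 32 but only 6 bytes present ... */
const uint8_t sample_truncated[] = { 0x00,0x04, 0x00,0x20, 0x00,0x00 };
/* ... and a minimal well-formed one-segment subtable (24 bytes). */
const uint8_t sample_ok[] = {
    0x00,0x04, 0x00,0x18, 0x00,0x00, 0x00,0x02, 0x00,0x02, 0x00,0x00, 0x00,0x00,
    0xFF,0xFF, 0x00,0x00, 0xFF,0xFF, 0x00,0x01, 0x00,0x00 };
```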
